Comment by TylerE
2 days ago
I’ve kind of become a fan of the sites that don’t even have passwords but just email you a “magic” link. If my account security is tied to my email why make me do extra song and dance if I’m gonna have to fish out an email for every login anyway?
I despise this. With username and password my password manager just fills it in and it is one click to click "login".
With email magic link I need to enter my email (it seems to rarely auto-fill for some reason), then wait (often it takes 10s for the email to be sent for some reason), then if I was logging in on something that isn't my default browser I need to copy+paste the link (often just clicking the link authorizes the source session but not always and you don't know what this site does so you need to do it to be safe). Now you are finally logged in but probably have two tabs open. Either you need to find the first one to continue your session (if it logged that one in) or close it and lose your history for that tab (and hope that the website actually maintained your target page which more often than not it didn't).
And on top of that, the session is probably gonna expire in less than day. I hate logging in to Anthropic because of this signin-email dance
Nothing tempts me so strongly to give up and leave a site than needing to use a magic link to get in.
Sometimes it takes minutes. I have, on more than one occasion, given up on buying a product because of this. It's actually insane to me how much effort sites put into preventing users from using them.
I get it, most people are idiots with completely non-existent security hygiene, but man does it suck being punished because of just how low the common denominator is here.
My preferred workflow as well, but now many websites are starting to do this thing where you have to enter only your username, hit next, and then the password input shows up; however, the username only input breaks my password manager from trying to autofill! Argh
HomeDepot’s is even crazier. You input just your email and hit Next. Then a button appears to “Send magic link” to login via that annoying method. And then there is a tiny text below: “Want to use a different login method? Wait 10s…9s…8s…”. Only after 10s are you able to select a tiny text link “Use Password” to unlock using the password field
2 replies →
Google has been doing this for years, if not over a decade at this point. Password managers have gotten wise about it though, so for some websites it actually works.
My point is that on sites that force email 2FA you have to do the email dance anyway. A username and password are basically theater.
That's true. Although pasting the code into the existing browser tab is a bit smoother in my workflow. And at least the form autofills properly when they ask for email and password.
I'd much prefer if they could just trust my password. But I know the unfortunate truth is that the majory of people just reuse a password across most sites. So these measures are intended to raise the baseline difficulty, not to improve the security of those with good habits.