
Comment by hirako2000

3 months ago

At least you've requested that email, to be able to log in. The timing chance for a phishing mail to come here and there is insignificant. OP is referring to communications that are a one-way street, from the (pseudo) organisation to you.

It's a lot lower risk, it's still not great IMO. Email is really not designed for it, and it trains people to use links to log in.

  • Yeah, I hate these. It's also a very not-ergonomic way to sign in. I wish those companies would redirect those efforts to passkeys.

    • It's very ergonomic for those who discovered the internet via an iPhone, who think Gmail is email. They can't remember their passwords, and wouldn't know where or how to recover most cryptographic factors. They have an email account they tend to have access to and use magic links to log in, they are very happy with that.

      Not promoting the pattern, I also find it worrying that the majority of internet users have no basic understanding of authentication and the risk for their digital identity.

  • Username/password typically has the same issue via reset password links.

    • I agree. However you use them less often, so it's far harder for someone to time it right.

      If you use username instead of email address attackers have to guess that too.

      One quite serious problem I see quite often is using email plus password for login, and notifying on failed login that the email is not in the system, letting attackers validate which emails are logins.

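The enumeration problem raised in the last comment, as an added example that is not part of the thread: a login handler that answers "that email is not in our system" lets anyone confirm which addresses are accounts, while a handler that returns one generic message for both failure causes does not. The code below is illustrative and assumes a constructed in-memory user store (`USERS`, one made-up account) and a PBKDF2 password hash; it also hashes against a dummy record when the email is unknown so the two paths cost the same work, which goes a step beyond the comment's point about messages. `leaks_existence` is a small audit helper you can point at your own handler.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 password hashing (iteration count kept modest for the demo).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: email -> (salt, stored hash). Not real accounts.
_SALT_A = b"\x01" * 16
USERS = {
    "alice@example.com": (_SALT_A, _hash_password("correct horse", _SALT_A)),
}

# Dummy record used for unknown emails so that path does the same hashing work
# as a real account; the random password makes it unguessable.
_DUMMY_SALT = b"\x02" * 16
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(email: str, password: str):
    """Vulnerable pattern: distinct messages reveal whether the email is registered."""
    record = USERS.get(email)
    if record is None:
        return (False, "That email is not in our system.")   # confirms absence
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "Incorrect password.")                # confirms presence
    return (True, "Welcome.")


def login_uniform(email: str, password: str):
    """Hardened pattern: one message for both failure causes, same work either way."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    # Always run the hash comparison; the membership check only guards against
    # the astronomically unlikely case of guessing the dummy password.
    ok = hmac.compare_digest(_hash_password(password, salt), stored) and email in USERS
    if not ok:
        return (False, "Invalid email or password.")
    return (True, "Welcome.")


def leaks_existence(handler, known: str = "alice@example.com",
                    unknown: str = "nobody@example.com") -> bool:
    """Audit helper: True if a wrong-password attempt produces a different
    message for a registered email than for an unregistered one."""
    wrong = "definitely-not-the-password"
    return handler(known, wrong)[1] != handler(unknown, wrong)[1]


if __name__ == "__main__":
    for name, handler in (("leaky", login_leaky), ("uniform", login_uniform)):
        print(f"{name}: leaks account existence = {leaks_existence(handler)}")
```

The same generic-message rule applies to the password-reset and magic-link flows discussed above: "if that address is registered, we've sent a link" discloses nothing, whereas "no account for that email" does. Rate limiting per source and per target email is still needed, since a uniform message does not stop an attacker from trying many passwords against an address they already know is valid.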