Comment by vel0city
6 hours ago
This is why a lot of services have just moved to using email with magic links to log people in.
In the end, for a lot of services, controlling your email is de facto controlling the login.
I am a vocal opponent to magic links via email (I am an unhinged person, in case it wasn't obvious before :) ).
I NEVER log into my mail from my laptop/desktop. I access my email via my phone's mail app.
So
1. try logging on via my laptop's browser
2. service sends a magic link to my email
3. click the link on my phone
4. now I'm logged in on my phone! not what I wanted!
Manually forward the magic mail to an address which you can use on your laptop/desktop for that purpose only.
Even though I understand your consideration of separating regular access and reset onto different devices, I am still more sceptical about smartphone security than anything else. What happens when someone gets access to your phone? They could redirect and use the magic mails too.
Links sent in plaintext over the network. :(
Potentially, but if you have your password reset process be sending a reset code by email it's effectively the same account access.