mikker / passwordless

🗝 Authentication for your Rails app without the icky-ness of passwords
MIT License

Suggestion: verify browser session #141

Closed Signum closed 11 months ago

Signum commented 1 year ago

I expected that the magic link is tied to the browser session. But it seems that anyone who gets the link can log in. What I did:

I consider email a good second factor but passwordless seems to use it as the only factor at the moment. Is it planned to make the link work only with the current browser session? Otherwise anyone who sniffs the email would be able to log in.

P.S.: I have spent all day toying around with passwordless. Thanks for the gem. It's not there for me yet but I'm looking forward to 1.0.

mikker commented 1 year ago

Tokens are the only factor atm. If you already have a "Forgot password" process, it has the same "problem". But your idea is good.

Signum commented 1 year ago

Thanks for considering it. I thought about it some more. It might happen that the user is getting the link on a different device (e.g. smartphone) and not on the desktop where the application runs. In that case the login would happen on the smartphone which is not what the user expects. My idea would only work if email and the browser would be on the same device. That's the case for me but it might not be for everybody. So maybe an approach like "using it as a second factor" would help.

A slightly different but more flexible concept:

  1. Browser session: The user wants to log in and enters his email address. Rails knows the session ID. Passwordless sends the email out. The browser waits. Maybe a spinner icon is shown. This could use Turbo to wait for the backend.
  2. Email application: The user receives the email and clicks on the link. Any browser (e.g. on the smartphone) opens the link and tells "passwordless" that the login is okay.
  3. Browser session: Rails tells the browser that the login was verified and lets the user through.

I would also consider a slight variation: Passwordless sends the user an email containing both a link and also a TAN (e.g. a 6-digit number). You don't need to click on the link but can just enter the number in the browser. Very much like most applications that use such a code as a second factor.
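
As an added illustration of the session-bound flow and the TAN variation sketched in the comment above (example code written for this page, not part of the passwordless gem; the class and method names SessionBoundLogin, start, confirm_link, verify_code and status are assumptions), here is a minimal in-memory Ruby store. The originating browser session is the only thing that ever gets logged in: the link may be opened on any device and merely flips the pending record to verified, the 6-digit code can only be redeemed from the session that requested it, and both are single-use, time-limited and stored as digests.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory store binding a magic-link login to the browser
# session that requested it. Not the passwordless gem's own code.
class SessionBoundLogin
  Pending = Struct.new(:email, :session_id, :token_digest, :code_digest,
                       :expires_at, :verified, :attempts, keyword_init: true)

  TTL_SECONDS  = 10 * 60 # link and code are valid for ten minutes
  MAX_ATTEMPTS = 5       # wrong TAN entries allowed before the login is dropped

  def initialize
    @by_session = {} # session_id -> Pending
    @by_token   = {} # sha256(token) -> session_id
  end

  # Step 1: the browser session asks for a login. Returns what would be
  # emailed (link token and 6-digit TAN); the server keeps only digests.
  def start(email, session_id, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    code  = format("%06d", SecureRandom.random_number(1_000_000))
    pending = Pending.new(email: email, session_id: session_id,
                          token_digest: digest(token), code_digest: digest(code),
                          expires_at: now + TTL_SECONDS, verified: false, attempts: 0)
    @by_session[session_id] = pending
    @by_token[pending.token_digest] = session_id
    { token: token, code: code }
  end

  # Step 2a: the link is clicked from any device. This marks the *originating*
  # session as verified; it does not log in the device that opened the link.
  def confirm_link(token, now: Time.now)
    session_id = @by_token.delete(digest(token)) # single use
    pending = session_id && @by_session[session_id]
    return false unless pending && now < pending.expires_at
    pending.verified = true
    true
  end

  # Step 2b (variation): the user types the TAN into the originating browser.
  # Only that session can redeem it, and only a few wrong tries are allowed.
  def verify_code(session_id, code, now: Time.now)
    pending = @by_session[session_id]
    return false unless pending && now < pending.expires_at
    pending.attempts += 1
    if pending.attempts > MAX_ATTEMPTS
      drop(pending)
      return false
    end
    return false unless secure_equal?(digest(code), pending.code_digest)
    pending.verified = true
    true
  end

  # Step 3: the waiting browser polls (or is pushed via Turbo). Once the record
  # is verified it is consumed, so neither link nor code can be reused.
  def status(session_id, now: Time.now)
    pending = @by_session[session_id]
    return :none unless pending
    if now >= pending.expires_at
      drop(pending)
      return :expired
    end
    return :pending unless pending.verified
    drop(pending)
    :verified
  end

  private

  def drop(pending)
    @by_session.delete(pending.session_id)
    @by_token.delete(pending.token_digest)
  end

  def digest(value)
    Digest::SHA256.hexdigest(value)
  end

  # Constant-time comparison of two equal-length hex digests.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store  = SessionBoundLogin.new
  mailed = store.start("ann@example.test", "desktop-session") # constructed sample
  puts store.status("desktop-session")   # pending
  store.confirm_link(mailed[:token])     # link opened on the phone
  puts store.status("desktop-session")   # verified
end
```

The point of keeping `@by_token` separate from `@by_session` is that opening the link never yields a session of its own: the only state it can change is the verified flag of the session that started the flow.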

mikker commented 1 year ago

1.0 will be something like your last suggestion. In that scenario it makes total sense to set the session id in the browser session and check against it.