
bsid | 3 years ago

At Clerk (https://clerk.dev, auth SaaS) we did a ton of work to get magic links to play nice with multiple devices; it's certainly a pain, and there are tradeoffs.

The crux of it is, do you sign in the "originating" device (where the magic link was sent from), or the "consuming" device (where it was clicked).

Because it's very common for people to be on a website on their computer, then click the link on their phone, but still want to be logged into their computer. We opted for the "originating" device. But this has security concerns.

(you also need to worry about multiple tabs on the same browser, but cookies make this easy to deal with)

But what if an attacker just sends a link to loads of email addresses, and one of the receivers clicks on it by accident? Their account has now been taken over.

So, this needs to be combined with the notion of "trusted devices", and of course, not breaking what the user expects. All in all, a TON of work to get some marginal gains in some sectors, mainly B2C. IMO, B2B should always have passwords as an option. 1Pass is too widely used to ignore.

inopinatus | 3 years ago

Never do this. Automated email scanners may fetch the URL. For example, Hotmail’s mail delivery process is notorious for triggering magic links.

nly | 3 years ago

You can defend against this a little bit by having the magic link load a page with a button (which submits a POST action) that you have to click.
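Added example, not code from Clerk or from any of the commenters above: a minimal in-memory Python sketch of the flow bsid and nly describe. A GET on the link only renders a confirmation page (so a scanner that pre-fetches URLs, as inopinatus warns, changes nothing), a POST from the button consumes the single-use token, and the originating device is signed in only when it is already a trusted device for that account, so a link an attacker requested from an unknown device gains the attacker nothing when a victim clicks it. The session ids, the TRUSTED_DEVICES seed data, the 10-minute TTL and the fallback of signing in the clicking device instead are all assumptions made for this example.

```python
import hashlib
import secrets
import time

# Constructed in-memory state for the example; a real service would persist these.
MAGIC_LINKS = {}    # sha256(token) -> link record
SESSIONS = {}       # session id (from a cookie) -> signed-in email, or None while anonymous
TRUSTED_DEVICES = { # email -> session ids that have completed a sign-in before (assumed seed data)
    "alice@example.com": {"alice-laptop"},
}
LINK_TTL_SECONDS = 600  # assumed lifetime of a link


def _digest(token: str) -> str:
    # Store only a hash of the token so a leaked table does not leak live sign-in links.
    return hashlib.sha256(token.encode()).hexdigest()


def create_magic_link(email: str, origin_session: str, now=None) -> str:
    """Called when the sign-in form is submitted; returns the token embedded in the emailed URL."""
    token = secrets.token_urlsafe(32)
    MAGIC_LINKS[_digest(token)] = {
        "email": email,
        "origin_session": origin_session,  # the device the form was submitted from
        "created": now if now is not None else time.time(),
        "used": False,
    }
    SESSIONS.setdefault(origin_session, None)
    return token


def handle_get(token: str) -> str:
    """GET on the link renders a page with a POST button and changes no state,
    so an email scanner that fetches the URL cannot consume the link."""
    rec = MAGIC_LINKS.get(_digest(token))
    if rec is None or rec["used"]:
        return "invalid_or_used"
    return "confirmation_page"


def handle_post(token: str, consuming_session: str, now=None) -> str:
    """POST from the confirmation button consumes the link exactly once."""
    now = now if now is not None else time.time()
    rec = MAGIC_LINKS.get(_digest(token))
    if rec is None or rec["used"]:
        return "invalid_or_used"
    rec["used"] = True  # single use, even if it turns out to be expired
    if now - rec["created"] > LINK_TTL_SECONDS:
        return "expired"
    email, origin = rec["email"], rec["origin_session"]
    SESSIONS.setdefault(consuming_session, None)
    # Sign in the originating device only if the account already trusts it.
    # A link requested from an attacker's unknown device therefore never signs
    # that device in; the device that clicked (which proved control of the
    # mailbox) is signed in instead and becomes trusted for next time.
    if origin in TRUSTED_DEVICES.get(email, set()):
        SESSIONS[origin] = email
        return "signed_in_origin"
    SESSIONS[consuming_session] = email
    TRUSTED_DEVICES.setdefault(email, set()).add(consuming_session)
    return "signed_in_consumer"


def session_user(session_id: str):
    """Who a given session is signed in as (None if anonymous or unknown)."""
    return SESSIONS.get(session_id)


if __name__ == "__main__":
    # Legitimate flow: form submitted on the laptop, link clicked on the phone.
    t = create_magic_link("alice@example.com", "alice-laptop")
    print("scanner GET:", handle_get(t), "laptop:", session_user("alice-laptop"))
    print("phone POST :", handle_post(t, "alice-phone"), "laptop:", session_user("alice-laptop"))
    # Attack: attacker requests a link for alice from their own device; alice clicks it.
    t2 = create_magic_link("alice@example.com", "attacker-box")
    print("victim POST:", handle_post(t2, "alice-phone"), "attacker:", session_user("attacker-box"))
```

The trade-off bsid mentions shows up in the last branch: a first-time user signing up from a brand-new laptop and clicking on their phone ends up signed in on the phone, not the laptop, because nothing yet distinguishes that laptop from an attacker's. That is the "not breaking what the user expects" cost of the trusted-device rule.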