top | item 44263959


vizzah | 8 months ago

I just can't stand email OTP. Before we had passwords, now we have passwords + email OTP. And it doesn't matter if you forgot your password - you will receive the password reset at the same email. You already proved email ownership by resetting or using the password - why send another useless "security token" to the same email? Pure nonsense. Whoever designs all of this clearly has little idea of what they are doing :(



TylerE | 8 months ago

I’ve kind of become a fan of the sites that don’t even have passwords but just email you a “magic” link. If my account security is tied to my email, why make me do an extra song and dance if I’m gonna have to fish out an email for every login anyway?

kevincox | 8 months ago

I despise this. With a username and password my password manager just fills them in and it is one click on "login".

With email magic link I need to enter my email (it seems to rarely auto-fill for some reason), then wait (often it takes 10s for the email to be sent for some reason), then if I was logging in on something that isn't my default browser I need to copy+paste the link (often just clicking the link authorizes the source session but not always and you don't know what this site does so you need to do it to be safe). Now you are finally logged in but probably have two tabs open. Either you need to find the first one to continue your session (if it logged that one in) or close it and lose your history for that tab (and hope that the website actually maintained your target page which more often than not it didn't).

paradox460 | 8 months ago

The biggest pet peeve of mine in this area is "magic link" auth. Instead of letting you use a password and OTP, which can be managed by a password manager, they send you an email so you can click a link to get into their app.

That's right, you have to wait for an email to arrive, make it through the spam gauntlet, and then click the link in the email, likely covered in trackers, just to get into a website or app. And here I thought people wanted to keep you on their site as much as possible.

notfed | 8 months ago

I'm confused by this comment. Can you clarify exactly which poor design flow you're talking about?

tpxl | 8 months ago

1. Input username/password -> get email otp code.

2. Forget password -> get email for new password -> input username/new password -> get email otp code.

The only actual security factor here is your [email, email password]; everything else is just silly rigmarole.

spacebanana7 | 8 months ago

Email OTP can be useful as a layer in risk based authentication.

If someone tries to log on to your site from a low-reputation VPN, throwing an email OTP challenge can give some assurance it’s a genuine user logging in, rather than a spammer or something like that.

Freebytes | 8 months ago

Yes, it makes sense if the environment has changed, the device has changed, or if the person is logging in from a higher threat source such as a VPN IP address. However, if nothing changed, it is a waste of time in many cases.
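As an added example (constructed here, not code from any commenter) of the risk-based policy spacebanana7 and Freebytes describe: a step-up decision that asks for an email OTP only when the device, network or IP reputation has changed, and skips it when a reset link to the same mailbox was just completed, which is tpxl's point that the code would re-prove the same factor. The reputation score, the ASN lookup and the 0.3 threshold are assumed inputs from an upstream IP-intelligence service; the ASNs in the comments are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed threshold: reputation scores below this are treated as
# anonymising VPN / proxy ranges. The score itself is assumed to come
# from an upstream IP-intelligence lookup (not part of this example).
LOW_REPUTATION = 0.3


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)  # device cookies seen on verified logins
    known_asns: set = field(default_factory=set)     # source networks seen on verified logins


@dataclass
class LoginAttempt:
    device_id: str              # value of a long-lived device cookie / fingerprint
    ip_asn: str                 # e.g. "AS64496" (constructed, RFC 5398 documentation range)
    ip_reputation: float        # 0.0 (known bad) .. 1.0 (clean), assumed upstream score
    email_proved_recently: bool = False  # a reset link to the same mailbox was just completed


def risk_signals(profile: UserProfile, attempt: LoginAttempt) -> list:
    """Collect the context changes that would justify a step-up challenge."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("new_device")
    if attempt.ip_asn not in profile.known_asns:
        signals.append("new_network")
    if attempt.ip_reputation < LOW_REPUTATION:
        signals.append("low_reputation_ip")
    return signals


def decide_challenge(profile: UserProfile, attempt: LoginAttempt):
    """Return (challenge, signals); challenge is 'email_otp' or None."""
    signals = risk_signals(profile, attempt)
    if not signals:
        return None, signals  # nothing changed: the password alone is enough
    if attempt.email_proved_recently:
        # Mailbox control was demonstrated moments ago by the reset link; a
        # second code sent to the same mailbox adds no independent evidence.
        return None, signals
    return "email_otp", signals


def record_verified_login(profile: UserProfile, attempt: LoginAttempt) -> None:
    """Enrol the device and network once the user has passed the challenge."""
    profile.known_devices.add(attempt.device_id)
    profile.known_asns.add(attempt.ip_asn)
```

The second return value lists the signals so the decision can be logged with its reason, which is what an analyst needs when reviewing why a given login was or was not challenged.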