I want to part ways with passwords, should I send my users a login link (via email, chat or sms) that contains an OTP? Is it safe? What known attacks are out there?
W3C has a list of recommendations [1] on links like this, which they call 'Capability URLs'.
To summarize, the token should be random and long, so the keyspace is expensive to exhaustively search. The primary risk is exposure, this can happen due to user carelessness, being captured on a foreign server via an incoming Referer header, and others.
1 comment
[ 3.0 ms ] story [ 14.5 ms ] threadTo summarize, the token should be random and long, so the keyspace is expensive to exhaustively search. The primary risk is exposure, this can happen due to user carelessness, being captured on a foreign server via an incoming Referer header, and others.
[1] https://w3ctag.github.io/capability-urls/