Ask HN: Password Reset Flow as Login?
I'm thinking about making an authentication workflow where you just ask for one time login link and it gets sent to your email/phone, you click it and get your session. Any reason this is a Bad Idea™? It's for a not super critical service and users might go a couple months in between uses so I was thinking it'd be nice to not give them a passwordless option.
6 comments
[ 3.2 ms ] story [ 27.2 ms ] threadIn other words, your idea is based on the presumption that you're only protecting your service and the data of your users you keep, but in reality you risk your users' other data by offering an easy hack.
I get what you're saying but if they already have access to the user's email inbox then I consider the user popped and I'm not afraid of them being further compromised by some cute correlation attack because the attacker also now knows where they rent a kayak from. If anything it reduces their risk because now if my db got compromised there's no password hash to crack.
So there's money involved?
Your best move would be to hire a security expert to consult and assess your risk surface. Unless you are OK with seeing your company on the front page of HN when the inevitable compromise happens.
https://supabase.com/docs/guides/auth/auth-email or https://auth0.com/docs/authenticate/passwordless/authenticat...