Ask HN: Password Reset Flow as Login?

1 points by BWStearns ↗ HN
I'm thinking about making an authentication workflow where you just ask for one time login link and it gets sent to your email/phone, you click it and get your session. Any reason this is a Bad Idea™? It's for a not super critical service and users might go a couple months in between uses so I was thinking it'd be nice to not give them a passwordless option.

6 comments

[ 3.2 ms ] story [ 27.2 ms ] thread
What happens when the users phone or email is hacked or compromised? What if they lose access to that email address, or get a new phone number? Email and SMS are not secure (despite the use of SMS for 2FA).
Yeah I know that part (but that also applies to email/sms based 2fa with passwords), no one is wasting a good sim cloning hookup on this particular service.
Except that they might. Maybe your particular service is of little value, but the data about your users can still be of use, when motivated parties can associate it with other datasets and match up people across services. Easy enough to do with email and phone numbers. That can be a source of information to hop to another service used by the same user and compromise a more valuable service, say a bank account.

In other words, your idea is based on the presumption that you're only protecting your service and the data of your users you keep, but in reality you risk your users' other data by offering an easy hack.

Doesn't this criticism apply to any service that allows password resets using email?

I get what you're saying but if they already have access to the user's email inbox then I consider the user popped and I'm not afraid of them being further compromised by some cute correlation attack because the attacker also now knows where they rent a kayak from. If anything it reduces their risk because now if my db got compromised there's no password hash to crack.

> rent a kayak

So there's money involved?

Your best move would be to hire a security expert to consult and assess your risk surface. Unless you are OK with seeing your company on the front page of HN when the inevitable compromise happens.