Best practices for Automatic login via notification emails?

2 points by cwhitaker01 ↗ HN
I'm developing a web app that sends the user an email notification to complete a lesson/tutorial. I've added the ability to automatically login the user via the link in that email. This featured has been added to several services around the internet, most notable, OKcupid.

Here's how I've set up my table: http://cl.ly/Q1K2

When a user visits a link via the email, something like: http://example.com/go/IbQlQW8Dn8PNXJFFwHQxwh/hdC4dXQJUPA0pU7I6eUiXawbnobYv0iThA [http:/example.com/go/`key`/`secret`]

The server first checks that the url isn't expired based on the date in the table. If it isn't expired, the user is automatically logged in using the `user_id` and then redirected to the given url in the `action` column. I used two separate values (`key` & `secret`) for the url just for added security (prevent fusking).

Now because of the nature of the site (video lessons), security isn't a huge concern, but I'd still like to know what best practices to consider.

• Should I limit the number of times a link can be used? • Currently I have the link expire 60 hours (3 days) from when the email is sent. Should this be lowered? • Obvious two risks for unauthorized access include someone forwarding the email or someone gaining access to the user's email account. Anything else to consider?

1 comment

[ 5.6 ms ] story [ 12.1 ms ] thread
I'd recommend expiring the link after a single use. A password-less login essentially trades something you know (a password) for something you have (a link). The security of a passwordless system depends on the security of the link... so if it expires once it's been used (which will usually be immediately), the risk associated with the link drops. This also prevents replay attacks.

I'm assuming your site's sessions are longer than the timeout of the sign-in link, so most users won't need to sign in multiple times in a short period anyway.

Also, a couple related links, if you haven't seen them:

http://notes.xoxco.com/post/27999787765/is-it-time-for-passw... https://nopassword.alexsmolen.com