"you really have no hope of knowing whether or not your account has been compromised/used for some nefarious purpose already" this is an interesting point. Although the same would be true if your password to site in…
Agree with this. I don't see why you cannot add 2FA to email based login flows.
I believe we have to view from the context of how most sites do auth, which is email + password with an 'email recovery' for the password. This is effectively the same thing with worse UX and an added attack vector of…
Yes exactly. If the email itself doesn't require MFA, you can always add MFA on top of email magic links.
Yeah the big providers will not be encrypting at rest for sure. Even if so, the encryption keys would lie with the provider and not the end user, which kind of defeats the purpose.
Perhaps a better title would be "trade-offs between security and UX for Magic Links"? Actually agree with most of what you said (bar the first sentence ;)) 2 key things highlighted in the post though: 1. The trade-offs…
"you really have no hope of knowing whether or not your account has been compromised/used for some nefarious purpose already" this is an interesting point. Although the same would be true if your password to site in…
Agree with this. I don't see why you cannot add 2FA to email based login flows.
I believe we have to view from the context of how most sites do auth, which is email + password with an 'email recovery' for the password. This is effectively the same thing with worse UX and an added attack vector of…
Yes exactly. If the email itself doesn't require MFA, you can always add MFA on top of email magic links.
Yeah the big providers will not be encrypting at rest for sure. Even if so, the encryption keys would lie with the provider and not the end user, which kind of defeats the purpose.
Perhaps a better title would be "trade-offs between security and UX for Magic Links"? Actually agree with most of what you said (bar the first sentence ;)) 2 key things highlighted in the post though: 1. The trade-offs…