
I need your point of view about a login method.

On pages.casa, I want to add the possibility to edit/create blog post directly in the browser (simpler than FTP/SFTP file transfer).

To avoid users having to manage a password which could differ from their FTP/SFTP account, I'd like to propose logging in with a link sent by email:

  • User opens the login page
  • Enters her/his email associated with the account.
  • System sends a one-shot login link valid for 20 minutes
  • User opens the link with her/his browser and confirms to use it to connect.
  • Access to the back-office is granted

#php #security #dev

7 replies

Andre, @leitzke@hachyderm.io

@gmazzap @adele I understand that email is a secondary method, and I absolutely understand that what I am thinking may very well be less than 1% of the cases, however e-mails have a few challenges...

In terms of availability: I would guess that the group that is looking at alternatives which are not so "mainstream", which seems to be the main target, are also more likely to have self-hosted email solutions than the general population, and there we may have instances where deliverability can be spotty and either take longer or fail entirely.

As for security: as Giuseppe well noted, e-mail is not safe. Most people are not used to email encryption and that is always an extra step. Plain e-mails are notoriously vulnerable to MITM attacks, so even if the short time helps to keep things safe, it's never 100% trustworthy.

And there's also the human factor of it... I personally don't feel 100% safe if my only method of accessing something is via email (I reckon that is not the case, as you said, people can edit via FTP)... What if my email provider blocks my account? What if they decide to reject your emails as spam, because maybe you send from an IP that is used by bad actors?

I think the best passwordless authentication nowadays would be passkey, but I - as a user - would still feel a bit safer with the option of password and 2FA, as I am personally slow to adopt new authentication methods.

Sorry for the long text, but I felt that it would be better to give more context to my point of view. And also, what I am saying reflects my experience and preferences, and it is in no sense an absolute truth. :)

Benoit, @_CuriousBen@mastodon.gougere.fr

@adele I hate this. In order to log in one must:
- Open a new tab/window on their browser
- Click on a button to login
- Switch to their inbox
- Wait for an email
- Open the email
- Click on a link that will open a new tab/window in their browser
- Close the previous tab

I'd rather log in with a password!