
Experiences with Email-Based Login - justinucd
https://www.arp242.net/email-auth.html
======
tgsovlerkhgsel
An organization I'm a member of uses this for sign-in to the membership
management platform. There, I think it works well, and I haven't been annoyed
by it. I use it rarely, and definitely rarely enough that if I tried to
memorize the password I'd have to go through the password reset workflow every
time.

Scaleway (basically a cheaper, European version of DigitalOcean) offers this
option, and it annoys me because it used to mean an extra button click before
the password field shows up. (Nowadays, they instantly detect that your
password manager filled out the password after you click the button and then
instantly log you in.)

I think it's a viable alternative for something that people use rarely, but
for frequent actions, "site specific bearer token managed by your browser" is
the most convenient for most people, and the easiest way to implement that
right now is with a password (which may be generated by the browser, saved by
the browser, and filled by the browser).

Is there any API that explicitly has the browser authenticate with a
cryptographic key that reliably works across the major browsers and syncs from
one device to another? WebAuthn seems to be going in that direction - but is a
mode that doesn't require a U2F key supported in practice?

------
1cvmask
I started to avoid using such sites and services with the “unmagical” email
link. Was especially frustrating when I don’t have the multiple emails on my
multiple devices. The iPad I use does not have my work email set up for
example. I use a password manager and this annoyance is not necessary at all.

Maybe sites can offer both choices if they insist on email authentication.

There is also a huge swath of humanity who do not interact with emails
anymore, especially in developing countries.

Many sites in India offer both username/password and the option of logging
in with your mobile number and a text entry code sent.

