
Ask HN: Is it a bad idea to send OTP in URL link? - bikamonki
I want to part ways with passwords. Should I send my users a login link (via email, chat or SMS) that contains an OTP? Is it safe? What known attacks are out there?
======
niftich
W3C has a list of recommendations [1] on links like this, which they call
'Capability URLs'.

To summarize, the token should be random and long, so the keyspace is
expensive to exhaustively search. The primary risk is exposure; this can
happen due to user carelessness, being captured on a foreign server via an
incoming Referer header, and others.

[1] https://w3ctag.github.io/capability-urls/
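One way to put those recommendations into practice, as an added example that is not part of the thread or of the W3C document: the token carries 256 bits of entropy, the server stores only its hash, it expires after a short window, and it is consumed on first use. The `example.test` base URL, the in-memory `_pending` store and the header set for the login page are assumptions made for the illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_BYTES = 32            # 256 bits of randomness: exhaustive search is infeasible
TOKEN_TTL_SECONDS = 15 * 60  # short validity window limits the damage of a leaked link

# Constructed in-memory store of pending tokens. It is keyed by the token's
# SHA-256 digest, so a copy of this table cannot be turned into working links.
_pending = {}


def issue_login_link(user_id, base_url="https://example.test/login", now=None):
    """Create a single-use login token and return the capability URL carrying it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, URL-safe alphabet
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = {"user_id": user_id, "expires": now + TOKEN_TTL_SECONDS}
    return f"{base_url}?{urlencode({'token': token})}"


def token_from_url(url):
    """Extract the token query parameter from a login URL (None if absent)."""
    values = parse_qs(urlparse(url).query).get("token", [])
    return values[0] if values else None


def redeem_token(token, now=None):
    """Return the user id if the token is known, unused and unexpired, else None."""
    now = time.time() if now is None else now
    if not token:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    # pop() makes the token single-use: anyone presenting the same link later,
    # for example after it was exposed, finds nothing to redeem.
    entry = _pending.pop(digest, None)
    if entry is None or now > entry["expires"]:
        return None
    return entry["user_id"]


def login_response_headers():
    """Headers for the page that receives the link (assumed values).

    Referrer-Policy: no-referrer keeps the token out of Referer headers sent
    to third-party resources, one of the exposure paths named above; the
    no-store directive keeps the URL out of shared caches.
    """
    return {
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    link = issue_login_link("alice")
    print("link:", link)
    print("first redemption:", redeem_token(token_from_url(link)))
    print("second redemption:", redeem_token(token_from_url(link)))
```

After a successful redemption the handler should redirect to a tokenless URL so the link does not remain in the address bar or browser history.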

