
Email Sign-In Links - dkopi
https://hashnode.com/post/email-sign-in-links-cio03gpez00iopz53tw2660cq
======
stephenr
This has been suggested before, and the same problems are never answered:

Email is not guaranteed to be secure in transit. This type of authentication
system gaining popularity would _greatly_ increase the incentive for
in-transit email scanning.

A mailbox is not a password store, and with several "new" mail clients
operating with their own server-side component between you and your real mail
server, this type of authentication becomes a waiting game of the first major
breach.

A good password manager will suggest strong random passwords, store them
securely _and_ conveniently, and if you choose, sync them to your other
devices.

This problem is solved, it's just a shame some people insist on repeatedly
yelling about how a less reliable, less secure solution is _better_.
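
The issuance and redemption logic of an email sign-in link, as an added example that is not code from the linked post or from any commenter. It shows the mitigations a practitioner would apply to the interception and mailbox-breach concerns above: a 256-bit random token stored only as a hash, a short expiry, single use, binding to the address it was issued for, and an optional cookie set in the requesting browser so that a copy of the email alone is not enough. The TTL, the verify URL, the in-memory store and the injectable clock are assumptions so the code runs offline.

```python
"""Magic-link ("sign in via email") issuance and redemption.

Added example; the store is in-memory and the clock is injectable for testing.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # hypothetical value; a short lifetime shrinks the interception window
BASE_URL = "https://app.example.test/login/verify"  # hypothetical endpoint


def _hash(value):
    # Only hashes are stored, so a leaked table does not yield usable links.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def token_from_link(link):
    """Extract the token query parameter from a link produced by issue()."""
    return parse_qs(urlparse(link).query).get("token", [""])[0]


class MagicLinkStore:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # token hash -> (email, expires_at, cookie hash or None)

    def issue(self, email, bind_cookie=False):
        """Create a link for `email`.

        Returns (link, cookie). `cookie` is the value to set in the browser
        that requested the link (None when bind_cookie is False); redemption
        from a browser without it fails, so an intercepted email is useless.
        """
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe alphabet
        cookie = secrets.token_urlsafe(32) if bind_cookie else None
        self._pending[_hash(token)] = (
            email.strip().lower(),
            self._now() + TOKEN_TTL_SECONDS,
            _hash(cookie) if cookie else None,
        )
        return "%s?token=%s" % (BASE_URL, token), cookie

    def redeem(self, token, cookie=None):
        """Consume a token. Returns the verified email address, or None."""
        # pop() makes the token single-use even when a later check fails,
        # so a replay after a failed attempt cannot succeed either.
        entry = self._pending.pop(_hash(token), None)
        if entry is None:
            return None
        email, expires_at, cookie_hash = entry
        if self._now() > expires_at:
            return None
        if cookie_hash is not None:
            if cookie is None or not hmac.compare_digest(_hash(cookie), cookie_hash):
                return None
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    link, cookie = store.issue("alice@example.test", bind_cookie=True)
    print("send by email:", link)
    print("set in browser:", cookie)
    print("redeemed as:", store.redeem(token_from_link(link), cookie=cookie))
    print("second use:", store.redeem(token_from_link(link), cookie=cookie))
```

The cookie binding is a trade-off: it defeats the "request on my desktop, click on my phone" flow the later comments care about, so a deployment that wants cross-device links has to rely on the short TTL and single use alone. Note also that a redemption attempt with the wrong cookie burns the token, so an interceptor can force the user to request a fresh link but cannot sign in.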

~~~
dkopi
Very valid points; some of them are already addressed in the post.

Password managers do solve A problem, but I'm not sure they solve THE problem.
They're great when you have a browser extension, but leaving the app, entering
another app, and then copying and pasting on mobile is difficult.

There's also a trust issue with giving all your credentials to one app.

The biggest problem that password managers haven't solved yet, is adoption.
LastPass has 4 million Chrome installs. It has 1-5M Android downloads. That's
still a drop in the ocean compared to how many users are out there.

~~~
stephenr
> They're great when you have a browser extension, but leaving the app,
> entering another app, and then copying and pasting on mobile is difficult.

Agreed, but again - the answer here is not some elusive "login via email link"
- how do you even _do_ that in a native app?

As with the password manager situation, I believe Apple's approach is right in
this space too - auth form fields in _native apps_ on iOS can hook into the
saved passwords system (aka Keychain). I have _yet_ to see it used in a real
app, but I don't use that many apps either, so it's possible support is
widespread.

> The biggest problem that password managers haven't solved yet, is adoption.

Windows has a built-in password manager. OS X/iOS has a built-in password
manager. Even if you discount those who don't use the built-in solution, that
is surely tens if not hundreds of millions.

I have no idea how good the Microsoft solution is - but Apple's is good enough
that I wonder why people think good, _secure_ password management is some
mythical beast that will never be realised.

~~~
dkopi
There was a great link someone commented on the post itself, describing how to
implement a "login via email link" on mobile.
https://auth0.com/blog/2015/12/04/how-to-implement-slack-like-login-on-ios-with-auth0/

I haven't spent much time reading it, but I guess it works with deep-linking -
the mechanism used when you click on a link to Facebook.com and it takes you
to the Facebook app instead of the Facebook webpage.
https://developer.apple.com/library/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html

~~~
stephenr
That only works for first-party website/app combinations. E.g. if HN
implemented "email auth links", there would be no way for any third-party HN
reading apps to authenticate a user.

~~~
dkopi
Interesting use case. I'm really enjoying this discussion.

I'm guessing this could be solved if third-party apps register to handle
"news.ycombinator.com" links. I don't think there's any enforcement by Apple
or Google that you actually own the domain.

~~~
stephenr
There specifically is enforcement by Apple with the new Universal Links
feature (which that auth0 article talks about).

Without the enforcement, it's arguably not secure unless the user is prompted
"do you want to open this link in Xyz.app"

With the enforcement (you have to upload a special file to the web server(s) for
the domain(s) you want to "claim" for your app) third parties cannot have the
same level of integration (which is not limited to just auth - I'd love
Twitter links to open in my native, non-official client).

Honestly I think the "solution" already exists and just needs polish:

- Better password managers built in to browsers/OSes

- MUCH better handling of private keys and client certs on user devices (add
client cert syncing via iCloud Keychain for example)

- wider knowledge and use of 2FA systems
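
A simplified model of the domain-ownership check behind Universal Links that the comment above describes, as an added example that is not code from Apple, the auth0 article or any commenter. The file name and location (`/.well-known/apple-app-site-association`, fetched over HTTPS) are real; the sample document, the team ID `ABCDE12345`, the bundle identifiers and the host names are constructed. Apple's real path-matching rules are richer than the `*` glob and `NOT ` exclusion modelled here, and the order of patterns matters: the first pattern that matches decides, so exclusions are listed first. The point it makes is the one in the thread: a third-party reader app whose app ID is not in the file served by the domain cannot claim the domain's links, so it cannot receive an email sign-in link for that site.

```python
"""Model of the apple-app-site-association (AASA) check for Universal Links.

Added example with constructed data; it does not fetch anything and is a
simplification of the OS behaviour.
"""
import fnmatch
import json
from urllib.parse import urlparse

# Real location of the file on the claimed domain; the OS retrieves it over HTTPS.
AASA_PATH = "/.well-known/apple-app-site-association"

# Constructed sample. "ABCDE12345" and the bundle id are hypothetical.
# Exclusions come first because the first matching pattern wins.
SAMPLE_AASA = json.dumps({
    "applinks": {
        "apps": [],
        "details": [
            {
                "appID": "ABCDE12345.com.example.news",
                "paths": ["NOT /login/admin/*", "/login/*"],
            }
        ],
    }
})


def _path_allowed(path, patterns):
    """Return True if `path` is claimed by `patterns` (first match decides)."""
    for pattern in patterns:
        deny = pattern.startswith("NOT ")
        glob = pattern[len("NOT "):] if deny else pattern
        if fnmatch.fnmatchcase(path, glob):  # '*' matches any run of characters
            return not deny
    return False


def app_may_open(aasa_json, served_from_host, app_id, url):
    """Decide whether the app identified by TEAMID.bundleid may open `url`.

    `served_from_host` is the host the AASA document was fetched from; a link
    is only eligible if it is an https URL on exactly that host.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != served_from_host:
        return False
    doc = json.loads(aasa_json)
    for entry in doc.get("applinks", {}).get("details", []):
        if entry.get("appID") != app_id:
            continue  # an app not listed by the domain owner never qualifies
        if _path_allowed(parts.path, entry.get("paths", [])):
            return True
    return False


if __name__ == "__main__":
    host = "news.example.test"
    link = "https://news.example.test/login/verify?token=abc"
    print("first-party app:", app_may_open(SAMPLE_AASA, host, "ABCDE12345.com.example.news", link))
    print("third-party reader:", app_may_open(SAMPLE_AASA, host, "XYZ99.com.thirdparty.reader", link))
```

Without this check (the situation the earlier comment imagined, where any app can register for `news.ycombinator.com`), a malicious app could register for the site's login path and harvest sign-in links; with it, the site owner decides which app IDs may receive them, which is also why an independent client cannot get the same integration.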

