
Ask HN: Are auto login tokens in transactional emails bad practice? - sspross
Hi HN, what do you think about auto login tokens in transactional emails? If the user has multiple devices (e.g. desktop at work, iPad at home) it's just very convenient. We also offer login with social accounts (e.g. Facebook, Google) but most of our users still register by email.

What's your opinion?
======
Isammoc
I've seen a website without a password. To log in, you have to fill in your email
address, and they send you an email with a one time auto login token.

It was great!

But (because there is a "but") it was (I repeat) a _one time_ auto login
token.

If there was a forever auto login token, this mail may be lost, duplicated, or
worse, compromised.

The _one time_ auto login is "secured" in the way that you know you will have had first
access to this mail (mail is mostly unsafe) if the link worked.

Advantage: only one password (double authenticated for several providers) for
your mail. As would an OAuth connection.

In a transactional mail? Muh... "transactional" means with an action, but
commonly with a paid action, with private information like a credit card
number... I will not feel safe if in the same email I have a confirmation that I
have paid for something (i.e. advice about payment information is provided) and a
link that allows the mail reader to get that information.

Those were my 2 cents.
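An added example, not code from the thread or from any poster, of the _one time_ auto login token described in the comment above, as a defender would build it: the emailed token is random, short-lived, stored server-side only as a hash, and deleted the moment it is redeemed, so a mail that is lost, forwarded or read later cannot be replayed. The in-memory dictionary stands in for a database table, and the function names and the 15-minute lifetime are assumptions of this example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store standing in for a database table:
# token_hash -> (email, expires_at). Only the SHA-256 of the token is kept,
# so a leaked table does not yield usable login links.
_pending: Dict[str, Tuple[str, float]] = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a link is only good for 15 minutes


def _digest(token: str) -> str:
    """Hash the raw token; the raw value only ever lives in the email."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_token(email: str, now: Optional[float] = None) -> str:
    """Create a single-use login token for `email` and return the raw token
    to embed in the emailed link. Only its hash is stored server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    _pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def build_login_link(base_url: str, token: str) -> str:
    """Assumed link format; the token travels only over HTTPS in the query string."""
    return f"{base_url}/login?token={token}"


def redeem_login_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Consume the token. Returns the email on success, or None if the token is
    unknown, already used, or expired. The record is removed before any check,
    so a second presentation of the same link always fails."""
    now = time.time() if now is None else now
    record = _pending.pop(_digest(token), None)  # pop deletes: one-shot by construction
    if record is None:
        return None
    email, expires_at = record
    if now > expires_at:
        return None  # stale link: already gone from the store, nothing to replay
    return email
```

Because the stored value is a hash of a high-entropy random token, a database read does not give an attacker a working link, and the dictionary lookup on the digest leaks nothing useful through timing. One practical caveat when deploying this pattern: some corporate mail gateways pre-fetch every link in an incoming message, which would consume a one-shot token before the user clicks it, so the landing page should confirm with a POST (or a button) rather than redeem on the bare GET.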

