Edit: changed a word for clarity.
On topic: I generate all my passwords (variable length 30+ characters), and to log into both the Shield and (as a family account) my wife's phone, I had to type (or copy/send) the entire password in using a directional remote or a phone keyboard. No magic email link, no netflix.com/auth request, no PIN number, no personal wife account that I could include into my family plan.
Passwordless solutions can't come soon enough. the email route is fine for me, though I'm sure there could be better solutions too.
How would this ever work for me?
Foregoing the custom domain, some email providers also let you add tags to your address (e.g. firstname.lastname@example.org). I'm aware of some people who use that functionality to have unique email addresses for each service.
$ ldapsearch -LLL uid=dozzie mail | wc -l
And from the view point of a site owner it's even better: you don't handle passwords anymore. Passwords that many users share among several sites. So you won't be responsible for really, really keeping them secure. Because you don't have them.
Additionally, mail providers and browser vendors have much more security knowledge than pretty much everyone offering a web service.
...with n being 2, and sometimes even 0.3. There are few services where
I would want to stay logged in.
If that is so for the user, how does it work for the site owner? Cierge calls my site and requests a login from a given email, then the site backend conjures a URL which Cierge will use to create the magic link sent back to the user?
It would be very helpful to better understand if they explained the workflow for users and site owners.
If anyone can help me understand this and how it's better than OAUTH (logging FB, Google...) I would be grateful.
First: email is not a reliable way of communication. Emails can be delayed. That means, a service using this method has lost me before I even had a chance to look into the details of the service.
Second: my email is deliberately delayed for services who contact me first. It is called Greylisting and still to theses days it works great as a spam protection without consulting and relying on some (dubious) blacklist providers. That comes back to the first point. A service using this kind of on-boarding has lost me before I even had a chance to look at it.
Also using dotnet for things that suppose to run on server still makes me uncomfortable.
But I will try and I hope to change my opinion on projects like that.
Could someone explain how the "magic links/codes" works ?
What I would suggest, rewrite and organize everything and came back. Otherwise solid idea.
This reminds me of slack. The point of a password AND an email is that will essentially make it “two factor”. With email only you are no longer two factor.
Once your email is hacked, you will be globally owned. No password required - they just need to send a simple phishing site to collect your email password.
You’ll also need to logon to your email to access whatever site which means whatever keylogger is installed on whatever computer you use in some public place will also be a threat.
Hope this helps.
This is also true for 99% of online services that have a "forgot password" function that uses your email address. If your site is in the 1% that needs stronger security, then don't use this.
> You’ll also need to logon to your email to access whatever site which means whatever keylogger is installed on whatever computer you use in some public place will also be a threat.
Valid point, but it's an edge case that's not applicable to most people. The most common use for using a public computer is probably checking email. Even that happens less these days, which people just using their phones + public WiFi instead.
Seems unreasonable and insecure.
However, you also need to consider how most people use passwords. Often they have the same password (or very similar password) for many services. Other people essentially use the password recovery flow as their login mechanism. This is more secure and usable than that.
Please don't confuse things. This is only one factor (email or email+password doesn't matter). Two-factor is only if you have one factor on top of this, e.g. U2F, OATH, etc.
It would be great if someone with more knowledge in this field could provide a better solution for this issue.
Edit: Also you could reset password on your e-mail account if was breached.
Edit 2: There are also push notifications sent on mobile apps which acts like boolean type to accept or deny logon process.
Edit 3: If MITM is also laid down in discussion about possible threats then I think end-to-end encryption may help.
Edit 4: Banks usually use "Fill 3, 4, 15, 22.. character from your [placeholder: password, auth card]" method to get rid of key-loggers on clients PCs.
2- Great - this is 2fa and good.
Edit: If my email was breached (and I would know it) I would probably reset password and logon to change all services to populate them with brand new credentials. Then I will try to minimize the threat (i.e. by making impossible to use my accounts - bail out emails, resting credentials or even removing accounts and e-mail) and then find out the best solution for specified scenario and recover after breach with implemented better security.
The Cierge login approach would obviously be inadvisable for protecting something of importance, like your email account.