If your entire business centers around "one click"... then what features would that app even have?
Also, being able to manage your logins and account via an App instead of their website is always appreciated.
> This approach is not recommended for most reliers. Persona has a large and complex codebase that has not seen significant development in several years, and Mozilla will not provide security or maintenance updates after 30th November 2016.
Doesn't seem like a very good option for people today...
But nobody used it. No email providers, no websites. You could fall back to Mozilla's Persona instance to try it out, but the user experience was not amazing. It kinda fizzled out.
It's not the worst idea, especially for low risk stuff. I'm not sure I'd use it for ecommerce though.
Any idea, other than maybe phishing?
That being said, I like the idea and have asked myself that question before as well.
1. I enter my email address on the sign in screen on Fast.co in Tab A.
2. I get an email with a "Login" button in it in Tab B.
3. I click the "Login" button and it opens Tab C and tells me I'm now logged in in Tab A.
4. I go back to Tab A and I'm logged in.
Here's the problem: A hacker sitting next to me sees me type my email in to Fast.co or some site that uses Fast login. They type my email in too. I get two emails with Login buttons. How do I know which one logs me in and which one logs in the hacker? If I click the wrong one, the hacker gets a cookie on their machine that gives them access to my account for 30 days.
It could be something like a sequence of 3 emojis because matching numbers is hard.
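The matching-code idea above, as an added example (not part of the thread and not Fast's implementation): each login request gets a three-emoji code shown both in the requesting tab and in its email, and approving a link signs in only the browser that started that request. The function names, the TTL and the in-memory store are assumptions.

```python
import secrets
import time

EMOJI = ["🐶", "🍕", "🚀", "🌵", "🎸", "🔑", "🐙", "🍋",
         "⚽", "🌙", "🎲", "🦊", "🍩", "🚲", "🔔", "🌈"]
TTL_SECONDS = 600   # assumed lifetime of an emailed link
PENDING = {}        # email token -> request record (stand-in for a database)


def start_login(email, browser_id, now=None):
    """A browser submitted an email address on the sign-in page."""
    now = time.time() if now is None else now
    # Codes still outstanding for this address, so two emails never look alike.
    in_use = {r["code"] for r in PENDING.values()
              if r["email"] == email and r["expires"] > now}
    while True:
        code = "".join(secrets.choice(EMOJI) for _ in range(3))
        if code not in in_use:
            break
    request_id = secrets.token_urlsafe(16)  # handed to the tab, used for polling
    token = secrets.token_urlsafe(32)       # only ever sent in the email link
    PENDING[token] = {"email": email, "browser_id": browser_id, "code": code,
                      "request_id": request_id, "expires": now + TTL_SECONDS,
                      "approved": False}
    return request_id, token, code          # code is displayed in tab AND email


def approve(token, now=None):
    """The link in an email was clicked. Returns the code that was approved."""
    now = time.time() if now is None else now
    req = PENDING.get(token)
    if req is None or req["expires"] <= now or req["approved"]:
        return None                         # unknown, expired or reused link
    req["approved"] = True
    return req["code"]


def session_for(request_id, browser_id):
    """Polled by the sign-in tab; only the originating browser is signed in."""
    for token, req in list(PENDING.items()):
        if req["request_id"] == request_id:
            if req["approved"] and req["browser_id"] == browser_id:
                del PENDING[token]          # single use
                return req["email"]
            return None
    return None
```

The code only helps if the user compares it before clicking; approving the email whose code does not match the one in their own tab still signs in whoever started that request.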
That would allow the attacker in straight away, while also allowing your original browser in with a bit of faff. There's an active session list, but presumably most users wouldn't be looking at that.
Certainly made me more sceptical as I was otherwise quite interested!
I don't know how to put it mildly, but ... jeez, lol. PH ranking doesn't correlate much with the quality of the products. All this says is that you managed to score some Internet points on a site popular in the SV echo chamber and that you think it's worthy of a mention.
I applaud the initiative, since it removes the couple steps it takes a user to reset their password via "Forgot password" flows. However, this type of auth should really be self-hosted or baked into the most popular frameworks, instead of provided by (yet) another third party you'd have to trust with your users' email address (at the very least).
Raises an interesting attribution problem when Gmail opens it in its own browser though... Unless the email is passing stuff as tracking, those ecom sales are gonna be hard to track...
a) they don't want their passwords going to Google.
b) it's annoying when you saved the wrong one by mistake and now it auto-fills it every time.
c) there is no reason to use one since they only use a bank of 5 or less passwords across all their accounts.