And even if proper passwords are used, many sites/apps use this pattern for account recovery if the password is forgotten, so effectively this is the only security, as an attacker has “forgotten” the password and just uses this flow to log in.
I've got a little generic login tool that bits I write myself use for login, using this method, but it is not for anything sensitive or otherwise important (I just want to identify the user, myself or a friend, so the correct preferences and other saved information can be applied to the right person, and the information is not easily scraped) - I call it ICGAFAS, the “I Couldn't Give A Factor” Auth System, to make it obvious how properly secure it isn't trying to be!
Another issue that email-based “authentication” like this has (though one for the site/app admins more than the end user) is the standard set of deliverability issues inherent in modern handling of SMTP mail. You end up having to use a third-party relay service to reduce the amount of time you spend fighting blocklists as your source address gets incorrectly flagged as a potential spam source.
> And even if proper passwords are used, many sites/apps use this pattern for account recovery if the password is forgotten, so effectively this is the only security, as an attacker has “forgotten” the password and just uses this flow to log in.
Why is NO ONE talking about this? This is exactly why 2FA is less secure than password authentication, because with password authentication the attacker actually has to be able to capture the password in some way, whereas with 2FA, effectively anyone anywhere with skills akin to those of the most junior private investigator has the capability and tools to take over anyone's account "protected" by 2FA.
Yet we're still being told that 2FA is mandatory because security is important, and that somehow 2FA is still more secure.
> And even if proper passwords are used, many sites/apps use this pattern for account recovery if the password is forgotten, so effectively this is the only security, as an attacker has “forgotten” the password and just uses this flow to log in.
Was about to post just this. This is the flow they use for account recovery, so it's the weakest link in the chain anyway.
Well, no. I pay more attention to what I'm doing if I have to recover my account. My typical login is something I have to do every day for every place, so it's easy to become more careless subconsciously.
Since this is about the human accidentally getting tricked into giving a code to a malicious actor, I do think that workflow abuses humans being overtired by too many factors of auth from too many different services. I just want to log in and get my thing done, but now I have to spend time waiting on email, etc.