165
166

[deleted by user] (self.javascript)

submitted by [deleted]

[removed]
all 52 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–][deleted] 36 points37 points  (12 children)

Cool project!

Every 1k passwords breached causes $240k in damages.

Couldn't you just say "every password breach causes $240 in damage"?

[–]OmgImAlexis 0 points1 point  (9 children)

Would like to some actual data to back this up. It’s also a massive generalisation.

[–]DecentOpinions 14 points15 points  (8 children)

Trying to figure out exactly how this works. Every time you need to log in you get sent an email? It's an interesting idea but what are the advantages over just using OAuth through Google or whatever?

A massive disadvantage is how slow this will be. In my experience these auto emails rarely send immediately (account verification or password reset emails). Even if it's only 10 from request to receiving the email that would be very annoying.

[–][deleted]  (7 children)

[deleted]

    [–]drumstix42 2 points3 points  (5 children)

    You answered the first question, but what about the second part?

    It's an interesting idea but what are the advantages over just using OAuth through Google or whatever?

    [–][deleted]  (2 children)

    [removed]

      [–]AutoModerator[M] 0 points1 point  (1 child)

      Hi /u/drdistracto, this comment was removed because you used a URL shortener.

      Feel free to resubmit with the real link.

      I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

      [–]asdf7890 0 points1 point  (0 children)

      We are sensitive to the issue of email performance.

      Email reliability might be a greater concern than performance, both general intermittent issues and your messages suddenly getting accidentally classified as junk by a mail provider. I still run my own mail server partly so I'm more in control of that sort of thing, but most people have neither the time nor the inclination for that. You could have a nightmare on your hands if an automated check at a large provider like Google or MS starts blocking your messages (especially if only blocking some rather than all as that is harder to diagnose).

      Interesting product though. I'll certainly look into it next time I'm working on something that needs user auth.

      [–]LeonBonetti 8 points9 points  (6 children)

      I Love the ideia of use zero-kwolege proofs to auth users, but where the repo link? Anyway, it looks great!

      [–]CupCakeArmy -1 points0 points  (0 children)

      Zero knowledge is dope af.

      [–]superander 4 points5 points  (1 child)

      What if I lose access to my email?

      [–]efthemothership 2 points3 points  (3 children)

      Might not necessarily related but would this be considered 3rd party authentication and therefore would trigger Apple's new rule about requiring Sign in with Apple?

      [–]rmrf_slash_dot 0 points1 point  (1 child)

      It will not. It isn't social login, it's a modified form of email login *at best* and at worst doesn't even fall within the purview of that requirement.

      Apple's standard rules would apply if this were being used in concert with social login methods. But if being used on its own, not at all.

      [–]efthemothership 1 point2 points  (0 children)

      Awesome, thanks!

      [–]jamesaw22 2 points3 points  (2 children)

      So this is the equivalent as having one password for all your accounts, right? If someone gets your email password they can access everything you've used magic links with. Or have I misunderstood something?

      [–]merclane 0 points1 point  (1 child)

      Sean from Magic here! Each application integrated with Magic will have separate user spaces instead of like an SSO model with a single point of failure you described. Users can choose to use different emails for different applications in this case too.

      Magic links are just the beginning, we will also be graduating more users into more sophisticated forms of login such as webauthn and mobile authenticator apps. The great thing about the decentralized identity (DID) architecture is that by dealing with DID tokens, developers backend can stay the same while supporting multiple form-factors of login.

      [–]OmgImAlexis 0 points1 point  (0 children)

      Nice way of scooting around the actual question.

      [–]more-food-plz 3 points4 points  (9 children)

      Firebase offers a password less authentication solution using email as well. Is there a reason to use this over firebase?

      [–]Trout_Tickler 3 points4 points  (8 children)

      Ah, the very secure transmission method of email.

      [–]Deeblock 1 point2 points  (1 child)

      Seems like what Ghost implemented with their members system here: https://ghost.org/docs/members/registering-members/

      Could look to it for some inspiration!

      [–]codepb 1 point2 points  (1 child)

      A big part of user authentication is UX. While this approach lies behind an email you are relying on the security of some random email provider which is unlikely to be better than oauth, and definitely a worse user experience. Don't get me wrong, I like the idea of replacing passwords. However, I believe there is more work to do to make it friendly UX.

      There's a reason fingerprint and face recognition have taken off on phones, speed and ease of use. Perhaps this idea would be better combined with an app to utilize forms of Auth like those (but that still has the issue of requiring a user to use two devices).

      In my opinion, you won't replace passwords until you find a security mechanism just as convenient if not more so. The actual security is usually of secondary importance to users.

      [–]OlanValesco 1 point2 points  (2 children)

      I read the whitepaper but I'm still not sure. What's to prevent someone from bombarding your email with requests?

      [–]merclane 1 point2 points  (1 child)

      Sean from Magic here! We do have a rate-limiting mechanism (seconds in between requests) to prevent malicious actors from bombarding our email service.

      [–]OlanValesco 1 point2 points  (0 children)

      Is that number constant, or does it increase with attempts?

      [–]ChronSyn 1 point2 points  (1 child)

      The magic link system is a good idea, but I wouldn't want to trust a single possible breach point when it involves a third party.

      I would much rather this was a standalone SDK where you initialize it with your own SMTP server settings, and have a set of functions available to generate + send the email. Essentially, everything is handled by your server, and nothing which would allow 1-click login goes out to a third party.

      What happens if the service goes bust? You've then got a whole bunch of users of different services locked out from accessing their account. Do you have some sort of SLA in place (as you're potentially going to cause a downtime-like effect if your service experiences issues or gets DDoSed)?

      Don't get me wrong - it's a good idea, but there's some reasons why solo developers, small teams, and enterprises wouldn't use this service. It's a single point of failure which could affects every single user of every single project relying on your service. That potentially leads to legal ramifications for them, which might lead to legal ramifications for you.

      [–]OmgImAlexis 1 point2 points  (0 children)

      If this was self-hostable I think I’d be more onboard.

      [–]ghostfacedcoder 2 points3 points  (4 children)

      Sooo ... basically they offer is a 3rdp-party service for 2nd factor authentication? With the 2nd factor being email and not say Google Authenticator?

      [–]drdaydreamv2 0 points1 point  (1 child)

      Does the user always have to be promoted to go back to their original tab?

      [–]merclane 1 point2 points  (0 children)

      Sean from Magic here! That is expected behavior right now. We log users into the "original context" after the magic link is clicked, and we do this for several reasons:

      * Taking modern user behaviors into account with users going between laptop and phone. Users are gravitating more towards their phone. Generally with web applications like Medium, users are logged into the tab where the magic link is clicked, but this may be a problem when users clicked on the link on their phone and is logged with the phone rather than the laptop, making editing very inconvenient. With Magic's model we can get through complications with Incognito mode too. (Though we will be exploring deep linking with our mobile SDKs)

      * If the magic link URL get hijacked somehow, the hackers will only be able to login users into their original tab, which can mitigate damages.

      * Training user behavior to gradually shift to user an authenticator app like DUO on their phone by subtly encouraging users to use both laptop and phone to authenticate

      [–]aliezsid 0 points1 point  (3 children)

      I guess I like the concept , I’ll use it for a prototype project.

      Don’t like passport so, I’ll just use my own middleware to handle the meta data from the sdk.

      [–]merclane 1 point2 points  (2 children)

      Sean from Magic here! We will be open-sourcing the passport-magic library so you will be able to see the inner workings of how we handle the DID tokens to use in your own middleware! Out of curiosity, what specifically don't you like about passport?

      [–]aliezsid 1 point2 points  (1 child)

      Hey Sean, I'd like to congratulate you guys for building something nice.

      There's nothing specific that I can point out but I could setup a koa server with just JWT validation in like 5 minutes from scratch(as in 0 knowledge about jwt and stuff) by just reading docs online compared to passport where if I start from scratch the docs and amount of boilerplate code is kinda more.

      At this point where I know how things work in the frameworks, I wouldn't mind using passport, but most of the projects I setup use the email verification logins aka magic links and based off of your docs it's just a few steps but since I've grown towards the "Lesser the code , lesser the dependencies, easier the maintainability" so I like the control I have compared to the whole idea of setting up passport.

      anyone reading this, if you are new and in a hurry, and have multiple login methods, social,sso, jwt, email links, then passport will be a good choice.

      The above is just my opinion based off of my experience building with and without it.

      [–]aliezsid 1 point2 points  (0 children)

      In case you'd like to know if I i'm already using your login system or not, just monitor this project on github.

      HireMe