undefined | Better HN

0 pointsCushman14y ago0 comments

I love this idea. 90% of the time when I use a forgot password link, I'm really trying to auth-by-email. I'm not sure how it would work for reusable links, since that becomes auth-by-URL, which seems significantly less secure— maybe putting HTTP auth in the url would be less likely to be logged at any point?

0 comments

Joakal14y ago

Auth emails are like plaintext passwords. Best combo would be your public key stored on their server. Any future requests, they send you the PGP'd email.

makmanalp14y ago

Isn't this basically the same thing as e-mailing yourself your password?

woodall14y ago

Not if the link can time-out or expire after X [days, minutes, seconds, ect]. When I think of emailing my self the password, I think of storing it in plain text in my email account. When I think of authentication via email I think of a one time use link that allows me to log into a session.

repsilat14y ago

Email is sent in plaintext. It'd be easy enough for an attacker to request an email authentication (which it then sniffs in transit). Expiry time doesn't help much.

Email auth really should be done as Joakal says - your public key stored on their server when you sign up, email auth is encrypted. Trouble is, it's "too hard" for "normal people". If gmail/outlook etc supported it, though, it could catch on.

1 more reply

CushmanOP14y ago

In the same way that forgot password links are. The key difference is that the token expires on its own.

Johngibb14y ago

wouldn't oauth (by gmail perhaps?) be a better solution to this?

CushmanOP14y ago

It is oauth for all intents and purposes— a third party (your email server) authenticates you as the owner of the email address and passes you a secure token.

It's worse in some ways (control, usability, security) and better in others (simpler technologically, everyone has it).

j / k navigate · click thread line to collapse

0 comments

Joakal14y ago

Auth emails are like plaintext passwords. Best combo would be your public key stored on their server. Any future requests, they send you the PGP'd email.

makmanalp14y ago

Isn't this basically the same thing as e-mailing yourself your password?

woodall14y ago

repsilat14y ago

Email is sent in plaintext. It'd be easy enough for an attacker to request an email authentication (which it then sniffs in transit). Expiry time doesn't help much.

1 more reply

CushmanOP14y ago

In the same way that forgot password links are. The key difference is that the token expires on its own.

Johngibb14y ago

wouldn't oauth (by gmail perhaps?) be a better solution to this?

CushmanOP14y ago

It is oauth for all intents and purposes— a third party (your email server) authenticates you as the owner of the email address and passes you a secure token.

It's worse in some ways (control, usability, security) and better in others (simpler technologically, everyone has it).

j / k navigate · click thread line to collapse