Ask HN: Magic links are bad UX and make people's lives worse. Change my mind

  • Thanks for the comments. This is a strange feeling. I rarely feel so at odds with the general opinion.

    My experience is, passwords are a 1 second affair: open website, tap credential highlighted by password manager, trigger face/touch id or whatever exists on android/windows, done.

    Email experience: open website, click login, get some link, go to another app, wait for it to pull emails, look for email, open email, click link, opens in browser, maybe not the same browser where you opened the app, so go back and copy link, realize copying links from email buttons is not easy on mobile, finally login.

If this is where you guys want this to go, it sucks. How can we improve it? Maybe we need to implement some way to do what Apple does when you get a 2FA code via SMS? It just shows it to you in app instead of having you open the Messages app?

  • Magic links take the 'I forgot my password' workflow, and:

    1. Stop labelling it with a confession.

    2. Stop forcing the user to reset their password when they demonstrably don't have their password manager ready to store it. [Whether that be 1Password, or just autofill in google chrome]

    As the only auth method, it isn’t great. As an option? I wish it were universal. Anything other than those or passkeys creates more issues in your mum's case. And passkeys are new.

    (That said – If we’re distinguishing between magic links and email OTPs, there’s really no good reason not to have both in the same email, and the latter is better for the public library use case.)

  • Someone posted about this the other day and pointed out an even more annoying problem than the ones you list:

    It forces you to look at all your unread emails - and you invariably get distracted by some OTHER email that seems important, when you were trying to log into a website to achieve some totally different important thing.

I think it's more than convenient to click on a link and be logged in. No account creation, no risk of leaking hashes/pwds/info. I don't have to remember what password is used where (minimizing the risk of one big password for all sites), no monolithic mammoth-authentication-systems with a single/multiple point-of-failure, no auth-gate-keepers.

The problems with passwords you mention are valid. But the same situation will happen for authentication - your mom can't remember her email account's pwd, but then you want her to remember Facebook, Google and all the other services' pwds?? Just think about what the difference is between "remember email pwd" and "remember 1Password pwd"?? Absolutely no difference.

    So, while I understand your points, I'm thinking, magic links are the easiest and failure proof and user friendly way, to verify the user.

Another point is: Onboarding is very fast. The new user doesn't even need to bother with input of pwds, verification, etc ...

    for me:

    please no account creation in the old style. Give me magic links. Implement a 2nd factor to check, if necessary - but just let them passwords dieeeeee

  • > Maybe it's my mother, and she now has to go find where she wrote down her email password because she still can't figure out that 1Password thing I setup for her. Also, she does not have 1Password on this computer (maybe it's a public library).

    This is exactly the reason people use magic links - passwords are painful.

    I generally don't mind having one or the other, so either password or magic link. What I can't stand is having both in the same login flow:

    - Enter your email

    - Get sent a magic link

    - Open magic link

    - Continue and enter your password

    - Enter your 2FA as well

    - Smash computer

  • Microsoft needs to be investigated for aiding and abetting the defrauding of the elderly and the feeble minded by leaving password management to third party hacks instead of creating an integrated always-available solution like Apple’s keychain.

  • I agree that it is bad UX. Other methods of authentication such as TOTP and SMS are not really very good either, I think.

    X.509 client certificates would be better (especially since the connection already uses TLS, and yet they do not take full advantage of it and instead require TLS for things that do not need it). It doesn't require email, doesn't require cookies, doesn't require JavaScripts, doesn't require a web browser, doesn't require Unicode (although it can be used if wanted and commonly is), protects against MITM, allows single-sign-on (even without an authentication server, or if the server is down), and the private key can be passworded (without the server needing to know your password; this is handled entirely on the client side). Furthermore, you can store whatever data you want to in the certificate.

  • How about when the email client pops up its own browser, intercepting the link, so that when you open it in the system browser, the link is burnt and you have to do it again?

    Or when the email service is overloaded and the magic link takes more than 30 minutes to arrive and by the time you open it, it has expired?

  • It's the worst login system, especially when passkeys are easily available now.

What is driving me nuts is websites that send the email/SMS first without asking, only for me to log in with my saved password anyway (PayPal, DoorDash). Now I have to click 2 extra buttons to log in and another 2 buttons to delete the stupid email, every single time I use PayPal now. Joy.

  • My take,

    Low security should use passwords. None of that fancy &@73gdb-Whb stuff. Just a regular word. Suitable for Netflix and meditation apps that want a basic login to prove that you paid.

    Medium security should use magic links and a simple password that you don't need to write. If you lose your email, the password prevents hackers from taking over your app. If you lose your password, hackers can't take over your device. Suited for something like social media or MMOs, which are targeted very often.

    High security might need proper 2FA with auth app, password rotation, stuff like that. Probably shouldn't be necessary unless there's constant active attempts to hack. Everyone gets attacked, especially in the era of AI, but I'm saying at least 10 attacks a day.

    You can also layer on extra levels of security, but IMO that's about the level you should expect from users.

  • How do you feel about one time login code sent via email?

    Does not get prefetched, does not require a click (if at the library, you can check your email on mobile and simply type the number), no need to remember anything, does not get marked as a malicious link by anti-fraud software.
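The two complaints a few comments up (a mail client prefetching the link and burning it, and a link arriving after it has expired) and the one-time-code alternative proposed here share one back end: a challenge that is issued once, stored only as hashes, expires, and is consumed on first use. The example below is added here and is not code from anyone in the thread; it is an in-memory Python store that issues a magic-link token and a typeable six-digit code for the same login attempt (both can go in the same email, as another commenter suggests). The TTLs, the attempt limit and the `EmailLoginStore` API are assumptions chosen for illustration.

```python
"""Email login challenge: single-use magic link plus a typeable one-time code.

Added example, not from any commenter. The challenge id is assumed to ride in a
cookie on the device that started the login, so a code typed there is bound to
that device; the link carries both the id and the token in its URL.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

LINK_TTL_SECONDS = 15 * 60   # assumed policy values, not taken from the thread
CODE_TTL_SECONDS = 10 * 60
MAX_CODE_ATTEMPTS = 5        # 5 guesses at a 6-digit code: ~5e-6 success chance


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class Challenge:
    email: str
    link_token_hash: str     # only hashes are stored: a DB leak yields no usable token
    code_hash: str
    issued_at: float
    consumed: bool = False
    code_attempts: int = 0


class EmailLoginStore:
    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable so expiry is testable
        self._challenges: dict[str, Challenge] = {}

    def issue(self, email: str) -> tuple[str, str, str]:
        """Create one pending challenge. Returns (id, link_token, code); the caller
        puts the link and the code into the email and keeps the id in a cookie."""
        challenge_id = secrets.token_urlsafe(16)
        link_token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[challenge_id] = Challenge(
            email=email,
            link_token_hash=_sha256(link_token),
            code_hash=_sha256(code),
            issued_at=self._clock(),
        )
        return challenge_id, link_token, code

    def _live(self, challenge_id: str, ttl: int):
        """Return (challenge, "") if it is usable, else (None, reason)."""
        ch = self._challenges.get(challenge_id)
        if ch is None:
            return None, "unknown"
        if ch.consumed:
            return None, "already_used"
        if self._clock() - ch.issued_at > ttl:
            del self._challenges[challenge_id]   # expired: drop it entirely
            return None, "expired"
        return ch, ""

    def redeem_link(self, challenge_id: str, link_token: str) -> tuple[bool, str]:
        """Link path: first valid redemption wins; a prefetching mail client that
        follows the URL consumes it exactly like a real user would."""
        ch, err = self._live(challenge_id, LINK_TTL_SECONDS)
        if ch is None:
            return False, err
        if not hmac.compare_digest(ch.link_token_hash, _sha256(link_token)):
            return False, "invalid"
        ch.consumed = True   # also burns the code: one login per challenge
        return True, ch.email

    def redeem_code(self, challenge_id: str, code: str) -> tuple[bool, str]:
        """Code path: nothing to prefetch, typed on the device that holds the id,
        with a hard attempt cap so the short code cannot be guessed online."""
        ch, err = self._live(challenge_id, CODE_TTL_SECONDS)
        if ch is None:
            return False, err
        if ch.code_attempts >= MAX_CODE_ATTEMPTS:
            return False, "locked"
        ch.code_attempts += 1
        if not hmac.compare_digest(ch.code_hash, _sha256(code.strip())):
            return False, "invalid"
        ch.consumed = True
        return True, ch.email
```

The link path deliberately consumes on the first GET, which is exactly the behaviour the prefetch complaint describes; the code path sidesteps it because there is no URL for a client to follow, and binding the challenge id to the originating device means a code read on a phone can be typed into the library PC that asked for it. Whichever path succeeds marks the whole challenge consumed, so the other credential in the same email cannot be replayed later.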

  • - Great way to confirm if email address is valid

    - People tend to use bad passwords

    - People tend to forget passwords (you need to write whole password recovery, etc)

    - You always have your smartphone with email close to you

    - It's way easier than 2FA with Authenticator and cheaper than SMS

    - You limit password sharing for your service

  • Personally I'm frustrated how most companies followed the lead of the likes of Google, and effectively tied security of your account on their website to that of your email.

    If you control the email address signed up with, you have "god" access to the account (can perform password resets, etc). They essentially outsourced security to your email provider.

    But some of us would prefer to keep more separation between their email accounts and other services. Eg. If my email's hacked, I don't want that to pwn my other stuff.

    2FA helps but often there are ways around it if you control the email account.

  • I agree. It takes the user out of their intended action (using your product) and puts them somewhere distracting (their email).

    I've also seen it confuse users who aren't used to it.

    It's great from a tech/security perspective but I wouldn't put it into my own product for those reasons. I definitely would not make it the only login mechanism.

  • This happens when customer support spends too much time on password resets. As soon as someone in CS says "we need to hire another person, too many password resets" you get magic links. Bad number go down, good number go up.

    It's really easy for us nerds to write off how confusing, cumbersome, and frustrating passwords are for most people.

  • I absolutely love magic links. But I also love email, as a technology. I find it so reliable and robust, I genuinely think more things should be built on email.

    As with all things, you need to know your audience. If you are making a product for people over 60, probably a simple username/password would work best.

It's simply not secure. Whoever controls my email now controls everything.

    So I avoid any service where this is an option.

MFA generally sucks for user experience. I took some convincing, but Passkey seems to be the best compromise.

  • I think they’re better for most users without a password manager. I don’t see how your mother example would have a better experience with another password to remember.

  • Bad implementations of username/password degrade to magic links.

  • You're not, foreshadowing my Claude subscription with email only login... I want a password everyday.

  • not wanting to use google (or any third party) is a reasonable reason for me

  • It helps put bots at bay.

  • Magic links and 2FA are terrible. "muh security" bah. I have Bitwarden, let me 1 click paste in my behemoth login and password. I don't want to 2FA either. Your crusty saas does not warrant 2FA!!!
