This has been suggested before, and the same problems are never answered:
Email is not guaranteed to be secure in transit. This type of authentication system gaining popularity would greatly increase the incentive for in-transit email scanning.
A mailbox is not a password store, and with several "new" mail clients operating with their own server-side component between you and your real mail server, this type of authentication becomes a waiting game of the first major breach.
A good password manager will suggest strong random passwords, store them securely and conveniently, and if you choose, sync them to your other devices.
This problem is solved, it's just a shame some people insist on repeatedly yelling about how a less reliable, less secure solution is better.
Very valid points, some of them are already addressed in the post.
Password managers do solve A problem, but I'm not sure they solve THE problem. They're great when you have a browser extension, but leaving the app, entering another app, and then copying and pasting on mobile is difficult.
There's also a trust issue with giving all your credentials to one app.
The biggest problem that password managers haven't solved yet, is adoption.
LastPass has 4 Million chrome installs. It has 1-5M android downloads.
That's still a drop in the ocean compared to how many users are out there.
> They're great when you have a browser extension, but leaving the app, entering another app, and then copying and pasting on mobile is difficult.
Agreed, but again - the answer here is not some elusive "login via email link" - how do you even do that in a native app?
As with the password manager situation, I believe Apple's approach is right in this space too - auth form fields in native apps on iOS can hook into the saved passwords system (aka Keychain). I have yet to see it used in a real app, but I don't use that many apps either, so it's possible support is wide-spread.
> The biggest problem that password managers haven't solved yet, is adoption.
Windows has a built-in password manager. OS X/iOS has a built-in password manager. Even if you discount those who don't use the built-in solution, that is surely tens if not hundreds of millions.
I have no idea how good the Microsoft solution is - but Apple's is good enough that I wonder why people think good, secure password management is some mythical beast that will never be realised.
I haven't spent much time reading it, but I guess it works with deep-linking - the mechanism used when you click on a link to Facebook.com and it takes you to the Facebook app instead of the Facebook webpage.
https://developer.apple.com/library/ios/documentation/Genera...
That only works for first-party website/app combinations. E.g. if HN implemented "email auth links", there would be no way for any third-party HN reading apps to authenticate a user.
Interesting use case. I'm really enjoying this discussion.
I'm guessing this could be solved if 3rd Party apps register to handle "news.ycombinator.com" links. I don't think there's any enforcement by apple or google that you actually own the domain.
There specifically is enforcement by Apple with the new Universal Links feature (which that auth0 article talks about).
Without the enforcement, it's arguably not secure unless the user is prompted "do you want to open this link in Xyz.app"
With the enforcement (you have to upload a special file to web server(s) for the domain(s) you want to "claim" for your app) third parties cannot have the same level of integration (which is not limited to just auth - I'd love Twitter links to open in my native, non-official client).
Honestly I think the "solution" already exists and just needs polish:
- Better password managers built in to browsers/OSes
- MUCH better handling of private keys and client certs on user devices (add client cert syncing via iCloud Keychain for example)
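As an added illustration of the domain-claim enforcement discussed above (this is not code from the thread, and not Apple's implementation), here is a simplified Python model of how the hosted apple-app-site-association file decides which app IDs may handle a domain's links. The team ID, bundle IDs and paths are constructed placeholders, and path matching is approximated with shell-style globbing.

```python
import fnmatch
import json

# Constructed sample of the association file a site owner hosts over HTTPS
# at /.well-known/apple-app-site-association. "TEAMID0000" is a placeholder
# team ID; only apps signed by that team with that bundle ID are listed.
SAMPLE_AASA = json.dumps({
    "applinks": {
        "apps": [],
        "details": [
            {
                "appID": "TEAMID0000.com.example.news",
                # "NOT " entries exclude paths; entries are tested in order.
                "paths": ["NOT /admin/*", "/login/*", "/item/*"],
            }
        ],
    }
})


def app_may_handle(aasa_json: str, app_id: str, path: str) -> bool:
    """Return True if app_id is listed for this domain and the path matches.

    Simplified model of the check: an app that does not appear in the file
    is never eligible (this is why a third-party client cannot claim the
    site's links); for a listed app, the first matching path entry decides,
    with "NOT " entries rejecting the path.
    """
    doc = json.loads(aasa_json)
    for entry in doc.get("applinks", {}).get("details", []):
        # Newer files may list several IDs under "appIDs"; older ones use "appID".
        ids = entry.get("appIDs") or [entry.get("appID")]
        if app_id not in ids:
            continue
        for pattern in entry.get("paths", []):
            negate = pattern.startswith("NOT ")
            pat = pattern[4:] if negate else pattern
            if fnmatch.fnmatchcase(path, pat):
                return not negate
    return False
```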