
> Email + magic link is a pattern I keep seeing that's far more secure in practice.

I absolutely despise this. Every time I want to quickly log into an app and check something, just to sit in front of my synchronising mail client, wondering if the email will arrive, be caught by the spam filter, or just have a random delay of a few minutes. Awful.



If the authentication session is long-lived then this is usually not too onerous; one round trip the first time you use it.

It’s a nightmare if they also insist on short-lived sessions.


I hate it too. I always prefer TOTP. I never said this isn't shitty. Just that for normal users, it's more secure than passwords.


I first saw this with Anthropic. I clear my browser pretty regularly and this flow just adds so much friction. With a password manager plus TOTP I never really felt burdened by logging in every time I used a service. I hope this doesn't catch on.



