New top story on Hacker News: Ask HN: Security of Passwordless Login?
8 by pw | 0 comments on Hackshub
Hi, all. I noticed Tumblr (for me, at least) started offering passwordless login à la Medium (i.e. they'll send me a "magic link" that logs me in). I was wondering: how secure is this sort of passwordless login? I think I've got a good understanding of how the magic links work (single-use, time-limited tokens, etc.) and that seems secure, but I'm wondering if you can rely on only the actual user receiving the email with the magic link. I hear a lot about how DNS is fundamentally insecure, and I suppose by inserting altered MX records an attacker could start receiving a domain's emails, but I'm not clear on exactly how such attacks work or how feasible they are. Also, would this be any less secure than the standard password reset function that also assumes only the actual user receives the reset email? Can any of HN's security experts enlighten me? Thanks!