Very cool. The magic link/email address as a ready-made authentication platform feels very comfortable from a usability perspective. I’m curious if the venerable crowd here at HN has experienced any downsides to this approach. Are we (over)extending a notoriously easy-to-pwn target in email by using this approach? Or is it just considered the same level of security as, say, a normal user/pass setup? I know Zeit uses it for their system and that’s a gateway to applications/websites/microservices/etc. I have to say that I like using it because it’s so easy, but I’m not sure what the implications could be in aggregate.
Edit: changed a word for clarity.
I never want my social media connected to other sites, and I never use the same email address for different sites.
How would this ever work for me?
This is basically the same as (but quite a bit more powerful than) the auth system that The Magazine used back then (enter mail address, get a link, click and have cookies set). I loved that and wish more sites would do something like that.
And from the viewpoint of a site owner it's even better: you don't handle passwords anymore. Passwords that many users share among several sites. So you won't be responsible for really, really keeping them secure. Because you don't have them.
Additionally, mail providers and browser vendors have much more security knowledge than pretty much everyone offering a web service.
I am not sure I understand how it works from a user's perspective? I log in (using only an email), receive an email with a 'magic link' and this directs me to my authenticated account?
If that is so for the user, how does it work for the site owner? Cierge calls my site and requests a login from a given email, then the site backend conjures a URL which Cierge will use to create the magic link sent back to the user?
It would be very helpful for understanding this if they explained the workflow for users and site owners.
If anyone can help me understand this and how it's better than OAuth (logging in with FB, Google...) I would be grateful.
Services which use this kind of login do not work for me.
First: email is not a reliable way of communication. Emails can be delayed. That means a service using this method has lost me before I even had a chance to look into the details of the service.
Second: my email is deliberately delayed for services who contact me first. It is called greylisting and still to this day it works great as a spam protection without consulting and relying on some (dubious) blacklist providers. That comes back to the first point. A service using this kind of on-boarding has lost me before I even had a chance to look at it.
I always wanted to do this. Glad someone did!
Cierge means a votive candle in French.
Also, using dotnet for things that are supposed to run on a server still makes me uncomfortable.
But I will try and I hope to change my opinion on projects like that.
> Cierge uses magic links/codes and external logins to authenticate your users.
Could someone explain how the "magic links/codes" work?
The idea is fantastic; it is not quite new, but still great. However, the implementation is very flawed. One site is where I am logging in, another is where I am entering the code, and the email with the code arrives from a third site. It is just bad to do it like this.
What I would suggest: rewrite and organize everything and come back. Otherwise solid idea.
This seems less secure.
This reminds me of Slack. The point of a password AND an email is that it will essentially make it “two factor”. With email only you are no longer two factor.
Once your email is hacked, you will be globally owned. No password required - they just need to send a simple phishing site to collect your email password.
You’ll also need to log on to your email to access whatever site, which means whatever keylogger is installed on whatever computer you use in some public place will also be a threat.
Hope this helps.