
> If you don't require privileged elevation

What do you mean by privileged elevation (I'm talking in the context of a web app)?

> just using an email address and send "magic links" + persistent (but expiring) sessions

Do you mean something similar to what Medium does?

https://medium.com/the-story/signing-in-to-medium-by-email-a...

I like it too. But what about delays in receiving emails (when I suggested this approach to some customers, they were worried about that)?

> You can also use a delegated auth system

Yes, outsourcing the authentication is another solution, but some (most?) users are not comfortable with giving so much power to Google/Twitter/GitHub/etc. (as you wrote in your comment).



> What do you mean by privileged elevation (I'm talking in the context of a web app)?

For example, prior to changing account settings, reauthenticate the users, regardless of whether they have a valid session.

> I like it too. But what about delays in receiving emails (when I suggested this approach to some customers, they were worried about that)?

Combo of email & SMS.

As Bruce Schneier has written, security is usually a trade-off with user experience.


> For example, prior to changing account settings, reauthenticate the users, regardless of whether they have a valid session.

Why not reauthenticate by sending a one time password by email/SMS (instead of asking for a password)?

> Combo of email & SMS.

Good idea. I was also thinking of sending one time passwords through some chat applications like WhatsApp, but most of them have no API for such a thing (except Telegram).
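To make the scheme discussed above concrete (magic links with persistent but expiring sessions, step-up reauthentication before settings changes, and reauthenticating with a fresh one-time link instead of a password), here is an added illustration that is not code from anyone in this thread. It assumes an HMAC-signed, single-use token format and in-memory stores; `SECRET`, the TTL values and all function names are hypothetical choices for the example.

```python
import hashlib, hmac, secrets
SECRET = b"replace-with-a-server-side-secret"  # hypothetical; load from config
MAGIC_LINK_TTL = 15 * 60      # a link stays valid for 15 minutes
SESSION_TTL = 30 * 24 * 3600  # persistent but expiring session: 30 days
REAUTH_WINDOW = 10 * 60       # settings changes need an auth event within 10 min
_issued = {}    # token_id -> (email, expires_at); popped on use, so links are single-use
_sessions = {}  # session_id -> {"email", "expires_at", "last_auth_at"}

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_magic_link(email: str, now: float) -> str:  # token carried by the emailed/SMS'd link
    token_id = secrets.token_urlsafe(16)
    expires = int(now + MAGIC_LINK_TTL)
    _issued[token_id] = (email, expires)
    return f"{token_id}.{expires}." + _sign(f"{token_id}.{expires}")

def _verify_link(token: str, now: float):
    """Return the email a token proves, or None if forged, expired or already used."""
    parts = token.rsplit(".", 2)
    if len(parts) != 3:
        return None
    if not hmac.compare_digest(parts[2].encode(), _sign(f"{parts[0]}.{parts[1]}").encode()):
        return None
    record = _issued.pop(parts[0], None)  # pop: a second click finds nothing
    return record[0] if record is not None and now <= record[1] else None

def redeem_magic_link(token: str, now: float):  # sign-in: valid link -> long-lived session id
    email = _verify_link(token, now)
    if email is None:
        return None
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"email": email, "expires_at": now + SESSION_TTL, "last_auth_at": now}
    return sid

def _live_session(sid: str, now: float):
    s = _sessions.get(sid)
    return s if s is not None and now <= s["expires_at"] else None

def may_change_settings(sid: str, now: float) -> bool:
    """Step-up: a valid session is not enough, the last auth event must be recent."""
    s = _live_session(sid, now)
    return s is not None and now - s["last_auth_at"] <= REAUTH_WINDOW

def reauthenticate(sid: str, token: str, now: float) -> bool:  # fresh link/OTP instead of a password
    s = _live_session(sid, now)
    if s is None or _verify_link(token, now) != s["email"]:
        return False
    s["last_auth_at"] = now
    return True
```

The same `_verify_link` path serves both first sign-in and step-up, so a delayed email only costs the user a fresh link, never a password.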


> Combo of email & SMS

In France, where I have most of my customers, SMS is paid for by the sender, which makes it expensive.



