Comment by kevincox

Comment by kevincox 6 months ago

9 replies

View on Hacker News

I despise this. With username and password my password manager just fills it in and it is one click to click "login".

With email magic link I need to enter my email (it seems to rarely auto-fill for some reason), then wait (often it takes 10s for the email to be sent for some reason), then if I was logging in on something that isn't my default browser I need to copy+paste the link (often just clicking the link authorizes the source session but not always and you don't know what this site does so you need to do it to be safe). Now you are finally logged in but probably have two tabs open. Either you need to find the first one to continue your session (if it logged that one in) or close it and lose your history for that tab (and hope that the website actually maintained your target page which more often than not it didn't).

ddejohn 6 months ago

Nothing tempts me so strongly to give up and leave a site than needing to use a magic link to get in.

Sometimes it takes minutes. I have, on more than one occasion, given up on buying a product because of this. It's actually insane to me how much effort sites put into preventing users from using them.

I get it, most people are idiots with completely non-existent security hygiene, but man does it suck being punished because of just how low the common denominator is here.

Reply View 0 replies
radicality 6 months ago

And on top of that, the session is probably gonna expire in less than day. I hate logging in to Anthropic because of this signin-email dance

Reply View 0 replies
TylerE 6 months ago

My point is that on sites that force email 2FA you have to do the email dance anyway. A username and password are basically theater.

Reply View 1 reply
  • kevincox 6 months ago

    That's true. Although pasting the code into the existing browser tab is a bit smoother in my workflow. And at least the form autofills properly when they ask for email and password.

    I'd much prefer if they could just trust my password. But I know the unfortunate truth is that the majory of people just reuse a password across most sites. So these measures are intended to raise the baseline difficulty, not to improve the security of those with good habits.

    Reply View 0 replies
frankish 6 months ago

My preferred workflow as well, but now many websites are starting to do this thing where you have to enter only your username, hit next, and then the password input shows up; however, the username only input breaks my password manager from trying to autofill! Argh

Reply View 4 replies
  • radicality 6 months ago

    HomeDepot’s is even crazier. You input just your email and hit Next. Then a button appears to “Send magic link” to login via that annoying method. And then there is a tiny text below: “Want to use a different login method? Wait 10s…9s…8s…”. Only after 10s are you able to select a tiny text link “Use Password” to unlock using the password field

    Reply View 2 replies
    • jesseendahl 6 months ago

      FYI Home Depot supports passkeys which are a significantly better* sign-in user experience than magic links.

      *faster + easier (fewer steps)

      Reply View 1 reply
      • radicality 6 months ago

        Oh nice, thanks, just set this up! Though seems like I needed to do enable it separately for the web version and iOS app.

        Reply View 0 replies
  • tpxl 6 months ago

    Google has been doing this for years, if not over a decade at this point. Password managers have gotten wise about it though, so for some websites it actually works.

    Reply View 0 replies