DEV Community

Discussion on: Implementing Passwordless Authentication in Node.JS

Aubrey

The described solution actually introduces attack vectors; what if someone (else) has access to email / phone? They will be able to log in.

Someone said "There is a barrier to access a mailbox."... there is not! If I already have your mailbox then I can get the app "access" if an email is sent for the access... This is a main reason for 2FA and such. (The same goes for phone number.)

The only real solution for passwordless (sic) authentication is either an app or a (USB) key. See for example the Auth0 implementation for details (or the MS Authenticator).

The idea of implementing your own authentication layer is outdated anyway.
Why? You do not want a crappy/outdated implementation, that you need to keep updated and secure, to expose your credential data.

ajv

Whilst the idea of implementing your own authentication may seem outdated to you, it's:
1) always good to understand how the services/libraries you use work behind the scenes
2) important to understand that often you'll require custom solutions, and services like Auth0 are very rigid in certain regards