Discussion on: Implementing Passwordless Authentication in Node.JS

DarkWiiPlayer • Edited
  • A user submits their email address or phone number in the web app.
  • They are sent a magic link to log in with.
  • The user clicks the magic link and they are redirected to the app, already logged in.

Sounds good on paper, but gets infuriatingly impractical very quickly:

  • I want to log in at some random computer
  • I enter my email
  • I get an email on my phone
  • I click the link
  • I am now logged in on my phone
  • I sigh

Now I have to enter a password anyway, and deal with whatever added security my email account has. What's worse, I now have to input my email password on some random computer (compromised until proven otherwise), instead of a password for some random application I don't even care about. This isn't an improvement in any way.

A better workflow would be:

  • A user submits their email address or phone number
  • They are sent a magic link
  • When they open said link, on any device, their login clears on whatever device they initiated it

Sean

I agree.

Shaiju T
  • I want to log in at some random computer
  • I enter my email
  • I get an email on my phone - Why not open your email on the random computer instead?

DarkWiiPlayer

I just don't open my email on some random computer. That's the whole point: if the default is having to type in the password for some service on some random computer, suddenly having to instead type in the password to my main email account is not an improvement; it's a reason to stop using that application and look for alternatives.

Laurence Ivan Sy

I agree that this is a better workflow.

Derek Oware • Edited

I realised this the first time I did this myself, so I send both the magic link and an OTP, so the user can enter the PIN code if he/she is in such a situation.
OR
The link can just verify the login attempt. After the attempt has been verified, you log the user in on the device he/she initiated the login attempt from. You can use sockets to make this happen.

Brian Barbour

How do you go about implementing that last part? Where clicking the magic link on one device logs you in on another?

DarkWiiPlayer

Not without some degree of back-end persistence, which I assume is the main reason it's not what the article does. You'd need to create some sort of short-lived state in the back-end that gets cleared by opening a link in the email. The login window could then just do polling, or use some more sophisticated method for waiting for the server to grant it access.
