DEV Community

Discussion on: Password-less auth in Rails

Collapse
phawk profile image
Pete Hawkins Author

I hope this proves useful to anyone thinking of password-less authentication. If it gets much attention I might consider wrapping it up in a gem to make the install process even easier.

I would love to discuss all aspects of this further, so if you have any UX, security or general thoughts please ask me anything!

Collapse
spgregory profile image
Shane Gregory

Wouldn't emailing a link with a JWT token encoded with a private certificate be more secure?

Collapse
phawk profile image
Pete Hawkins Author

That’s interesting Shane, I would say if you also ensured there was a unique salt stored in the browser session, then yes. Although this poses a UX concern, what if the end user requests the magic link on their desktop, but opens the email and taps 'login' on their phone? Then this approach doesn’t work, or you need to get rid of the salt, which IMO adds another layer of security, ensuring you can only login from the browser that requested the login.

The only thing you are getting from the JWT approach is a longer token. Both approaches assume email is a secure protocol, but then so does every app that implements password resets.

I don’t think either approach is necessarily bad or weak, but would like to be challenged on that!