DEV Community

Discussion on: Password-less auth in Rails

phawk profile image
Pete Hawkins Author

That’s interesting Shane, I would say if you also ensured there was a unique salt stored in the browser session, then yes. Although this poses a UX concern, what if the end user requests the magic link on their desktop, but opens the email and taps 'login' on their phone? Then this approach doesn’t work, or you need to get rid of the salt, which IMO adds another layer of security, ensuring you can only login from the browser that requested the login.

The only thing you are getting from the JWT approach is a longer token. Both approaches assume email is a secure protocol, but then so does every app that implements password resets.

I don’t think either approach is necessarily bad or weak, but would like to be challenged on that!