Add the lie "emails are delivered instantly, so the user can click a link I email them within 1 minute"
And the lie "users always read emails on the same device they're logging into a website with"
And the lie "users can always view HTML email so no need to send a plaintext equivalent, especially if I have a long complex URL I want them to click"
And the lie "Clickable links sent in email are more secure than passwords so I'll stop supporting passwords and instead rely on email delivery of a link for all logins. Whoever clicks that link first is definitely the user who wanted to log in"
If you have a password reset form, you probably already have a log-in with email with extra steps functionality.
Claude, for my non-Gmail domain, expects me to click a magic link on every device I wish to use it. It's wild that a product like that cannot take a password, or a passkey.
> And the lie "users always read emails on the same device they're logging into a website with"
Or the same browser, or the same browser-profile. For example, on my phone I have external links (from other apps) opening in incognito mode by default.
When I had ProtonMail, I often wouldn't get emails for hours, sometimes a day.
Most other providers I've used range from instant to a few minutes.
I don't think it's about security. It's about fobbing off password resets on somebody else.
> Clickable links sent in email are more secure than passwords so I'll stop supporting passwords and instead rely on email delivery of a link for all logins
God, I fucking hate that.
I have a fucking password manager, I have various machines and things open. Just let me fucking log in.
If anyone is reading this who is in charge of the internet please stop doing this.
If you try to create a Discord account with Firefox Klar as your default browser, on Android, immediately upon signing up you'll be banned. I have to assume this is because it clears cookies and thinks you're a bot farm.