dennisreimann

dennisreimann

Passwordless Authentication in Phoenix

I wrote a guide for implementing Passwordless Authentication a.k.a. “Magic Login Links”:

Feedback welcome!

Most Liked

Qqwy

Qqwy

TypeCheck Core Team

I would like to remind you all that email is an unsafe medium. You’re not sending electronic letters, you’re sending electronic postcards.
When you send a ‘forgot password’ email, it can normally only be used to reset a password once. On top of that, the better services also time these links out after a few hours.

With magic links, people will get grumpy if you time their old link out, so all old links should continue working for a very long time.

But in both cases, I have the feeling that too much trust is put in the medium that is email. But solving this problem is a bit a chicken-and-egg problem, as techniques like PGP are somewhat of a hassle to set up and need a password themselves.

dennisreimann

dennisreimann

fyi I updated the article incorporating your idea and mentioning this thread – thanks again! :slight_smile:

bobbypriambodo

bobbypriambodo

Nice post!

A feedback (or more like a question): from a security point of view, would it be better not to let the user know whether or not the email is found on the DB? Just notify the user as if the email were successfully sent, but silently swallow the error on the server-side (you don’t actually send the email). That way any potential attacker wouldn’t be able to guess who’s registered on your system.

UX-wise it would pose a problem if the user mistype their email, but that can be circumvented by just printing back the email to the client (“We have sent a magic login link to foo@bar.com. See you soon!”).

But of course implementing it this way doesn’t mean you can left out the maximum number of tries validation (and possibly captchas) for preventing brute-force attacks and using your system as spam mail generator :slight_smile:

RisingFromAshes

RisingFromAshes

Thanks for the tutorial, I’m still trying to work out whether I want to use this in my app, for the following reasons:

  1. Is it easier for most people to check email to sign-in each time (or am I missing something)?

  2. Is it significantly more secure - to save user profiles etc, a user account still needs to be created and checked against for creating sessions between logins, which will always have some login info stored eg email address if not password?

  3. Is there a better way - eg as much as a developer may prefer not to use it, is signing in via Facebook etc the more practical version of passwordless authentication?

Perhaps, giving the user a choice to do one or the other or both would be best - log in by email link or password, whichever is most convenient at the time?

dennisreimann

dennisreimann

I think we might leave the actual intent of the article/guide: Of course there are considerations, trade-offs etc. involved, as its the case with any kind of authentication.

My goal was neither to propose passwordless authentication as the one-size fits all or best solution nor to give an overview of all available options and compare them. The guide is for people who decided that passwordless auth is a good fit for their case or that are considering it and would like to see what a potential implementation might look like. I hope it helps these people to decide whether or not it might be a good solution – maybe also as a supplement to other kinds of authentication.

There are lots of good resources out there for comparing the available options and a few of them are linked in the article. :slight_smile:

Where Next?

Popular in Guides/Tuts Top

tfwright
I thought I’d share a small project I’m working on to gain some familiarty with LiveView in a Phoenix app. Github Repo Deployment It’s...
New
Logan
Here is an example of a Mix application that utilizes Cowboy to handle websocket connections. If anyone has an idea about making this wor...
New
sergio
I couldn’t find any guides that worked well with Phoenix 1.6.0 and esbuild. I hope this helps people test the waters and eases you into t...
New
WolfDan
So my main OS is Windows, I do must of my work with it, Elixir and vscode elixirls works just fine when you’re working only with elixir, ...
New
dkuku
I Created a blog post about setting up svelte with phoenix. I found it a bit tricky and the only blog post I found was written using som...
New
TwistingTwists
This is a thread to note down things/best practices encountered in LiveBeats App as I explore the source code. Found this usage of r...
New
wfgilman
I'm writing up this quick "How to" because what I thought was going to be an easy implementation of a Plug to validate a webhook request ...
New
lukertty
Install web-mode and mmm-mode first and put this in your config file: (require 'mmm-mode) (require 'web-mode) (setq mmm-global-mode 'may...
New
thetechnologyvault
One of our team members just published this getting started guide for Elixir/Phoenix devs to use the Nanobox platform: https://content.n...
New
slouchpie
Warmest greetings, comrades. I recently started using :dns_cluster (GitHub - phoenixframework/dns_cluster: Simple DNS clustering for dis...
New

Other popular topics Top

senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New
KronicDeth
Elixir plugin for JetBrain’s IntelliJ Platform (including Rubymine) This is a plugin that adds support for Elixir to JetBrains IntelliJ...
289 35421 110
New
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers' Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New

We're in Beta

About us Mission Statement