@eaplmx@twtxt.net CSS Battle has a passwordless login, I don’t know the implementation but it basically sends you an email where you click a link and you’re in.
@prologic@twtxt.net nice! I didn’t know about it, I’d probably use it on desktop.
I haven’t seen it though, from where is it accessible?
@prologic@twtxt.net I tried just now but I’m not receiving any email. 🤔 Does it take some time?
@justamoment@twtxt.net @prologic@twtxt.net hey, didn’t know that! As a fan of magic links, I like that it’s available, but “Login with your Email Address” doesn’t make it obvious you are going to receive a dynamic token to your email; in my mind it’s like “Instead of your Username and Pwd, use your Email and Pwd”.
I’d suggest something like “Send an access to your email”, “Send a Magic link”, etc.
@prologic@twtxt.net @justamoment@twtxt.net Same! It’s not arriving to my Proton.me/Protonmail inbox, nor Spam.
@justamoment@twtxt.net @prologic@twtxt.net sorry for the typos, stupid phone keyboard (and myself not paying attention, ha)
@prologic@twtxt.net likely the root cause 🙃
@prologic@twtxt.net Nice!
@prologic@twtxt.net I think the Warning is misleading then…
So it’s not disabled, but not setup correctly and for that reason doesn’t send mails?
@prologic@twtxt.net Sorry, saw this now.
Yes, it’s working for me too now.
@prologic@twtxt.net well, not 100% right but it’s a valid assumption.
If you are able to reset your password by email, it’s a pretty similar level of security to receiving an access token by email. Anyone with access to your mail could get access to your accounts.
Adding a second factor of authentication could help, or using something with public/private crypto would be better, like Client Certs, FIDO2 or even hipster things.
And also giving alerts that someone else is connected on your behalf is great (as is done for some banks or Google), but that’s a UX compromise between convenience and security.
@abucci@anthony.buc.ci Nice!
I didn’t know about https://indieauth.net which seems to be based on OAuth 2.0 (that I have used before), I’ll take a look!
@prologic@twtxt.net I’d like to have a 2FA alternative, at least TOTP (what Google Authenticator uses).
And if you have support for WebAuthn, even better.
Both are self-hostable.
@eaplmx@twtxt.net with WebAuthn we could even take it further and possibly have a userless login too.
@justamoment@twtxt.net sure! I’m working on a proof of concept (in PHP) if you want to take a look at how it works
@justamoment@twtxt.net that said, WebAuthn/FIDO 2/PassKeys are not that easy to implement but I think they have many improvements for the Authentication problem
FIDO 2 isn’t too difficult. Modern-ish browsers will support it natively now so the JS required is quite minimal.
You can take a look at the library I’m using, here:
https://eapl.mx/webauthn/_test/client.html
And the implementation there:
https://eapl.mx/twtxt/login.html
What’s missing in the examples is having an identity tied to your Auth device (Hardware token or OS service like Microsoft Hello, Apple Keychain, Android Fingerprint). The explanation is long, but the abstraction is there. Your identity and private certificates are held for you by some ‘magic’ device.
@xuu@txt.sour.is Well, it took me like 4 hours to set up, implement and test the PHP library, with all the setup combinations, devices and such.
So I’ll say that using a password with a simple function like https://www.php.net/manual/en/function.password-verify.php
is much easier than a whole library requiring communication between the server, the browser and the auth device… There is a security reason for that (mainly to avoid phishing, which is something I like compared to other solutions like SQRL)