Daisy
I agree with you about magic links and it's something that has been brought up before by other users, among other security concerns. We'll see if they get addressed somewhere down the road.
QuestionAtl
Matt Cooper
lazy
@matt you’re still missing the point I was making. If someone gets into your email, they can just hit “send magic link” and log straight into the account. As long as they control your inbox, they’re in. No password, no extra step, nothing. That’s the security issue I’m talking about. And yes, email can have 2FA and other protections, but that’s not some magic shield. If the attacker gets past that, or if the user’s device is already compromised, the account is gone instantly. With a password + 2FA system, there are still multiple layers to break through. Magic links remove all of them. You also said a lot of services use magic links. Which ones? Genuinely asking. If you’re confident enough to state that without quoting ChatGPT, then you must have specific examples or some knowledge I’m missing—so I’d like to hear them.
Matt Cooper
From Chat GPT. Seems we're both right.

A magic-link system can be more secure than passwords in some ways, but it depends on how it’s implemented and what risks matter most to you. Here’s the simple breakdown:

Where magic links are stronger:
• They remove weak passwords. Most people reuse passwords or choose easy ones. Magic links avoid that problem completely.
• They stop credential-stuffing attacks, because there is no password for attackers to try.
• They depend on access to your email account, which often already has strong protections like two-factor authentication.

Where magic links are weaker:
• They rely entirely on the security of your email. If someone gets into your email, they get into everything that uses magic links.
• Email delivery can sometimes be intercepted on compromised devices or insecure networks, especially if a user’s device has malware.
• If the link stays valid for too long, or if someone else can access your email notifications, it can be misused.

Best overall security practice:
• A password system is strongest when it uses long unique passwords and two-factor authentication.
• A magic-link system is strongest when email accounts are well protected and links expire quickly.
• Some services combine both approaches or allow optional two-factor on top of magic links.

So neither is absolutely “more secure” in every situation. Magic links eliminate the biggest password weaknesses but shift all trust to your email security. If your email account is well protected, magic links can be very safe; if it isn’t, passwords with two-factor are usually better.
lazy
You’re missing what I’m actually saying. If the only thing protecting an account is whoever can open this email, then yeah—convenience goes up, but security goes down. There’s no second step, no password, no PIN, no device check. Just click and you have access to the account. Saying "well if someone has your email they could reset your password anyway" ignores the fact that resetting a password normally triggers extra verification steps on most platforms. Magic-link login removes all of that. It shifts the entire security model onto a single point of failure. I’m not saying magic links are unusable. I’m saying pretending they’re more secure is just wrong.
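Added example, not part of any post in this thread and not the service's own code: a minimal server-side sketch of the two hardening points raised above, links that expire quickly and a device check. The class name, the 10-minute lifetime and the cookie-nonce binding are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 600  # assumed lifetime; the thread only says links should "expire quickly"


class MagicLinkStore:
    """Hypothetical in-memory store; a real service would keep these rows in its database."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (email, expires_at, sha256(browser nonce))

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def issue(self, email, now=None):
        """Return (token, nonce): the token goes into the e-mailed link, the
        nonce is set as a cookie on the browser that requested the link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(16)
        # Only hashes are stored, so a leaked table cannot be replayed as links.
        self._pending[self._h(token)] = (email, now + TTL_SECONDS, self._h(nonce))
        return token, nonce

    def redeem(self, token, browser_nonce, now=None):
        """Return the e-mail address on success, None otherwise."""
        now = time.time() if now is None else now
        # pop() makes the link single-use: any attempt, good or bad, consumes it.
        row = self._pending.pop(self._h(token), None)
        if row is None:
            return None
        email, expires_at, nonce_hash = row
        if now > expires_at:
            return None  # link too old
        if not secrets.compare_digest(self._h(browser_nonce or ""), nonce_hash):
            return None  # link opened in a browser that did not request it
        return email
```

The browser binding only stops a link read out of the inbox from being redeemed elsewhere; someone who controls the inbox can still request a fresh link from their own browser, which is the single point of failure argued about in this thread.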
Matt Cooper
The App was developed way before the site. The site is still very new and unfinished. I know the plan is to develop the site further but the vast majority of users use the service via the App. As for magic link, a lot of services are switching to this form of security actually. Your email hack example isn't a good one because if they had access to your email, they can just change your password. If anything, this has one less vulnerability that could be exploited because there are no passwords to be stolen.
Bran
I don't second that. If you're going to make a website, it only makes sense that it should match. We shouldn't have to use the app if a site exists. Tease much? This post is honest and I approve. W
Calum
Dude, just download the app already. If you don’t have a much better experience, I give you permission to hunt me down and shoot me.