Magic/tragic email links: don't make them the only option

https://recyclebin.zip/posts/annoyinglinks/
We've been using Magic Links for a few years (and yes, one reason was to avoid the security issue of storing user passwords when we were just at MVP stage) and found the top problems with it are:

1. Some users (0.1%) just don't ever get the email. We tried sending from our IP, sending from MailGun, sending from PostMark, having a multi-tier retry from different transactional tools. Still, some people just will not ever be able to log in.

2. People click old Magic Links and get frustrated when a 6-month-old link "doesn't work". We've decided to remedy that by showing them a page that re-sends the link and explains the situation (like Docusign does) instead of an error message.

3. People will routinely misspell their email and then blame the system when they don't get the code.

All of this still results, I feel, in way fewer support tickets than the email+password paradigm, so I'm still in favor of Magic links.
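An added example (not from the thread or the linked post) of the behaviour in point 2 above: a stale but authentic link leads to a re-send to the address bound to the token, while a forged link gets a generic error. The HMAC-signed token format, the 15-minute lifetime, the single-use set and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: loaded from a secret store in practice
TTL_SECONDS = 15 * 60             # assumed link lifetime
_used = set()                     # single-use tracking; a shared store in production

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload):
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def issue_token(email, now=None):
    """Return 'payload.signature'; the payload binds the address and issue time."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"email": email, "iat": int(now)}).encode())
    return payload + "." + _sign(payload)

def check_token(token, now=None):
    """Return (status, email); status is 'ok', 'expired', 'used' or 'invalid'."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        # Verify the signature before trusting anything inside the payload.
        if not hmac.compare_digest(sig, _sign(payload)):
            return "invalid", None
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        email, iat = claims["email"], claims["iat"]
    except (ValueError, KeyError, TypeError):
        return "invalid", None
    if now - iat > TTL_SECONDS:
        return "expired", email
    if token in _used:
        return "used", email
    _used.add(token)
    return "ok", email

def handle_click(token, send_link, now=None):
    """Map a clicked link to the page shown; send_link(email, token) mails a new one."""
    status, email = check_token(token, now)
    if status == "ok":
        return "session-created"
    if status in ("expired", "used"):
        # The fresh link goes to the address inside the signed token, so whoever
        # clicked the stale link gains nothing unless they control that mailbox.
        send_link(email, issue_token(email, now))
        return "resent-page"
    return "generic-error"  # forged or malformed: no email is sent
```

Rate-limit the re-send path per address, since every expired-but-authentic link triggers an outgoing email.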

It's indeed interesting the number of people misspelling their email address, or having an inbox so full that it cannot receive emails anymore.

I never tried to add magic links, but I added Google Sign in to my SaaS several months ago, and since then, it accounts for more than 90% of new sign-ups (users are devs, so rather tech savvy and privacy aware). I'm now convinced that no other method is a priority (I still have email/password of course).

Magic links can be very useful, but for some users the issue is in only supporting magic links.
Funny part is most of those apply to passwords too: using an old password and complaining it's not working, mistyping shit and complaining that it's the system, and requesting a password reset and not getting the mail LOL, so I only see upsides
... but the usability is a nightmare.
Email should not be considered a secure channel.

Username+password (or passkeys) with a password manager (which ensures that credentials are used on the correct domain) via HTTPS is probably the only end-to-end encrypted way of exchanging credentials with good UX for general public.

Also what's the reasoning behind not wanting to store passwords?

It's not like the rest of the customer's data is not valuable? If you don't feel comfortable storing passwords, the amount of data I'd trust you with is strictly zero.

I suspect a hidden "benefit" to the companies implementing this is that it makes it much harder to share your account. You are probably happy to share your Netflix password with your mom, but not your email password.

They can present it as a "more secure" login method, obscuring the reason they actually like it.

Yeah that would not surprise me, in general. I don't think that would be 404's goal, since they provide full-text RSS feeds I could share with a friend easily, but I could see that happening with other services.
> What makes them tragic:

> 1. Multiple devices. Who doesn’t use at least a few computers weekly? I don’t have my email on my gaming PC, nor do I have it on my work laptops.

"Who doesn’t use at least a few computers weekly?"

I don't. And many, many other people.

See what I did there? I assumed that everyone's like me, just like you did in your blog post. Without data, both of us are wrong.

----

I'd add that magic links also act as a distraction: you open your email client, and it by default opens your inbox, and you start going through all of those unread emails that you just found in your inbox...

Shopify is a big proponent of magic links because they went all-in on their new "Shop" customer accounts. What a disaster. Branding something with such a generic word as "shop" is terrible and the average customer doesn't understand that it's supposed to be a brand name.

Shop is the same as Shopify? Thank you (seriously) for pointing this out. I've been getting Shop emails and I had no idea.
> > "Who doesn’t use at least a few computers weekly?"

> I don't. And many, many other people.

When you consider that a smartphone is "another" computer (or for many users, the computer that is not the smartphone is the "other" computer), I imagine that number goes way up. Someone using a computer at work and a personal phone, for example.

I've not seen Shop but always liked the simple ShopPay UX.
I got one of these a couple days ago. I thought it was a well timed scam at first.