This increasingly popular pattern of “you don’t have a password, we’ll just email you a token each time you log in” is truly obnoxious for those of us who have a good password/security practice.
@sean I'm trying to get stuff done now. Not in 6 minutes when our mail servers have decided to be friends.
@preinheimer I’m digging through a giant pile of email from when I was out of the office, and you just made me look in a different place for your dumb token when I literally have a button in my browser that would have completed this seamlessly 6 minutes ago.

@sean New Account flow suggestion: Please enter your password.

Option 1. User enters a new character every few seconds, or it's a dog's name.

Hey, would you rather not have a password, we could just send you a link!

Option 2. 32 characters are pasted instantly.

Would you like to set up 2FA? We support all FIDO2, U2F, and OpenPHP keys.

@sean “hey we care so much about your security that every six months we’ll email you a best practices reminder”
@sean I just found a setting in Notion last week which actually lets me set a damned password! I've recently been passkeying all the things, mind you.
@anthony Thanks for this. I also just found this setting thanks to your prompt. (It was indeed Notion that was the catalyst to my comment, this morning.)
@sean Even more so if your email and website are not on the same device.
@sean worse yet are sites that accept passwords as input, but gaslight you and say that your password manager “forgot” your password, and then you have to “reset” your password every time, essentially having the same login flow that you described. I know at least one site that does this.
@sean @aalaap It is one thing if you only visit once or twice a year. But… 🤬