←back to thread

Ask HN: Magic links are bad UX and make people's lives worse. Change my mind

51 points figassis | 1 comments | 14 Apr 25 12:32 UTC | HN request time: 0.747s | source

Click login, get sent an email link that you have to first wait to be delivered (sometimes takes a full minute, sometimes you have to resend the link).

Sometimes the link goes to spam, sometimes you have to search for it like a needle in a haystack of other notifications.

Sometimes you are not logged into your email on that device, or it's a small screen that makes it a pain.

Maybe it's my mother, and she now has to go find where she wrote down her email password because she still can't figure out that 1Password thing I setup for her. Also, she does not have 1Password on this computer (maybe it's a public library).

All this pain because a developer did not want to bother with authentication.

Many, many products are like this nowadays, but the worst offenders are developer tools and OSS projects, and looks like the justification is just that, they just wanted to scratch their itch of a specific feature, why bother with auth when there is google.

Am I crazy?

1. muzani ◴[15 Apr 25 07:15 UTC] No.43689887[source]
My take,

Low security should use passwords. None of that fancy &@73gdb-Whb stuff. Just a regular word. Suitable for Netflix and meditation apps that want a basic login to prove that you paid.

Medium security should use magic links and a simple password that you don't need to write. If you lose your email, the password prevents hackers from taking over your app. If you lose your password, hackers can't take over your device. Suited for something like social media or MMOs, which are targeted very often.

High security might need proper 2FA with auth app, password rotation, stuff like that. Probably shouldn't be necessary unless there's constant active attempts to hack. Everyone gets attacked, especially in the era of AI, but I'm saying at least 10 attacks a day.

You can also layer on extra levels of security, but IMO that's about the level you should expect from users.