
Slack does this exceptionally well. If you forget which accounts you have, you can put in an email address and it will email you a list of your Slack accounts. If you forget your password, you can get a magic link that automatically signs in through a deep link into the app, no password needed.


It's such a cool idea. If you can reset your password using only your email, there's no security reason you can't just log in with it. It might even be better, since you can then add more annoying steps to the password reset strategy.


But Slack then must rely on the security of your email. If the site is dealing with sensitive information like credit cards, this could be a no-go.


Any site that has an "enter your email for a reset link" feature relies on your email security.


Almost every website in existence, except the most security-sensitive like bank websites, will allow you to reset your password with email.


What email-based login that doesn't use 2FA doesn't ultimately rely on the security of your email?



