Can I take a moment to complain about Anthropic's insistence on using a magic email link for login in the year 2026? It's so unnecessary. Please, Anthropic team. Just allow us to use username/password/2FA.
Oh yes, upvoting, my top annoyance with Anthropic too, email links are a bit ridiculous as a login mechanism.
Anytime I have to login again, it's the ridiculous dance of figuring out what surface I'm logging into and how to get the magic link to open there, and not mistakenly somewhere else. Never a problem with OpenAI - input password and 2FA - done, logged in.
I'm not a fan. But what Anthropic SHOULD have done is use plain ol' SSO. Google, GitHub, Microsoft, etc. logins with the option to do this magic link stuff. The third party auth providers would use passkeys at the user's discretion.
I store passkeys and TOTPs in 1Password. I know it means there's no hardware protection of the secure element, but in return they're trivially synced across my devices.
I feel this tradeoff is worth it to me; certainly it is no worse than email or SMS as the second factor.
On iOS and macOS 2FAs are auto-populated for you, and of course also your saved login and password. You don't need to leave the page and open other applications.
This is by far the most common sign-in UX. So is there some security benefit in the email link sign-in?
Auto-population of login credentials including 2FA is currently an attack vector.
"A critical security flaw has been uncovered in the autofill functionality of nearly every major password manager. This vulnerability allows threat actors to stealthily harvest user credentials and sensitive financial data from deceptive web forms without user interaction, turning a core convenience feature into a potent weapon for cybercrime."
The only way an account accessed by a magic link can be compromised is by an already compromised associated email. No password in clipboard, which is how some of us still do it, etc. The magic link makes everyone secure regardless of how they store their secrets.
And there's also no password stash if the server were to be hacked, which means no sending out "please update your password" emails and the like.
TOTP works just fine and you can save it in a password manager if you like. Email links don't allow me to use a keyboard shortcut to login, instead I have to open a new tab and click around for a magic code/url.
I'd like to think I am pretty security conscious, but I still don't get the obsession with magic links (and passkeys). This is the one thing where I think I disagree with most of the industry. I thought forgetting passwords was a solved problem. I thought 2FA is much faster than searching for the last email from X provider that maybe takes 1 minute to arrive, requires retries and might end up in spam? Someone please help me get on board.
It depends how convenient it is for you to constantly be carrying devices that have 2FA software or the correct SIM card installed. I might prefer to simply access my email account, which I know how to do anywhere.