Login Security
Pescur said:

> I am sorry if I was not clear enough for you.
>
> So if you access this site you create a username and set a password, a normal feature of any website. As part of the account creation process they verify your email, so all good, and this site does not even need huge security because one imagines the only information people would want to keep secure is their email address.
>
> Now imagine you accessed, say, the home banking website of your bank, but they did not take your account number, or customer number or password and only asked for your email address. So you enter your email address and they send a link to your email. You click on that link and you have full access to your home banking.

For all of us, losing access to our main email account to a hacker would be devastating for ALL of our accounts, not just one that doesn't use a password for authentication.

Edit: Just noticed that this is what dan958 says above, sorry.

Retired at age 56 after having "light bulb moment" due to reading MSE and its forums. Have been converted to the "budget to zero" concept and use YNAB for all monthly budgeting and long term goals.
> yet email systems are the weakest systems.

Where have you got this from???

> Yahoo Oath is currently trying to settle a class action for billions of Yahoo accounts that were hacked and every online email provider has been hacked.

No they haven't. Why would you say that??

> Email is not a secure protocol, emails are transmitted un-encrypted for most people from server to client including web client, so the hyperlink they send can be intercepted.

That is complete nonsense I'm afraid. Where are you getting this stuff from??

> Email accounts are the easiest of systems to hack,

What???

> for example I know a law firm that was hacked and lost client money, it started with the solicitor using an insecure means to access his work email from home. The hacker was able to read the emails and find a client who had a relative recently die and the Solicitor was handling the will etc.
>
> The emails included all the details of the beneficiaries of the estate, the hacker then hacked into the email accounts of most of the beneficiaries and pretended to be them, sending messages to the Solicitor telling them to pay their inheritance into mule accounts, due to the incompetence of the solicitor they managed to get over £50,000.
>
> What this company seems to have done is to delegate their security to your email provider, despite not knowing who your provider is.
>
> They have taken away the part of access control that checks you know something that others do not know (a password), they have not added any other security, you literally enter your email address, await their email with the link, click on the link and you are in.
>
> It is a hacker's dream!

My comments are in bold - couldn't work out how to split the quote.

What you are describing does sound incredible, I wouldn't be using a system like that...

But... All the points you make about email systems are completely untrue I'm afraid. You need to do more research or get a better source of info.
Passwordless logins via email links can be just as inherently secure as the ubiquitous username/password for login, providing the implementation is done right and you observe strict email security and hygiene.

There is a passwordless system called Magic Links (SLACK uses it) that allows logins via email links if that link opens in the same browser as the initial login request was made. This gets around any perceived weakness that you think exists by intercepting your email and stealing the link.

As for email interception, that is far less likely these days anyway. If you choose the right email provider, your emails will certainly have Transport Layer Security to your email service provider and beyond. Hopefully, the service you log into also provides the same assurances for the emails it sends you. If so, you should only be concerned by nation-state adversaries hacking emails. Even then, no-one could log in as you as they would not be using your browser.

Yes, there is a possibility your email could get hacked and someone could log in as you, if they see a history of login links to the service and decide to request a link themselves. So, why not just delete those links immediately after use? Just because you may have several gigabytes of email storage, it does not mean you need to use it! Email hygiene is all part of security-in-depth!

You also suggest that the security of the site you want to log into is now governed by the email provider you use. Well, that is a good thing, is it not? You can choose to use an email provider that has two factor authentication (preferably with FIDO U2F as the second factor). That now gives you a two factor method of login to any site that employs login via email links, even though the site itself does not offer 2FA.

It would even be possible to achieve three factor login on newer Android devices that can be utilised as U2F keys (the third factor would be whatever biometric method you use to unlock your phone).

If you are using Gmail, I would suggest changing to something like Tutanota instead. You get 1GB of storage but due to their compression algorithm it equates to more storage than that. If you pay 12 Euros per year you can also use FIDO U2F keys as a second factor. If you are stuck with Gmail, switch over to ADVANCED PROTECTION in Gmail settings, delete unnecessary emails and any private info linked to your email account (such as your phone number). You will only be able to login if you use FIDO U2F keys as a second factor, and the only way to recover your Gmail account in the event of lost credentials is to prove your ID to Google.

There may be a couple of problems with logins via email links (though the same could be said for password resets in traditional username/password systems). One is phishing attacks, so be very careful about clicking on links. The second problem is email address re-use on abandoned email accounts, either because your free email service re-uses abandoned email addresses or because you have your own domain email account. When you stop paying for that domain, the whole domain is up for re-use (often overlooked by many). If you are going to stop using an email account, keep it going for a couple of years and disassociate any accounts linked to it during that two year period.

STAY SAFE!
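The browser-binding behaviour described in the post above (a magic link that only works in the browser that requested it) is easy to get subtly wrong, so here is a minimal server-side model of it. This is an added example written for this page, not code from Slack, MSE or any poster; the URL, TTL and in-memory store are assumptions, and a real deployment would persist the pending logins and set the cookie with HttpOnly/Secure/SameSite attributes. The key points it shows: the server stores only a hash of the emailed token, the cookie nonce is a separate secret that never leaves the requesting browser, and a link presented from the wrong browser is burned rather than left live.

```python
"""Illustrative magic-link login bound to the requesting browser (example, not Slack's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 600                      # assumption: links live 10 minutes
VERIFY_URL = "https://example.invalid/login/verify"   # hypothetical endpoint


@dataclass
class PendingLogin:
    email: str
    browser_nonce: str      # value placed in a cookie in the *requesting* browser
    expires_at: float
    used: bool = False


class MagicLinkService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # Keyed by SHA-256 of the emailed token: a leaked store yields no usable links.
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_link(self, email: str) -> Tuple[str, str]:
        """Return (link to email to the user, nonce to set as a cookie in this browser)."""
        token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = PendingLogin(
            email=email, browser_nonce=nonce, expires_at=self._clock() + LINK_TTL_SECONDS
        )
        return f"{VERIFY_URL}?token={token}", nonce

    def redeem(self, token: str, browser_nonce: Optional[str]) -> Optional[str]:
        """Return the authenticated email on success, otherwise None.

        Success requires: known token, not yet used, not expired, and a cookie nonce
        matching the one issued to the browser that requested the link.
        """
        entry = self._pending.get(self._digest(token))
        if entry is None or entry.used or self._clock() > entry.expires_at:
            return None
        if browser_nonce is None or not hmac.compare_digest(entry.browser_nonce, browser_nonce):
            # Someone holds the link but not the cookie (forwarded, intercepted, or
            # read out of a compromised mailbox). Burn it so the real user cannot be
            # logged in later by that same link either.
            entry.used = True
            return None
        entry.used = True            # strictly single use
        return entry.email


def token_from_link(link: str) -> str:
    """Extract the token query parameter from a link produced by request_link()."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    svc = MagicLinkService()
    link, cookie = svc.request_link("alice@example.com")   # constructed sample address
    print("emailed link:", link)
    print("same browser:", svc.redeem(token_from_link(link), cookie))
    print("replay:", svc.redeem(token_from_link(link), cookie))
```

The clock is injectable so expiry can be exercised without sleeping. Note that the token is a bearer secret for the few minutes it lives; the cookie nonce is what turns it into "something only the requesting browser has", which is the property the post relies on.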