Magic link sign-in flow (password-free logins) [Feature Request]
https://github.com/heartcombo/devise/issues/4724
KelseyDH commented Dec 14, 2017 (edited):
Magic Links are becoming an increasingly popular approach to logging in, thanks in part to Slack.
In a Magic Link login flow, a user is emailed (or texted!) a link to automatically log into their account by email, removing the need to remember a complex password. From a UX standpoint, the experience is excellent. Adding support for Magic Links through Devise would give Ruby on Rails in general a powerful leg up over other frameworks and authentication libraries.
A secure solution / proposal for how it could be added:
Since Devise already has comprehensive support for unlocking an account via an unlock_token or a password_reset_token, an eleventh module -- a standalone Magic Link module -- with controller + views similar to the Recoverable and Lockable modules could just be added without complecting devise's existing modules or codebase too much.
Thoughts?!

cross-p6 commented Dec 15, 2017:
While the 'magic link' mechanism is great from a UX point of view, I have yet to see an implementation that is not trading security for ease of use. With that said, I'm hesitant to see this implemented in the devise core, since devise takes security very seriously and is expected to do so.
The magic link is actually very similar to the 'insecure sign in' after confirmation that at one time existed in devise and was removed, for good reason.
If implementations wish to override devise's mechanics to allow this behavior, so be it -- to have this be something in core that comes with the connotation of being secure is my main disagreement.

KelseyDH commented Dec 19, 2017:
What is it about a magic sign-in link/token that makes it insecure compared to a password reset link?

KelseyDH commented Dec 21, 2017 (edited):
Thank you for sharing this. However, I don't believe what you posted invalidates this approach for handling magic links.
From the write-up: "Automatically signing the user in could also be harmful in the e-mail reconfirmation workflow." The write-up then explains how confirmation tokens could become a security issue (my emphasis added):

"Imagine that a user decides to change his e-mail address and, while doing so, he makes a typo on the new e-mail address. An e-mail will be sent to another address which, with the token in hands, would be able to sign in into that account. If the user corrects the e-mail straight away, no harm will be done. But if not, someone else could sign into that account and the user would not know that it happened. For this reason, Devise 3.1 no longer signs the user automatically in after confirmation. You can temporarily bring the old behavior back after upgrading by setting the following in your config/initializers/devise.rb"

From this write-up we can see the security concerns are not that automatic logins via email are inherently dangerous, but rather that automatic login links via email are dangerous if sent while in the context of a user changing their email address. The danger is that the user could mistakenly give someone else access to their account via a confirm-your-email confirmation email if they made a typo while in the process of changing their account's email address.
For confirmation links sent right after changing an email address, this is a valid security concern, and no doubt one that Devise was right to patch up. But it's not a security concern relevant for a magic login link, which are sent when the connection between a user and their email address is unambiguous (especially if a user has confirmed their email address).
In such cases, magic links would be no more dangerous than Devise's default out-of-the-box configuration for password resets, where it's assumed that anyone who can prove ownership of an email address, and ownership of a token recently-generated for that email, is someone we can trust.
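A sketch of the token lifecycle the thread compares to Devise's reset flow (short-lived, single-use, only a digest stored server-side, and refused while an email change is pending so the typo scenario above cannot arise), written as an added example in plain Ruby. It is not Devise's code nor the gem mentioned later in the thread; the User struct, the MagicLinkAuth class and the 15-minute TTL are assumptions.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory user record (constructed for this example, not Devise's model).
User = Struct.new(:email, :confirmed, :unconfirmed_email,
                  :login_token_digest, :login_token_sent_at, keyword_init: true)

class MagicLinkAuth
  TOKEN_TTL = 15 * 60 # seconds; assumed policy, in the spirit of Devise's reset_password_within

  # Issue the raw token that goes into the emailed link and persist only its digest,
  # so a database leak does not hand out usable links. Refuse when the link between
  # identity and address is ambiguous: unconfirmed account or pending email change.
  def self.issue(user, now: Time.now)
    return nil unless user.confirmed
    return nil if user.unconfirmed_email # the typo-in-new-email case from the thread
    raw = SecureRandom.urlsafe_base64(32)
    user.login_token_digest = digest(raw)
    user.login_token_sent_at = now
    raw
  end

  # Redeem a presented token: reject if none outstanding, expired, or mismatched
  # (constant-time compare); on success invalidate it so the link works only once.
  def self.redeem(user, raw, now: Time.now)
    return false if raw.nil? || user.login_token_digest.nil? || user.login_token_sent_at.nil?
    return false if now - user.login_token_sent_at > TOKEN_TTL
    return false unless secure_compare(digest(raw), user.login_token_digest)
    user.login_token_digest = nil
    user.login_token_sent_at = nil
    true
  end

  def self.digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Byte-by-byte comparison whose timing does not depend on where the strings differ.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```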
Title changed: "Future support for Magic Links?" -> "Magic Link / "Email me a link" sign in flow (password-free logins) [Feature Request]"
Title changed: "Magic Link / "Email me a link" sign in flow (password-free logins) [Feature Request]" -> "Magic link sign-in flow (password-free logins) [Feature Request]"

rafaelfranca (Collaborator) commented Dec 22, 2017:
Thank you for the feature request, but we don't plan to add any new feature to devise in the foreseeable future. I recommend you try to implement this feature as a devise plugin. If it gets popular we can think about integrating it in devise.

closed this

NielsKSchjoedt commented May 1, 2018:
+1

dvanderbeek commented May 3, 2018:
I took a stab at a gem for this feature. Feedback or PRs would be greatly appreciated!

KelseyDH commented May 4, 2018:
Very cool! I just in hope to get some additional attention on it. When the gem's documentation is fleshed out a bit this would definitely be worth posting to Hacker News also.

sounishnath003 commented Dec 25, 2018:
How can I implement this?

koenhandekyn commented Apr 29, 2020:
David, I think your implementation was a bit too early. The concept has been around for a while but it seems it's currently gaining in popularity. It's very surprising to find that it's still not there as a standard devise extension. I'll take a look at your implementation! There are gems now that bring 'passwordless' to Rails, but they are standalone. I guess there is a serious case for an integrated solution, because I assume there are more applications that would like to provide the user with options (with password or without), for example.

abevoelker (Contributor) commented Nov 12, 2020: