The benefits we argued were:
- Save time in development (launch Microcosm sooner)
- Be mobile app and API friendly (an integrated HTML form is not)
- Don't trust unknown third parties (which may be the application itself; it should never have access to your password, so the app must never have an integrated sign-in form)
- Trust a single third party that has a track record of privacy and security
None of that is weakened by auto sign-in on email links.
And we already have the very strong notion that "email is your auth method"... if someone has access to your email, then by virtue of that they have access to any account on any service that would send a password reminder to your email.
So the big assumption behind email as an auth method is: You protect your email.
Given that... if we send an email to you alone, and it's personalised and it's only for you... then why not make the link in the email sign in automatically?
If you're not protecting your email, the whole game is up anyway.
The email content?
Which type of notification is it?
Also... a general question... should emails auto-sign-in when you click those links? We could make that happen. And it would side-step Persona and you'll just be in.
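
An added example, not part of the original thread and not Microcosm's code: one way a personalised auto-sign-in link could be tied to a single recipient. The HMAC key, the 15-minute lifetime, the single-use rule and the names `make_link_token` and `redeem` are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # assumption: server-side key, never placed in the email
TTL_SECONDS = 15 * 60             # assumption: a link is valid for 15 minutes
_used_nonces = set()              # assumption: stands in for a database table


def _sign(payload: bytes) -> bytes:
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def make_link_token(user_id: int, now: int) -> str:
    """Token for one recipient: user id, expiry and a random nonce, then a MAC."""
    payload = f"{user_id}.{now + TTL_SECONDS}.{secrets.token_urlsafe(16)}"
    return f"{payload}.{_sign(payload.encode()).decode()}"


def redeem(token: str, now: int):
    """Return the user id to sign in, or None if the link must be refused."""
    try:
        payload, sig = token.rsplit(".", 1)
        user_id, expires, nonce = payload.split(".")
        user_id, expires = int(user_id), int(expires)
    except ValueError:
        return None  # malformed link
    # Constant-time comparison; any change to the user id or expiry breaks the MAC.
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode())):
        return None
    if now >= expires or nonce in _used_nonces:
        return None  # stale, or the link was already clicked once
    _used_nonces.add(nonce)  # burn the link on first successful use
    return user_id
```

A forwarded or archived email then stops working as a sign-in once the link has been used or has expired, which narrows what "protect your email" has to cover.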