20 votes
What's the deal with sites that ask if you want to sign in with your password or an emailed code and then after you use your password, they still email you a code?
I'm all for two-factor authentication, but what's the point of asking?
Anyone ever hit an MFA chain that just leaves you emotionally exhausted?
Does it count if half of the problem is technically my own fault because my Switch controller is plugged into my PC?
For whatever reason, when my Switch controller is plugged in, trying to log into a Microsoft account in browser is just nightmarish because it seemingly does a bunch of random inputs on the login screen. But it's impossible to tell what's going on, because it just returns me to the email input after I enter my email, sometimes letting me enter a confirmation code. It took me multiple hours to figure out the issue was my Switch controller because...
The other half of the problem is that Microsoft sometimes seems to ignore the fact that I don't want it to keep me logged in, or that it will automatically log me in based off of the Microsoft account I was forced to use to set up my computer. Like, stop that. I have two Microsoft accounts for different purposes. Let me use the one I'm intending to use.
Though, part of the reason that was an issue was because it was an authorization for something else, but for some reason there was no way to copy the link so I could slap it into a private browsing window, I just had to click it. Which of course immediately redirected me due to the random inputs, so I couldn't get the link like that either.
And, entirely my fault, but whenever I log into my Microsoft accounts from a new device, and they want to send the 2FA code, I never realize the input box is to enter the 2FA method and not the code. So I just end up staring at my inbox for a few minutes waiting for the 2FA. Oops. But why don't they just send it? If they already have access to the email, phone number, or whatever to retrieve the code sent to them, it's trivial to check what the 2FA address is. Especially when they give some of the characters as a hint.
But to top it all off, when I finally got in, I had used the wrong email. Which was not immediately obvious, because for reasons unknown, it doesn't bother throwing an error or even give any feedback. So my assumption was that the app was just broken.
And then the entire process happened again a couple years later, though that time it took me only an hour to figure out. (45 minutes of which I just assumed it was broken and went off to do something else until I remembered my previous encounter.) If I'm lucky, next time I can get it figured out in under 5 minutes...
I have a bank account that does this. So annoying when you're trying to quickly deal with money.
"Magic" (or tragic) links, they're typically called. 404 Media does the same thing, and I can't be bothered if I get linked to an article that wants me to login. It's way more friction than using a password manager.
I guess there's some weird subset of users who just do password resets whenever they need to log in to something, and some companies have run with that.
Sites that do this
For sites like 404 media that don't have anything user-specific or sensitive, I think it's a sensible choice.
Tumblr is one such site, when you enter your username they offer to send you a link to log in, which you can decline in order to enter your password. I haven't had them insist on still sending me an email to verify afterwards though.
Home Depot skips my password every time. I don’t even know if I have one… it’s always just signing me in via email. :(
I also agree that asking for a password then treating you as if you didn't input one is... strange. I've seen this on several sites, including Walmart and Verizon.
I understand why email-as-a-password (or text message as a password) is a thing. The security benefit is arguably favored more towards the site owner than the user. Eliminating the possibility of brute force, limiting the amount of info in a data breach (even if it's only just one less value - a password), and perhaps even reducing an attack vector (for SQL injection, etc) are all valuable.
But for the user... is it convenient? Sure. Is it easier than remembering a password (if you don't use a password manager)? Absolutely.
However... the biggest vulnerability with this is if someone's email account is compromised. You could argue that you're already screwed if this happens, since password resets are possible with email alone in many cases.
But at the same time, when someone receives emails or text messages, they usually know right away, depending on their smartphone notification settings. So if someone gets in, they'll see it quickly. With a password and no MFA, they may never know.
There are pros and cons to everything. But I agree that these sites should stop giving the password login option if they aren't doing actual MFA and sending emails or texts regularly.
Most likely they’re two separate steps in the system:
They just do step #1, and if it succeeds, then do step #2. It's unlikely that there's special handling of the e-mail magic link in #1 just because it could also be the 2nd factor when multi-factor is enabled.
Why offer step 1 if both require step 2 and step 1 is just extra work?
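The two separate steps the post above describes, as an added example that is not code from this thread or from any of the sites mentioned: a constructed login that accepts either a password or an emailed link as step 1, then decides whether step 2 (an emailed code) is needed. The naive variant always sends the code, which is the double-email behaviour the reply complains about; the channel-aware variant skips it when the mailbox was already the first factor, since proving mailbox access twice is not a second factor. The `User`, `Login` and `outbox` names and the PBKDF2 parameters are my own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes

def hash_pw(pw: str, salt: bytes) -> bytes:
    # Assumed parameters; any slow password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def make_user(email: str, pw: str) -> User:
    salt = secrets.token_bytes(16)
    return User(email, salt, hash_pw(pw, salt))

class Login:
    def __init__(self, user: User, channel_aware: bool):
        self.user, self.channel_aware = user, channel_aware
        self.outbox = []            # constructed stand-in for the mail server: (kind, secret)
        self.first_factor = None    # "knowledge" (password) or "email" (magic link)
        self.pending_link = None

    def step1_password(self, pw: str) -> bool:
        """Step 1, option A: something the user knows."""
        ok = hmac.compare_digest(hash_pw(pw, self.user.salt), self.user.pw_hash)
        self.first_factor = "knowledge" if ok else None
        return ok

    def step1_send_link(self) -> None:
        """Step 1, option B: a one-time link proving control of the mailbox."""
        self.pending_link = secrets.token_urlsafe(16)
        self.outbox.append(("link", self.pending_link))

    def step1_redeem_link(self, token: str) -> bool:
        ok = self.pending_link is not None and hmac.compare_digest(token, self.pending_link)
        self.pending_link, self.first_factor = None, ("email" if ok else None)  # one-shot
        return ok

    def step2(self) -> str:
        """Step 2: naive always emails a code; channel-aware skips it after an emailed link."""
        if self.first_factor is None:
            return "denied"
        if self.channel_aware and self.first_factor == "email":
            return "signed_in"      # mailbox already proven; a second email adds no factor
        self.outbox.append(("code", f"{secrets.randbelow(10**6):06d}"))
        return "code_sent"
```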