Ask HN: Does magic link authentication use HTML canvassing?

Many sites are starting to use magic link auth more often and I am wondering if it's a trend to also glean more information from the account holder.

I don't like this auth process because it forces me to have to use the email system to authenticate every time, which adds to the amount of time it takes to log in. With Claude.ai, the auth process at least gives you an option to use a code to sign in with after you get the email. The problem is, the email doesn't contain the code. You have to click on a link which opens a web page to gain the code and it appears at that point it wants to do an HTML canvassing operation. I feel like that is a violation of privacy to do this at the point of trying to log into a service I pay for. I'm wondering if I am off base or if anyone notices this, or finds a difference in the process, and if it's happening, what can be done about it. Also, I wonder what the real reason is why more and more companies are moving toward this authentication method.

2 points | by trinsic2 19 hours ago

4 comments

  • Gametroleum 19 hours ago
    I believe this is the reason:

    Imagine, you work in bigCorp. You have company email address: [email protected]

    bigCorp pays for your access to SaaS service.

    You switch jobs, your email is revoked/removed. You cannot log in anymore.

    If there was no 2FA via email - you still can access service with email+password in case they failed to remove your access to specific service.

    If all services use 2FA via email - bigCorp has less access problems.

    That is also partly related to SAML/SSO lack of "sign off".

    • raw_anon_1111 17 hours ago
      No BigCorp would ever use a SaaS product that doesn’t have SSO federation. No IT department wants to keep track of individual logons.
  • kay_o 13 hours ago
    0) Word you want is fingerprinting?

    1) They can already do this at the login point before the email is sent

    2) It is more likely, for general users, such that users reuse passwords and get stuffed often

  • NoahZuniga 13 hours ago
    Consensus in the security space is that passwords are really bad. So many products are migrating away from passwords to magic links/passkeys.
    • andyjohnson0 1 hour ago
      It seems to me like magic links are just off-loading the auth problem to email.

      If magic links become increasingly common then email† account access increasingly becomes a single point of vulnerability/failure. And email providers obviously can't use magic links for auth. I don't know what the solution is.

      † or IM services