
Wouldn't that just log you in on the browser doing the clicking, instead of the attacker's browser?


You mean in the booking example? They logged in the browser that... requested access. So basically anyone that knew your login/email.

I think it should check if the browser requesting is the same as the one confirming, or just drop that whole dumb mechanism entirely.
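
An added example, not part of the thread and not any site's actual code: one way to implement the check suggested in the comment above, so that an e-mailed login link only works in the browser that requested it. The function names, the cookie-nonce scheme, the in-memory store and the TTL value are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL = 600  # seconds a confirmation link stays valid (assumed value)
_pending = {}    # token hash -> pending request; in-memory stand-in for a database


def _h(value: str) -> str:
    """Store only hashes, so a leaked table does not yield usable secrets."""
    return hashlib.sha256(value.encode()).hexdigest()


def request_login(email: str, now: Optional[float] = None) -> Tuple[str, str]:
    """A browser asks for a login link.

    Returns (link_token, browser_nonce). The token goes into the e-mailed
    link; the nonce is set as a cookie on the requesting browser only.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    _pending[_h(token)] = {
        "email": email,
        "nonce_hash": _h(nonce),
        "expires": now + TOKEN_TTL,
    }
    return token, nonce


def confirm_login(token: str, cookie_nonce: Optional[str],
                  now: Optional[float] = None) -> Optional[str]:
    """The e-mailed link is opened. Returns the account to log in, or None.

    A session is granted only to a browser that presents BOTH the link token
    and the nonce cookie, i.e. the browser that made the original request.
    """
    now = time.time() if now is None else now
    # Single use: the token is consumed on any attempt, successful or not.
    entry = _pending.pop(_h(token), None)
    if entry is None or now > entry["expires"]:
        return None
    if cookie_nonce is None:
        return None  # link opened in a browser that never requested it
    if not hmac.compare_digest(_h(cookie_nonce), entry["nonce_hash"]):
        return None  # cookie belongs to a different login request
    return entry["email"]
```

With this binding, a click in a browser that did not make the request logs nobody in, and the browser that made the request never receives a session because of someone else's click.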



