yarnd implements this too 👌 It's basically called "Magic Link Auth". We've had this for a while, not sure if anyone uses it though 😅
I haven't seen it though, from where is it accessible?


I'd suggest something like "Send an access link to your email", "Send a Magic link", etc.
twtxt_twtxt.1.cytd0qqnwbpw@dm4.mills.io | time="2022-10-10T05:17:46Z" level=warning msg="sending emails disabled in configuration"
That would be why it's not working... Hmmm 🤔

SMTP_PORT to be set (used to default to 25) ooops 😅
So it's not disabled, but not setup correctly and for that reason doesn't send mails?
Yes, it's working for me too now.
One of the reasons I ended up on yarn.social was that I was looking for a good passwordless alternative and IndieAuth seemed like it might fit the bill!
If you are able to reset your password by email, it's a pretty similar level of security to receiving an access token by email. Anyone with access to your mail could get access to your accounts.
Adding a second factor of authentication could help, or using something with Public/Private crypto could help, like Client Certs, Fido2 or even hipster things.
And also giving alerts that someone else is connected on your behalf is great (like is done for some banks or Google), but that's a UX compromise between convenience and security.
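The post above makes the point that a magic link is only as strong as the mailbox it lands in, so the server-side part should at least not make things worse. The following is an added example (not yarnd's code, and not from anyone in this thread) of the token hygiene a magic-link implementation needs: a random 256-bit token, only its hash kept server-side, a short expiry, and single use. `MagicLinkStore`, `Issue`, `Redeem` and the 15-minute TTL are all assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ErrInvalid is returned for unknown, expired or already-used tokens alike,
// so a caller cannot distinguish the three cases.
var ErrInvalid = errors.New("magic link invalid, expired or already used")

// magicLink is the server-side record. Only the SHA-256 of the token is
// stored, so a leaked database does not yield usable links.
type magicLink struct {
	email   string
	expires time.Time
}

// MagicLinkStore is a hypothetical in-memory store for pending links.
// Now is injectable so expiry can be exercised without sleeping.
type MagicLinkStore struct {
	links map[string]magicLink // key: hex(SHA-256(token))
	ttl   time.Duration
	Now   func() time.Time
}

func NewMagicLinkStore(ttl time.Duration) *MagicLinkStore {
	return &MagicLinkStore{links: map[string]magicLink{}, ttl: ttl, Now: time.Now}
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// Issue creates a fresh token for the given address and returns the secret
// that goes into the e-mailed URL. The secret itself is never stored.
func (s *MagicLinkStore) Issue(email string) (string, error) {
	raw := make([]byte, 32) // 256 bits from the OS CSPRNG
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	s.links[hashToken(tok)] = magicLink{email: email, expires: s.Now().Add(s.ttl)}
	return tok, nil
}

// Redeem consumes a token exactly once. It returns the e-mail address the
// token authenticates, or ErrInvalid. Expired entries are deleted on sight.
func (s *MagicLinkStore) Redeem(tok string) (string, error) {
	h := hashToken(tok)
	link, ok := s.links[h]
	if !ok {
		return "", ErrInvalid
	}
	delete(s.links, h) // single use: remove before checking expiry
	if s.Now().After(link.expires) {
		return "", ErrInvalid
	}
	return link.email, nil
}

func main() {
	store := NewMagicLinkStore(15 * time.Minute)
	tok, err := store.Issue("alice@example.test") // constructed sample address
	if err != nil {
		panic(err)
	}
	fmt.Println("link: https://example.test/login?token=" + tok)
	email, err := store.Redeem(tok)
	fmt.Println("first redeem:", email, err)
	_, err = store.Redeem(tok)
	fmt.Println("second redeem:", err)
}
```

The URL the user receives would carry `tok`; a real deployment would also bind the link to the session that requested it or require a second click on the device that started the flow, which is the step that keeps a forwarded or intercepted e-mail from being enough on its own.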
I didn't know about https://indieauth.net which seems to be based on OAuth 2.0 (that I have used before), I'll take a look!
yarnd? 🤔 Note however I have a **strong** preference for something that is "self-hostable".
And if you have support for WebAuthn, even better.
Both are self-hostable.
https://eapl.mx/webauthn/_test/client.html
And the implementation there:
https://eapl.mx/twtxt/login.html
What's missing in the examples is having an identity tied to your Auth device (Hardware token or OS service like Microsoft Hello, Apple Keychain, Android Fingerprint). The explanation is long, but the abstraction is there. Your identity and private certificates are held for you by some 'magic' device.

So I'll say that using a password with a simple function like https://www.php.net/manual/en/function.password-verify.php is much easier than a whole library requiring communication between the server, the browser and the auth device... There is a security reason for that (mainly to avoid phishing, which is something I like compared to other solutions like SQRL).
