Passwords.app and Magic Links
There are many sites — and the trend seems to be accelerating — that do not use passwords (or passkeys) for signing in. Instead, they only support signing in via expiring “magic links” sent by email (or, sometimes, via text messages). To sign in with such a site, you enter your email address, hit a button, and the site emails you a fresh link that you need to follow to sign in. I despise this design pattern, because it’s inherently slower than signing in using an email/password combination that was saved to my passwords app and autofilled by my web browser.
[…]
To make matters worse, when you create a new account using a “magic link”, nothing gets saved to Apple Passwords. I don’t have many email addresses in active use, but I do have several. Sometimes I don’t remember which one I used for my account on a certain site.
[…]
One workaround I’ve used for a few sites with which I keep running into this situation (Status, I’m looking in your direction) is to manually create an entry in Apple Passwords for the site with the email address I used to subscribe, and a made-up single-character password. Apple Passwords won’t let you save an entry without something in the password field, and a single-character password is a visual clue to my future self why I did this.
I have also run into this friction where the Passwords app insists I not leave the field blank but there’s nothing that really makes sense to put there.
I’d always assumed that sites used magic links because people don’t remember their passwords, and it’s easier to click a link than to go through the password reset process each time. But Gruber notes that magic links are also an effective way to combat account sharing.
3 Comments
I’m not too deep into account-sharing, but what would prevent me from setting up lets-all-share-netflix@gmail.com and using it for the accounts I intend to share?
@Fabian I've done something exactly like this myself.
I would say this "magic link" trend has little to do with account sharing and is mostly motivated by just not wanting to deal with the liability of storing passwords.
This behavior also comes from the sad fact that for many, many users, “forgot password” is their login link. The average user is so bad about passwords that many don’t even try. And honestly that’s probably for the best in many cases, because they are just going to reuse the same simple password and email combination for every service anyway. They’re lucky if the password to their email account isn’t the exact same password anyway.