Passwordless Authentication

Has anyone looked into things like this:

https://swoopnow.com/

I like the sound of it (and I imagine it would be fairly easy to create one for Anvil), but I struggle internally with how secure it is.

I have clients who really struggle with passwords and essentially change them each time they log in, so something like this sounds like it might help them (they are used to getting the new password or link in email when they reset). And a 2FA app? Hah :slight_smile:

Anyone have any thoughts or insights?

I use link-based authentication for a subset of users to get to order details. There it’s a fixed order number that’s passed in via the link, so it’s not very secure, but given my user population and what they can do via the link, it works well enough.

One-time use login links don’t make sense for what I’m doing, but would be easy enough to implement in Anvil.

Sending an email to authenticate is an interesting idea, and well within Anvil’s capabilities.

I think you’re right: from at least a cursory reading of Swoop’s features, you could replicate those in Anvil easily enough.

From a security standpoint, the web model has for years assumed that access to email was a guarantee of identity (for password resets, etc). One-time use login links wouldn’t be any less secure than one-time use password reset links, and would remove steps from the always-forgetting-their-password user experience.

I can see it being annoying to the users who do remember their passwords, though, being forced to use email as part of their everyday login process.

Anyone have any thoughts or insights?

And now, I shall put on my best smug face, and perform a magic trick:

image

:arrow_down:

image

:arrow_down:

image

:arrow_down:

:sunglasses:

(More details at: https://anvil.works/docs/users/authentication_choices#sign-in-with-email-link. Perhaps we should shout about this a bit more…)


I do it with my current production app. Very easy with custom authentication.

That’s very cool! I’d glossed over that option, thinking it was one more third-party service I didn’t use.

Well, I must say I am ashamed I didn’t pay more attention :slight_smile:

In my defence I don’t use the internal login system much as I’m nearly always authenticating against an external database.

I shall investigate forthwith …

Yeah, now I see it I think I must have thought the same. It’s sandwiched between a load of external auth methods.

I think you should …

Can I get access to the link so I can send out my own custom email?