  1. Moodle
  2. MDL-75399

Allow authentication via magic links especially on mobile

Details

    • Easy

    Description

      This is a common use case for when you mostly use desktop and you have some big good strong password in your password manager on your desktop and then out of the blue you need to log in on mobile. You do NOT want a password reset; your password is fine, it is just a huge horrible thing to type and you don't have password manager syncing. All you want is to log in and do whatever you wanted to do.

      Hypothetically, if you did go through the email-based reset you'd get in, but it's a huge hassle for no reason. There is a growing feature lots of products have called a magic link, which is fairly similar to the password reset but all it does is log you in:

      1) Go to login with username and password

      2) Before you enter your password you get the option to 'login via email link'

      3) Often this is given to you as a prompt if your password failed, as another alternative to resetting it.

      4) If you click the button it sends you an email with a single use magic link

      5) Open email, click on the link and you are logged straight in with no fuss

      6) The link is tied to the session you were in so you can't open it in another browser or on another device

      The security around this is equivalent to the password reset using email.

      This would work with any authentication plugin type that accepts a password, and where the user's email is known and valid and not bouncing etc. It also works in some edge cases like where the reset cannot work, e.g. when the password cannot be changed.

      This has a net benefit because it encourages people to use good strong passwords but doesn't then penalize you when it isn't easy to use them.

      Magic links in the wild:

      https://auth0.com/docs/authenticate/passwordless/authentication-methods/email-magic-link

      https://workos.com/blog/a-guide-to-magic-links

            People

              Unassigned Unassigned
              brendanheywood Brendan Heywood
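
The flow in steps 4 to 6 of the description, as an added example that is not part of the issue and is not Moodle code: a single-use token that is stored only as a hash, expires, and is honoured only in the session that requested it. The class name, the 10-minute lifetime and the session identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 600  # seconds; assumed lifetime, the issue does not specify one


class MagicLinkStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, now=time.time):
        self._rows = {}  # sha256(token) -> (username, session_id, expires_at)
        self._now = now  # injectable clock so expiry can be tested

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, session_id):
        """Create a token bound to the requesting session; the caller emails it."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = (
            username, session_id, self._now() + TOKEN_TTL)
        return token

    def redeem(self, token, session_id):
        """Return the username to log in, or None if the link must be refused."""
        # Single use: the row is removed on first presentation, before any
        # other check, so a link opened in the wrong place is burned too.
        row = self._rows.pop(self._digest(token), None)
        if row is None:
            return None  # unknown or already used
        username, bound_session, expires_at = row
        if self._now() > expires_at:
            return None  # expired
        # Step 6: honour the link only in the session that asked for it.
        if not hmac.compare_digest(bound_session.encode(), session_id.encode()):
            return None
        return username


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("alice", "sess-mobile")      # constructed values
    print(store.redeem(link_token, "sess-mobile"))        # logs in once
    print(store.redeem(link_token, "sess-mobile"))        # replay is refused
```

Consuming the token before the session check is a fail-closed choice: a link opened in another browser is refused and cannot be retried, so the user has to request a new one.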