Ask HN: Single-factor authentication via email – good idea or not?
3 by upgradeind | 3 comments on Hacker News.
Background: I am attempting to create a very minimal website for my company written in Rust (yay!). All it does is list products and accept orders with no community or user submitted content beyond payment data (handled via Stripe and I only save shipping info). I am using the Rocket framework which doesn't seem to have this baked in yet.

The problem: I need a way to let previous customers recover order information and print invoices, but I personally hate being forced to create user accounts on websites just for this purpose. I also didn't want to deal with user passwords and account recovery (hey, I said it was minimal!). The scheme I've come up with and tested successfully so far in my dev environment is to let customers type the email address that they used to make orders and send them a time-limited one-time login key via email (it could also come via text using their number if I ever figure that one out). This in theory verifies they control that email address, and once logged in they can see previous order information. That's pretty much it, but seeing as how I've never seen this type of thing available before in my Django or Flask experience, I wanted to see if I was in fact making some kind of huge mistake from a security or convenience perspective. The last thing I'd want to do is compromise the security of clients' information, or make a system that is too annoying to use. I am also trying to be reasonable because it's not like I'm storing vast amounts of personal information or payment credentials. I would also like to think about open sourcing my solution or submitting it as an add-on to Rocket, but I need a gut check first. Thanks!
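The token lifecycle the post describes (issue a random one-time key, email it, accept it once before it expires), as an added example that is not the poster's Rust/Rocket code; it is written in Python because the standard library already provides the CSPRNG and hash primitives, and the same structure ports directly to Rust. The `MagicLinkStore` class and its in-memory dict are assumptions standing in for a real database table, and the 15-minute TTL is a constructed value.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # constructed value: links die after 15 minutes


class MagicLinkStore:
    """Issues and redeems one-time, time-limited email login tokens.

    Only the SHA-256 of each token is persisted, so anyone who can read
    the table (backup, leaked dump, log line) cannot build a working
    login link from it. Redeeming removes the entry, so a link that was
    forwarded or cached cannot be replayed after its first use.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested
        # token digest -> (normalised email, absolute expiry timestamp)
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email: str) -> str:
        # 32 bytes from the OS CSPRNG, URL-safe so it can sit in a link.
        # The caller should return the same HTTP response whether or not
        # the address has orders, so the form cannot be used to confirm
        # which emails are customers.
        token = secrets.token_urlsafe(32)
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email.strip().lower(), expires_at)
        return token  # goes into the email body only; never logged or stored raw

    def redeem(self, token: str) -> Optional[str]:
        """Return the verified email, or None if the token is unknown,
        already used, or expired. pop() makes success strictly one-shot."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None  # stale link: entry is already gone, user must request a new one
        return email
```

Looking the digest up by key is safe without a constant-time compare because the token has 256 bits of entropy, so an attacker cannot guess digests to probe for; the lookup never reveals anything about a valid token.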