Hey guys! Great episode! The magic session as you called it to activate devices is usually the well documentend OAuth flow called Device Authorization Flow. Usually when the flow is different, it is because you don’t want the device to be logged in « as you » but rather be added to your account as « its own thing ».
Passkeys are the future. The thing with magic links that most devs don’t appreciate is that you reduce your attack surface for individuals a lot. Basically MFA as default
I had high hopes for them, but so far I'm not convinced. It's been a messy user experience trying to get them setup and working reliably with 1Password
@@Pygon2 if someone has your phone, you are screwed. The same with your email. But again, the future and real long term answer is passkeys. I plan to move all of my apps to 100% passkeys in the next year
Great episode! I generally turn away when a site ONLY offers a google oauth or requests a phone number (like Wes mentions at the end). Often I don't want to give up that info anymore than I already have. Also I never thought of "roll your own" auth in this manner so that was helpful. I've always thought of that as building your own username/pass login flow (plus register, refresh tokens, etc.) and managing that data in an app which is something I've always stayed away from and told others to do the same.
Hey guys! Great episode!
The magic session as you called it to activate devices is usually the well documentend OAuth flow called Device Authorization Flow.
Usually when the flow is different, it is because you don’t want the device to be logged in « as you » but rather be added to your account as « its own thing ».
Passkeys are the future. The thing with magic links that most devs don’t appreciate is that you reduce your attack surface for individuals a lot. Basically MFA as default
I had high hopes for them, but so far I'm not convinced. It's been a messy user experience trying to get them setup and working reliably with 1Password
@@Pygon2 if someone has your phone, you are screwed. The same with your email. But again, the future and real long term answer is passkeys. I plan to move all of my apps to 100% passkeys in the next year
Magic links suck. Especially when you have a device where you aren’t logged in to your email.
First 😂 haven't watched yet but I am sure it is a bomb. Thanks GOATs
Great episode! I generally turn away when a site ONLY offers a google oauth or requests a phone number (like Wes mentions at the end). Often I don't want to give up that info anymore than I already have. Also I never thought of "roll your own" auth in this manner so that was helpful. I've always thought of that as building your own username/pass login flow (plus register, refresh tokens, etc.) and managing that data in an app which is something I've always stayed away from and told others to do the same.
Tailwind > Postgres
Docker > React