Passwords and Magic Links

As someone that also can't stand "Magic" Links, this post from John Gruber really resonated with me.

> Proponents of “magic links” argue that they’re beneficial for technically befuddled users who don’t use a password manager. That’s a good argument for offering “magic links” as an _option_, but it’s not a good argument for making them the _exclusive_ way to sign in to a site or service. Good password managers are built into modern OSes and web browsers. Those of us who use them should not be punished with a significantly worse experience just because some users do not. When “magic links” are offered as an _alternative_ to a saved password or passkey, there’s a path for all users. When “magic links” are the _exclusive_ method for signing in, all users get the slowest experience.

As someone that religiously uses 1Password and has unique passwords for every login, I truly despise this dumbing down of login flows. Having to wait for an email with a link which could take an indeterminate time to arrive is beyond frustrating when you have perfectly secure credentials ready to hand.

I'm also finding that Passkeys are getting more annoying. I know that they are somewhat contentious, but I've personally found Google's handling of Passkeys to be flawless and by far the easiest and quickest way to sign in to a service. But more and more services seem to be adding a TOTP to the Passkey login flow, eliminating the seamlessness which makes them so compelling.

My third bugbear is sites which separately present the email and password fields on separate screens. I can't even understand the security theatre benefit of this and have no comprehension of what it achieves 🤬.

Finally, what is it with companies forcing TOTP codes on you via email/SMS? I generally always have TOTP set up in 1Password, but it's still an active choice where I've opted in and have a strong preference for always using the app to either autofill or manually paste the code. There are very few instances where I would choose the inconvenience of being forced to use an email/SMS TOTP code.