Jared
Well, you also end up in the same situation with 1Password and LastPass when these providers become huge targets. Of course, they probably have their security teams staffed up because if I can hack into Okta or FusionAuth or whatever, it's not just one company's stuff I'm going to get. It's like a smorgasbord.
How separate is it? Like different locations?
So I agree with that comparison, Dan. Having done both, I can tell you that rolling your own auth is considerably easier than operating a Postfix server with SpamAssassin and these other things on the public internet. Also, there's a step in between. I build my own auth system with my own first-party code. And then you have auth providers on the other side.
And in the middle, you have open source solutions, which many frameworks tackle this head on because it's hugely valuable and can't have pooled resources there. So there's a nice middle ground with auth, whereas with email, you're kind of doing it yourself or doing it with somebody else's. Fair enough.
So let's go back to Magic Links and talk about OTP, because this is kind of, to me, seems like maybe an evolution of Magic Links and an improvement. So the idea here is that I'm still going to send you something that you can then confirm that you have.
But instead of just making it a link, which in our case, it's like a long, it's not like an MD5 sum, but it's, you know, it's like a hash value that you would not be able to just rattle off. It's shorter and time-based and usually it's six numbers that are provided. And so the, the one-time passcode is sent to the email or whatever way you can send them. So you can push notify it or whatever.
And it's, there's a click provided, so you can still just click on it and just embed in the URL in that case. Or you can just read these six characters and type it back out. And that really solves one particular
bummer about magic links is the shareability aspect and the, like, switching context aspect, which a lot of people run into is like, hey, I'm on my phone, I send myself a magic link, and I don't have that email app on my phone, or there's like all these different weird things, or it opens in an app-specific browser inside of my email client, and so it logs me in inside of Gmail app
But I go back to my other app and I'm not signed in. Well, with these one-time passcodes, you know, you can solve that by just either copy-pasting the six digits or just remembering them for 10 seconds and typing them on the other side. So that seems like a nice evolution.
I prefer, I like that method. It doesn't bother me. You still have the trappings of it getting to them in an abnormal way versus stored there in their password manager or remembered in their brain. Like they have to fetch it every single time. But at least you're not stuck to like it has to be.