As they say, a small hole left unmended becomes a big hole that makes you suffer. Time to fix this problem.
Originally we introduced magic links as a more secure way to log into PeerBoard. We thought since you need access to a recovery email for passwords anyway, why not get rid of them completely? And folks like Notion and others also use them. This is such a cleaner experience and you can log in in just a few clicks, right? What we missed were a few important edge cases.
- Some mobile email clients open webpages in their own browsers (WebView and SafariView on iOS) that don't share cookie storage with your main browser. So logging in through a magic link there doesn't really create a session where you use it.
- If you open a magic link on a different device (maybe it's easier for you to use it for your emails), same problem - we create a session on a different device, not the one you originally used to request a session.
- Relying on email to log in adds another layer of instability: emails can go to spam, fail to deliver, etc.
- Finally, even if it works, in some cases there is still more effort to log in than just to use a password manager and paste your info in one click.
We got used to this situation ourselves but thanks to your feedback we started to see it as a bigger problem. We spent a few weeks brainstorming scenarios of ever-increasing complexity and eventually realized that we should just go with the most standard and bullet-proof solutions.
So prepare for the arrival of passwords!
We started working on the implementation and I wanted to give you a heads-up as early as possible. As of today, our migration plan looks as follows:
- In a few weeks all new members will start their registration on a new flow, being asked to enter passwords. Old magic link accounts will keep working.
- We'll also migrate new admin registration to passwords. Old admins can still use magic links.
- Around the same time or a bit later, we'll start showing a suggestion to enter a password for old accounts. Please do, and this will immediately switch you to the password scheme.
- 3 months after we start asking to enter passwords, we'll drop magic link support (to remove this code path and lighten our load). If you haven't entered a password by then, you'll still be able to recover your access using the password recovery option.
Note: email will still be the main channel for email notifications and password restoration, but you'll be able to use the product without relying on it for sign in.
Please let us know if you have any questions or suggestions. And for those of you who thought this was a big problem, time to celebrate 🎉💃🕺