
I'm trying to understand possible issues with the approach of sending the MFA one-time-token to the user as a clickable link in the email.

Instead of submitting the OTP on the web page, the user will simply click on the link and the web application should be able to proceed with the application flow.

I have seen most web applications use the user-submitting approach.

I would like to hear the community's thoughts on the clickable email link approach, and whether any known web applications use that approach for MFA.

  • This is susceptible to credential phishing. I'm also only seeing a single factor. Commented Dec 29, 2015 at 20:09

2 Answers


This is not multi-factor authentication, as it's just "something you know" twice (the password to your service, and the password to the user's mailbox -- and knowing user habits, they will be exactly the same). Further, the email from your system to the user's mailbox is not likely to travel over a secure connection, as we still live in the world of opportunistic encryption for mail delivery. So, the "secret token" is being sent over not-so-secret channels.

This is marginally better than just asking users for a simple password, but this is definitely not multi-factor authentication (which is supposed to prove that the user has in their possession a specific hardware device).

  • Would you also say that a SMS message is also not a 2nd factor to a password? It suffers from the same weaknesses as an email.
    – schroeder
    Commented Dec 29, 2015 at 19:19
  • It suffers from some of the same weaknesses, but it at least arrives at a handheld device likely to be inaccessible to the attacker. SMS verification is an actual multi-factor authentication mechanism, whereas email isn't.
    – mricon
    Commented Dec 29, 2015 at 19:23
  • I would say that access to the token email is "something you have"
    – schroeder
    Commented Dec 29, 2015 at 20:40
  • I'd say that it largely depends. If it's a corporate email account, with access restricted to specific devices, then I'd agree. If there are no such restrictions, then it's simply the same factor again. In most cases SMS requires a specific device to deliver to, which covers the "something you have" side of things. Commented Dec 30, 2015 at 5:51

The login flow you propose is:

  • User logs into site with username and password.
  • A link is emailed to user's registered (and presumably verified) email address.
  • User clicks on link to complete login process.

While you don't describe it, a typical password recovery flow is:

  • User asks to recover password.
  • They must provide some combination of email address, username, answer to questions, etc...
  • An email is sent to user's registered email address with a password reset link or a temporary password.

If you use this, it means that getting access to a user's email will allow an attacker to reset the password and then successfully execute the login workflow. This is no better than the standard login and password recovery scheme, so don't waste your energy on it.¹

If you do not use the email for password recovery, then I think this solution provides some additional security, though it is debatable how much. And all it is saving is the hassle to the user for having to type in a code sent to them in SMS or via a mobile authentication app.

You don't specify the properties of the login link. It should be the case that it only works if the user opens that link in the same browser that they started the login process in. If it would work in any browser, then the link would be all that is sufficient to actually break into the user's account.


¹ It is actually a tiny bit better, as an attacker who has only a brief, one-time access to the user's mailbox can't break in. They need to access it twice: once to reset the password and once more to click the login link. So requiring two emails will help in the unlikely event that the attacker only has enough time to work through one of the workflows before losing access to the victim's email.
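The last point of this answer, that the emailed link must only work in the browser that started the login, is easy to get wrong in practice. Below is an added example (not code from the question or either answer) of how the server side of that step can be structured in Python. All names here (`EmailLinkSecondStep`, `PendingLogin`, `LINK_TTL_SECONDS`) are assumptions for illustration. The idea: when the password check passes, the server mints two random secrets, puts one in the emailed URL and the other in an HttpOnly cookie on the browser that began the login, and stores only hashes of both. Completing the login requires the link token and the cookie to match the same pending record, the record to be unexpired, and the token to be unused, so a link opened from a different browser, forwarded, or replayed does nothing.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 600  # constructed value: an emailed link is valid for 10 minutes


class PendingLogin:
    """One login that passed the password check and is waiting for the link click."""

    def __init__(self, username, browser_nonce_hash, expires_at):
        self.username = username
        self.browser_nonce_hash = browser_nonce_hash
        self.expires_at = expires_at
        self.used = False


class EmailLinkSecondStep:
    """Hypothetical server-side state for the 'click the link in your mail' step.
    Only hashes of the secrets are stored, so a copy of this table yields
    neither a working link nor a working cookie."""

    def __init__(self, now=time.time):
        self._pending = {}  # sha256(link token) -> PendingLogin
        self._now = now     # injectable clock so expiry can be exercised offline

    @staticmethod
    def _h(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def start(self, username: str):
        """Call after the password check succeeded.
        Returns (link_token, browser_nonce): the token goes into the emailed URL,
        the nonce into an HttpOnly cookie on the browser that began the login."""
        token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[self._h(token)] = PendingLogin(
            username, self._h(nonce), self._now() + LINK_TTL_SECONDS)
        return token, nonce

    def complete(self, link_token: str, cookie_nonce):
        """Call when the emailed link is opened; cookie_nonce is the value of the
        cookie sent with that request (None if absent). Returns the username on
        success, or None if the token is unknown, expired, already used, or the
        request did not come from the browser that holds the matching cookie."""
        key = self._h(link_token)
        entry = self._pending.get(key)
        if entry is None or entry.used:
            return None
        if self._now() > entry.expires_at:
            del self._pending[key]
            return None
        if cookie_nonce is None or not hmac.compare_digest(
                entry.browser_nonce_hash, self._h(cookie_nonce)):
            return None  # link opened outside the browser that started the login
        entry.used = True  # one-time: a replay of the same link fails from here on
        return entry.username


def demo():
    """Constructed walkthrough of the four outcomes a practitioner cares about:
    wrong browser, right browser, replay of a consumed link, and expiry."""
    clock = [1_000_000.0]
    svc = EmailLinkSecondStep(now=lambda: clock[0])

    token, nonce = svc.start("alice")
    results = {
        "no_cookie": svc.complete(token, None),        # forwarded link, fresh browser
        "wrong_cookie": svc.complete(token, "other"),  # a different browser's cookie
        "same_browser": svc.complete(token, nonce),    # the browser that began login
        "replay": svc.complete(token, nonce),          # same link clicked again
    }

    token2, nonce2 = svc.start("bob")
    clock[0] += LINK_TTL_SECONDS + 1                   # let the link age past its TTL
    results["expired"] = svc.complete(token2, nonce2)
    return results


if __name__ == "__main__":
    print(demo())
```

The cookie binding is what turns the emailed link from "whoever holds this is logged in" into "whoever holds this and is sitting at the browser that asked for it is logged in"; it does not change the first answer's point about what the second step proves, but it removes the failure mode where the link alone is sufficient.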

