
Is this login flow via an authenticated email account safe?

Çağlar Arlı      -    80 Views

I want to have users log in by entering an email, and then proving that they control that email. I only care that they do control the email, and so want to avoid adding another password to the process if I can safely defer to the security guarding access to an email sent to that email account (to cut out a class of attack, I don't care about fundamentally trustworthy parties who can access the email legitimately, such as IT people at an organisation).

I've given it some thought and have come up with the following scheme. There are a lot of answers on here that give me pieces of information about the parts, but I was wondering if this specific scheme, in its entirety, is enough for me not to have to use my own password system on top of an email verification system, to avoid illegitimate third parties logging in under an email address they aren't supposed to be able to access.

  1. submit the email address john@example.com
  2. generate a random token e.g. 'first-token' (just pretend that's random!), with an expiry of say 2 minutes (configurable, just some shortish length of time)
  3. send an email to john@example.com, containing a link to fire a GET over https to a login endpoint with the email address and 'first-token' as query params
  4. the first time the login endpoint is hit with 'first-token' and 'john@example.com' whilst 'first-token' is still not expired, another token 'second-token' is generated and sent back. 'second-token' then becomes the longer-lasting access token for john@example.com, with some longer expiry (days, perhaps)
  5. if the login endpoint is hit with 'first-token' and 'john@example.com' after 'first-token' is expired, an error is returned

So, assuming the user has their email account secured with a password that's hard to crack/socially engineer out and all the rest - how secure is this login scheme?

My immediate thought is that, as I've heard email is unsafe and can be intercepted as plaintext on the wire, this isn't secure at all. However I don't understand very well how big a problem this is - can emails sent to an account be targeted for interception without knowing the specific servers the email will pass through? How likely or even feasible is it for a specific email to be targeted, intercepted and read if you're not, for example, part of the organisation whose email server will eventually receive the email?

And, if it is unsafe, then doesn't that effectively mean most 'forgot password? I'll send you a reset link via email' flows on the internet are vulnerable to attack, as they all use something very similar to, or even weaker than, the scheme above? I'm just talking about making this back door the front door - but either way the door's going to exist, right? Which leads me to believe that this scheme could be considered secure in practice?

I've thought about potential security holes in this scheme as far as my knowledge on the subject will allow - I'd really appreciate some help from the experts!
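As an added illustration, not code from the asker, here is the five-step flow above written out in Python with the properties that make it hold up on the server side: the first token comes from a CSPRNG, only hashes of tokens are stored, expiry is checked against an injectable clock, the first token is consumed on first successful use, and comparison is constant-time. The host name `login.example`, the 2-minute and 3-day lifetimes, and the in-memory dictionaries standing in for a database are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

FIRST_TOKEN_TTL = 120          # step 2: the emailed token lives about 2 minutes (assumed)
SECOND_TOKEN_TTL = 3 * 86400   # step 4: the access token lives days (3 assumed)

def _digest(token):
    # only hashes are stored, so a leaked table does not yield usable tokens
    return hashlib.sha256(token.encode()).hexdigest()

def parse_link(link):
    # what the login endpoint reads from the clicked link's query string
    q = parse_qs(urlparse(link).query)
    return q["email"][0], q["token"][0]

class MagicLinkLogin:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised in tests
        self._pending = {}      # email -> (sha256(first_token), expiry)
        self._sessions = {}     # sha256(second_token) -> (email, expiry)

    def request_login(self, email):
        """Steps 1-3: mint a random first token and build the link that would be emailed."""
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG output, not guessable
        self._pending[email] = (_digest(token), self.now() + FIRST_TOKEN_TTL)
        return "https://login.example/login?" + urlencode({"email": email, "token": token})

    def login(self, email, first_token):
        """Steps 4-5: exchange a valid, unexpired, unused first token for a second one."""
        entry = self._pending.get(email)
        if entry is None:
            return None                     # unknown email or link already consumed
        digest, expiry = entry
        if self.now() > expiry:
            del self._pending[email]
            return None                     # step 5: expired
        if not hmac.compare_digest(digest, _digest(first_token)):
            return None                     # wrong token (constant-time comparison)
        del self._pending[email]            # single use: consumed on first success
        second = secrets.token_urlsafe(32)
        self._sessions[_digest(second)] = (email, self.now() + SECOND_TOKEN_TTL)
        return second

    def whoami(self, second_token):
        # resolve an access token to its email, or None if unknown or expired
        entry = self._sessions.get(_digest(second_token))
        if entry is None or self.now() > entry[1]:
            return None
        return entry[0]
```

This covers only the endpoint side; whether the link can be read in transit depends on the mail path between the sender and the recipient's mailbox, which the scheme itself cannot control.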