Passwordless with CF
Hello Everyone,
I’m looking to implement a passwordless login system in my web app. Specifically, the user would enter their email, and then I’d send them a magic link or code. I’m considering how to properly secure this approach and would like to hear your thoughts from a security perspective, setting aside UX considerations for now.
My domain is already behind Cloudflare’s WAF, and I’ve integrated Turnstile for the form. The main abuse vector I can foresee is manual or semi-automated spam distribution via this form—essentially, someone generating magic links for various email addresses. This could lead to users marking my emails as spam, increasing my complaint rate. By the way, I’m using SendGrid for email delivery.
I’m also wondering if Google’s captcha might be a better option since it includes a challenge, which could act as a rate limiter for persistent "testers" and discourage spam attempts. I’m not sure if Turnstile can detect form abuse and respond to it effectively. What are your thoughts on this?
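One way to implement the issue-and-redeem side of the magic-link flow described above so that the form cannot be used to flood arbitrary inboxes, as an added example that is not the poster's code: tokens are random and stored only as hashes, are single-use and time-limited, issuance is rate-limited per address and per source IP, and the reply is identical whether or not a link was actually sent. The `MagicLinkService` class, the limits and the in-memory stores are assumptions; the SendGrid call is replaced by an in-memory list, and Turnstile verification is assumed to have already passed before `request_link` is called.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

TOKEN_TTL = 15 * 60     # a magic link stays valid for 15 minutes (assumed value)
MAX_PER_EMAIL = 3       # links per address per window, caps spam to one victim inbox
MAX_PER_IP = 10         # links per source IP per window, caps a single submitter
WINDOW = 60 * 60        # one-hour sliding window for both limits


class MagicLinkService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}                  # sha256(token) -> (email, expires_at)
        self.history = defaultdict(deque)  # rate-limit key -> request timestamps
        self.sent = []                     # constructed stand-in for the SendGrid call

    def _allowed(self, key, limit):
        """Sliding-window counter: drop timestamps older than WINDOW, then check."""
        now = self.clock()
        q = self.history[key]
        while q and q[0] <= now - WINDOW:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def request_link(self, email, ip):
        """Issue a link if within limits. The message is the same in every case, so
        the caller learns nothing about whether the address exists or was throttled."""
        email = email.strip().lower()
        if self._allowed(f"ip:{ip}", MAX_PER_IP) and self._allowed(f"email:{email}", MAX_PER_EMAIL):
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            token_hash = hashlib.sha256(token.encode()).hexdigest()
            self.pending[token_hash] = (email, self.clock() + TOKEN_TTL)
            self.sent.append((email, token))   # real code: send via SendGrid here
        return "If that address is registered, a sign-in link is on its way."

    def redeem(self, token):
        """Return the email for a valid, unexpired token; the token is consumed either way."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        # Lookup is by hash, so a database leak exposes no usable links and no
        # timing-sensitive string comparison is performed on the raw token.
        entry = self.pending.pop(token_hash, None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if self.clock() <= expires_at else None
```

In production the `pending` and `history` stores would live in a shared cache such as Redis so that limits hold across multiple app instances.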