Thurs Jun 8, 2017 8:44pm PST
Ask HN: Why is Stripe's 'Remember Me' considered secure? Or Lyft's sign up flow?
Traditionally an account is secure when the user gives something publicly available (email) coupled with something only they know (password).

With Stripe's Remember Me feature (https://stripe.com/checkout/info) an invisible 'account' is created for you by the unique pairing of the email and phone number. Then when you type in your email the next time, you get texted a code that you can use to auto fill in your payment methods. Why is this considered a secure experience? Can the code be thought of as a one time password? It seems a little crazy that two publicly available pieces of information can be used to authenticate (although admittedly you would have to intercept the text message code).

Even worse is Lyft. When you install the app you enter a phone number, verify with a code, and then enter your credit card info -- no password anywhere. What happens if you change phone numbers and it gets recycled? Now a new user installs Lyft and my credit card is already on file! How can this possibly be justified?
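An added example (not code from the post, and not Stripe's or Lyft's implementation) that models the texted code in the flow above as a server-side one-time password: it is bound to the (email, phone) pair, expires, burns after a few wrong guesses, and can be used once. The class, constants and limits are assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed: a code is only honoured for 5 minutes
MAX_ATTEMPTS = 3         # assumed: after 3 wrong guesses the code is burned


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class RememberMeVerifier:
    """Hypothetical model of an SMS one-time code keyed on (email, phone)."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for testing expiry
        self._pending: dict[tuple[str, str], Challenge] = {}

    def issue(self, email: str, phone: str) -> str:
        # 6 random digits from a CSPRNG; issuing again replaces any older code
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(email, phone)] = Challenge(code, self._clock())
        return code  # in the real flow this is texted to `phone`, never sent to the browser

    def verify(self, email: str, phone: str, submitted: str) -> bool:
        ch = self._pending.get((email, phone))
        if ch is None or ch.used:                # unknown pair, or replayed code
            return False
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._pending[(email, phone)]    # expired: force a fresh code
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:           # limits online guessing of 6 digits
            del self._pending[(email, phone)]
            return False
        if not hmac.compare_digest(ch.code, submitted):
            return False
        ch.used = True                           # one-time: the same code cannot be reused
        return True
```

The recycled-phone-number case in the second paragraph is not handled here: nothing in this model can tell that the number now belongs to someone else, which is exactly why binding a payment method to a phone number alone is the weak point.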
