9 Matching Annotations
  1. Last 7 days
    1. Especially users working with Microsoft Office 365 and therefore Outlook noticed very often that login is not possible. Upon closer analysis, it was found that the MS/Bing crawlers are particularly persistent and repeatedly call the reset links, regardless of server configuration or the like. For this reason, a text field was implemented in the backend via the Drupal State API, in which selected user agents (always one per line) can be entered. These are checked by 'Shy One Time'; in case of a hit, a redirect to the LogIn form with a 302 status code occurs and the reset link is not invalidated.
  2. Nov 2023
    1. As a prevention method, organizations should consider implementing passwordless practices like fingerprints or facial recognition, as well as modern authentication standards like WebAuthn, which remove passwords from the authentication experience. When organizations opt for these authentication methods, they help to mitigate the risk of stolen credentials, and minimize the chance of account takeovers.
  3. Mar 2023
  4. Feb 2021
  5. Dec 2019
    1. NOPASSWD doesn't have a major impact on security. Its most obvious effect is to provide protection when the user left his workstation unattended
  6. Jan 2018
    1. Cierge sends a magic link as well as a magic code that a user can manually enter into the login screen to continue as an alternative to clicking the link. Magic codes are short, volatile, & memorable (e.g. 443 863). For example, you can look up the code on your phone then enter it into your browser on desktop.

      This is the use case for magic codes