Please don't force us to log in using Apple/Google or "magic links"

Just want to add, as someone who works in cyber. The first step in compromising someone is usually getting access to email so you’re kind of making it easier for the bad guys. Cool :+1:

11 Likes

It looks to me like there will still be an option to get a code sent via email, not requiring an account link to Google or Apple.

I hate always having to go check my email or SMS for a login code, but it’s not like I expect Trakt to reverse this change. Best we can hope for is an actual notification to users via email, website/app banners, EVERYWHERE! that the sign-in flow WILL change with a link to the announcement thread (New Sign-In Flow)

Would I rather see 2FA and passkey support added here instead? Absolutely. But Trakt has recently shown no inclination to hear and respond to actual feedback, so I will not expect it.

8 Likes

Are username/password logins broken right now?

I’m 100% sure my credentials (from 1Password) are correct, but Trakt no longer accepts them and forces me to use Magic Links instead… :cry:

2 Likes

Username+password still works for me. Remember to use your email address as the username (that was also changed a while ago).

1 Like

They work again for me as well (same data from 1Password as earlier today).

Please! No magic links… keep username/password but add 2fa instead.

5 Likes

Sadly, I have noticed they do not listen to user feedback recently, so I think we are doomed…

1 Like

Well, if that's true, GG Trakt in that case; never listening to customers isn't a great sign.

4 Likes

The sign in flow will keep the standard email form while we continue to evaluate this change. The support post was just a heads up, but it hasn’t actually been changed yet.

What is this “magic” sign in?

We previously had a “magic link” which can email you a sign in link. Basically a quick way of signing in if you don’t know your password.

This new update adds a “magic code” which emails a code you can copy and paste into the website. This flow is especially nice for apps (Trakt and 3rd party) since the “magic link” would lose context and not redirect back to the app. With the “magic code”, you’re still inside the app and able to sign in without knowing your password.

Trakt Lite

We will use the flow without the email form in Trakt Lite soon. Since this is a new playground of sorts, we're able to experiment with things a bit differently and gather feedback.

Signing in

If you're using Trakt normally, the website and apps will keep you signed in pretty much indefinitely (auth is automatically handled and refreshed behind the scenes for you).

Based on the replies here, it seems like some of you are signing in a lot. I’m curious how often you are signing in? Is there a reason you don’t want to stay automatically signed in on the apps and website?

Passkeys or 2FA

We are planning to look into passkeys. No guarantees that is what we end up doing, but we will research it more.

Other

FYI, I'm marking this as the solution so it shows up in the main post for better context. Happy to continue the discussion, but it seems like there is some confusion that this change will somehow force sign ins more regularly. For most people it will not change their day to day use of Trakt or the apps.

5 Likes
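The staff reply above describes the "magic code" flow (email a short code, user pastes it back, no password involved) but not how such a code should be handled server-side. The following is an added example written for this thread, not Trakt's code and not based on any knowledge of their implementation. It assumes a hypothetical design: 8-digit codes, a 10-minute lifetime, single use, a cap of 5 wrong guesses, codes bound to the requesting email and client, and only an HMAC of the code stored so a leaked table row cannot be redeemed.

```python
"""Added example (not Trakt's code): minimal server-side "magic code" issuance
and redemption with the protections a practitioner would expect.

Hypothetical design assumptions (not from the thread):
- 8 numeric digits, valid for 600 s, single use, at most 5 wrong guesses;
- the code is bound to the email address and the requesting client id;
- only an HMAC of the code is stored, never the code itself.
"""
import hashlib
import hmac
import secrets
import time

CODE_LEN = 8
TTL_SECONDS = 600
MAX_ATTEMPTS = 5


class MagicCodeStore:
    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret      # server-side HMAC key
        self._now = now                   # injectable clock for testing
        self._pending = {}                # email -> pending record

    def _digest(self, email: str, client_id: str, code: str) -> bytes:
        # Bind the code to email and client so a code mailed for one app
        # cannot be redeemed from another context.
        msg = f"{email.lower()}|{client_id}|{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, email: str, client_id: str) -> str:
        """Create a fresh code. The returned string goes only into the email;
        the store keeps just its digest, expiry and attempt counter."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
        self._pending[email.lower()] = {
            "digest": self._digest(email, client_id, code),
            "expires": self._now() + TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def redeem(self, email: str, client_id: str, code: str) -> bool:
        """Return True once for a correct, unexpired code; otherwise False."""
        key = email.lower()
        rec = self._pending.get(key)
        if rec is None:
            return False
        if self._now() > rec["expires"]:
            del self._pending[key]        # expired: discard
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]        # too many guesses: invalidate
            return False
        ok = hmac.compare_digest(rec["digest"], self._digest(email, client_id, code))
        if ok:
            del self._pending[key]        # single use
        return ok


if __name__ == "__main__":
    store = MagicCodeStore(secrets.token_bytes(32))
    code = store.issue("user@example.com", "trakt-app")
    print("mailed code:", code)
    print("redeem once:", store.redeem("user@example.com", "trakt-app", code))
    print("replay:", store.redeem("user@example.com", "trakt-app", code))
```

The design choice worth noting is that an 8-digit code is only safe because guesses are capped and the code is short-lived; without the attempt counter, an attacker who knows a victim's email could brute-force a pending code at roughly 10^8 tries, which is feasible against a site with no rate limiting.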

Personally I don’t sign in a lot, hahaha
(can you check those records, I’m curious)

Just when I have a new device, or new browser, or do a clean install periodically (I’ve neglected that actually).

I don’t sign in often either but I don’t like using google or apple in the sign in process.

3 Likes

I usually let browsers remove all cookies at exit.

6 Likes

I’m very curious as to what will happen to users who aren’t even registered to the site with a Google or Apple account, like myself.

Also I don’t think I’ve ever seen a company intentionally self-destruct the way this one has. I don’t even use the service anymore - I’m just here to watch the show.

1 Like

You sign in using email.

Great, I just disconnected my Google account to make sure I won’t have to use it for auth.

The site didn’t show me which account it was. If the account I used to use for Google Drive backups… my university killed that off last month anyway, so I could have been locked out :scream:

1 Like

I’m a bit late to this thread but also want to throw in my vote to keep the original login credentials! There is no reason I need my email inbox cluttered with more one-time codes. As stated by OP “Do not punish users who are able to manage their credentials.” This perfectly summarizes the issue. Yes, I realize we don’t actually have to login through Google or Apple and can use any email, but it’s the principle of it. There is no issue with the current login structure as it is. It shouldn’t matter that we may not need to manually login frequently. All these recent changes have been overwhelming negative and it’s disappointing to see.

7 Likes

Totorial says:

May I ask how? Instead of a single sign-in step, this makes it at least a 5-step process:

  1. Enter your email on Trakt
  2. Get to your email client
  3. login to your email
  4. Find the email
  5. Copy the code
  6. Get back to Trakt
  7. Enter/Paste the code

Also, none of the three options (Magic, Google, Apple) give more security or any advantage at all, especially if using email aliases to keep every service separate and not tied to a single point of failure.

Also, consider the possibility that EU residents might not be able to fully/safely/securely use Google and/or Apple services in the near future.

IMHO this is a terrible decision to even consider removal of normal login. Just 2FA implementation would be enough

13 Likes

I don't like this either. I take good care of my account with a password manager (KeePassXC on Linux and KeePassium on iOS) and always enable 2FA whenever the site supports it.

Magic links are bad. It would punish users like me. In fact, it would punish every user, since now all an attacker would need is access to your email account (be it from knowing your email credentials or just stealing your session). Anyone who has access to your email can now access your Trakt account.

Whereas with the normal login, they would still need your Trakt password to access your account. (Yes, they could just request a password reset to the email address, but that’s assuming your email is already compromised)

The best option would be to implement simple TOTP 2FA. It’s everywhere now. I wish Trakt also had it. Please, do not force everyone to use magic links, instead make it optional and keep the old email+password process. And please consider adding TOTP 2FA support on top of it. In my password manager, currently Trakt is one of the few sites left not supporting TOTP 2FA.

Maybe in the future, you guys could look into supporting hardware keys like Yubikeys and even passkeys. But please don’t force magic links on us.

On the other hand, this also doesn’t make logging in as seamless as some think. Most people just type their email and password then log in. Others (like me) just copy paste their credentials from a password manager. But with magic links, if you’re not already logged into your email account, first you have to open a new tab or Thunderbird or pick up your phone, log in to your account (maybe your email has 2FA, so you have to enter that too, maybe from another authenticator app), check the mail, go back to Trakt, enter the code, and only then you’re done.

And yes, like others here, I login frequently too. I don’t clear my cookies on exit like some, but I do clear them occasionally. My email isn’t logged into most of the time, but my password manager is always very easy and fast for me to access. Having to first sign into my email just to sign into Trakt is worse imo.

It just shifts the responsibility of account security to another party and makes it both less secure and tedious to log in imo.

Compartmentalization is the best approach to security, but not like this. Password manager, 2FA, hardware keys, passkeys. They should be top priority, not magic links.

Edit: Also, this forum for Trakt is running on Discourse 3.5.0.beta4, and I know for a fact (as I use other forums that use Discourse, some much older than this version) that Discourse supports TOTP 2FA. But not here. Maybe it’s intentionally disabled so it can use the same session cookie as the website? I’m just guessing.

3 Likes
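The post above asks for TOTP 2FA. Since the thread never shows what that involves, here is an added example (written for this thread, not Trakt's or Discourse's code) of RFC 6238 TOTP verification as a site would run it: HOTP over a time counter, a configurable window of adjacent steps to absorb clock drift, and rejection of any counter at or below the last accepted one so a code observed over the user's shoulder cannot be replayed inside its 30-second step. Names such as `TotpVerifier` are this example's own.

```python
"""Added example (not Trakt's or Discourse's code): RFC 6238 TOTP verification
with a drift window and replay protection.

Assumptions: SHA-1 HMAC, 30-second steps and 6 digits (the common defaults);
the verifier tracks the last accepted counter per user, which in a real
deployment would be persisted alongside the user's secret.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    def __init__(self, base32_secret: str, step: int = 30, window: int = 1,
                 digits: int = 6, now=time.time):
        # Authenticator apps are provisioned with a base32 secret; re-pad it
        # because many apps/QR payloads strip the '=' padding.
        padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
        self._secret = base64.b32decode(padded)
        self._step = step
        self._window = window
        self._digits = digits
        self._now = now
        self._last_counter = -1          # highest counter accepted so far

    def verify(self, code: str) -> bool:
        """Accept a code for the current step or +/- `window` steps, once."""
        if not (code.isdigit() and len(code) == self._digits):
            return False
        counter = int(self._now()) // self._step
        for delta in range(-self._window, self._window + 1):
            c = counter + delta
            if c <= self._last_counter:
                continue                 # already used, or older than last use
            if hmac.compare_digest(hotp(self._secret, c, self._digits), code):
                self._last_counter = c   # burn this step and everything before it
                return True
        return False


if __name__ == "__main__":
    # Base32 of the RFC 6238 test secret "12345678901234567890".
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    v = TotpVerifier(demo_secret)
    print("current code:", totp(base64.b32decode(demo_secret), time.time()))
    print("verify bogus:", v.verify("000000"))
```

The replay guard is the part most home-grown implementations omit: RFC 6238 only requires checking a window, but a code that was already accepted must not work a second time within the same step, and the window must not let an attacker fall back to a counter the user has already moved past.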

The future is now:

(World Password Day has been replaced by World Passkey Day this year)

1 Like

Bro I hate magic links! Please don’t force us to use that or Google. I’d rather open a 2FA app than my email.

In fact, I’d rather open my 2FA app multiple times per login than to open my email just once.

1 Like