Please don't force us to log in using Apple/Google or "magic links"

Great, I just disconnected my Google account to make sure I won’t have to use it for auth.

The site didn’t show me which account it was. If the account I used to use for Google Drive backups… my university killed that off last month anyway, so I could have been locked out :scream:

1 Like

I’m a bit late to this thread but also want to throw in my vote to keep the original login credentials! There is no reason I need my email inbox cluttered with more one-time codes. As stated by OP “Do not punish users who are able to manage their credentials.” This perfectly summarizes the issue. Yes, I realize we don’t actually have to log in through Google or Apple and can use any email, but it’s the principle of it. There is no issue with the current login structure as it is. It shouldn’t matter that we may not need to manually log in frequently. All these recent changes have been overwhelmingly negative and it’s disappointing to see.

7 Likes

Totorial says:

May I ask how? Instead of a single sign-in step, this makes it at least a 5-step process:

  1. Enter your email on Trakt
  2. Get to your email client
  3. Log in to your email
  4. Find the email
  5. Copy the code
  6. Get back to Trakt
  7. Enter/Paste the code

Also, none of the three options (Magic, Google, Apple) give more security or any advantage at all. Especially if using email aliases to keep every service separate and not tied to a single point of failure.

Also, consider the possibility that EU residents might not be able to fully/safely/securely use Google and/or Apple services in the near future.

IMHO this is a terrible decision to even consider removal of normal login. Just 2FA implementation would be enough.

13 Likes

I don’t like this either. I take good care of my account with a password manager (KeePassXC on Linux and KeePassium on iOS) and always enable 2FA whenever the site supports it.

Magic links are bad. It would punish users like me. In fact, it would punish every user. Since now, all an attacker would need is access to your email account (be it from knowing your email credentials or just stealing your session). Anyone who has access to your email can now access your Trakt account.

Whereas with the normal login, they would still need your Trakt password to access your account. (Yes, they could just request a password reset to the email address, but that’s assuming your email is already compromised)

The best option would be to implement simple TOTP 2FA. It’s everywhere now. I wish Trakt also had it. Please, do not force everyone to use magic links, instead make it optional and keep the old email+password process. And please consider adding TOTP 2FA support on top of it. In my password manager, currently Trakt is one of the few sites left not supporting TOTP 2FA.

Maybe in the future, you guys could look into supporting hardware keys like Yubikeys and even passkeys. But please don’t force magic links on us.

On the other hand, this also doesn’t make logging in as seamless as some think. Most people just type their email and password then log in. Others (like me) just copy paste their credentials from a password manager. But with magic links, if you’re not already logged into your email account, first you have to open a new tab or Thunderbird or pick up your phone, log in to your account (maybe your email has 2FA, so you have to enter that too, maybe from another authenticator app), check the mail, go back to Trakt, enter the code, and only then you’re done.

And yes, like others here, I log in frequently too. I don’t clear my cookies on exit like some, but I do clear them occasionally. My email isn’t logged into most of the time, but my password manager is always very easy and fast for me to access. Having to first sign into my email just to sign into Trakt is worse imo.

It just shifts the responsibility of account security to another party and makes it both less secure and tedious to log in imo.

Compartmentalization is the best approach to security, but not like this. Password manager, 2FA, hardware keys, passkeys. They should be top priority, not magic links.

Edit: Also, this forum for Trakt is running on Discourse 3.5.0.beta4, and I know for a fact (as I use other forums that use Discourse, some much older than this version) that Discourse supports TOTP 2FA. But not here. Maybe it’s intentionally disabled so it can use the same session cookie as the website? I’m just guessing.

3 Likes

The future is now:

(World Password Day has been replaced by World Passkey Day this year)

1 Like