#22202 Feature request -> Autologin via unique e-mail link

Posted in ‘Akeeba Ticket System for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Ticket System version
n/a

Latest post by redmarakeebapro on Thursday, 05 March 2015 16:01 CST

redmarakeebapro
It would be great if there was an option to include a special link in the email for the user on which users can click so that they are automatically logged in and they can directly reply on the ticket. A lot of systems use this kind of unique strings: www.example.com/585465547eg5415841fs54123

The reason we would like to have this system is because our users constantly forget their login codes ;)

nicholas
Akeeba Staff
Manager
I had already thought about that, in both Admin Tools and Akeeba Ticket System context. It sounds like a great idea... until you realise the security model is non-existent.

It all comes down to how email works. It's not like sending a letter. Letters are in envelopes and it's obvious if someone read it in transit ('50s spy-movie steam trickery notwithstanding). Email is more like sending a postcard. The content is visible to anyone who can get their hands on the postcard. Putting a login link in an email makes it possible for a man-in-the-middle attack where an attacker intercepts the email anywhere between your server and the user's computer. That's why you're told you should never send passwords over email. And what you're asking is, essentially, sending a password over email. Bad idea :)

If someone got the code they would be immediately logged in to the Joomla! site as that particular user. They could just ignore the ticket reply page and go to any other page protected behind a user login. This includes the My Tickets page where they can read older tickets. People tend to put their login credentials in tickets, so you see how bad this can get.

The best compromise is allowing replies through email, as described in our documentation. Granted, a malicious attacker COULD spoof the email and impersonate another user in the reply but at least they won't be able to get access to privileged information.

Another suggestion is putting a "Forgot my username" and "Forgot my password" link in the footer (or, better, the header!) of the emails sent out to users. Most of them are oblivious to the existence of these links unless you point it out to them.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

redmarakeebapro
Hi Nicholas,

I totally agree with your answer. However, if the email is compromised by a MITM attack the 'bad guys' can also use this to reset the password in Joomla via the reset link, which is also delivered by email...

You could limit the time the unique login link is valid (as commonly used for password request links) for like 2 days. If users want to login after this period they should go to the site and fill their email address for a new link.

For highly sensitive sites 2 factor would be a (future) option:
1. User gets link
2. User receives a SMS with a short code
3. User clicks on link, enters code and they're in

This is perhaps a bit too much for a ticketing system, but I'm curious what you think of the MITM problem with 'Forgot my password' links sent via email.

nicholas
Akeeba Staff
Manager
You could limit the time the unique login link is valid (as commonly used for password request links) for like 2 days. If users want to login after this period they should go to the site and fill their email address for a new link.


So, within these 2 days the attacker has the opportunity to compromise the account. And how exactly is that a good thing? FWIW, I'd thought of making the link valid for 24 hours and expire it upon first use. But it's still the same problem.

For highly sensitive sites 2 factor would be a (future) option


In an ideal world the user would have a YubiKey and this whole conversation would be redundant. Plus, something you physically own is much more secure than something sent to you unencrypted over the ether, be it an email or SMS.

I'm curious what you think of the MITM problem with 'Forgot my password' links sent via email.


Equally bad for security, but you can't fix stupid (and I admit that I've been one of those stupid people forgetting my password myself, before I started using 1Password).

This is where Two Factor Authentication comes into play. Sure, someone can reset my password. But I'll eat my hat if they can log in to my site because doing so requires them to be in physical possession of my YubiKey, a secure hardware token. The attack is still theoretically possible, but much, MUCH harder to accomplish.

This is the whole concept of security: make it as hard as possible to be successfully attacked. Castles could be besieged and ultimately fall but it took far more resources than taking over a straw and mud hut.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

redmarakeebapro
Hi Nicholas,
Same here with the 2 factor; in the meantime we have to keep 'educating' our users with basic tips: don't use the same password for every account, don't save your passwords in the browser, etc. ;)

Thanks for your thoughts on this subject!
