Magic links provide a way for users to authenticate without a password (also known as "passwordless authentication", which we discussed a few weeks ago).
The entire authentication process with a magic link involves the user providing their email and then clicking on said “magic link” to log in.
The truth is that more than 60% of users admit to having reused passwords in some way.
Humans just can’t remember hundreds of strong passwords.
That’s why we’ll delve into how magic links work, on a technical level, review the security implications of using them and discuss how they improve the customer experience.
What are Magic Links and How do they Work?
Magic links are time-limited and unique, meaning they are not valid after a certain time, for security reasons. Magic links are a method of authenticating users online and can be used in a passwordless system or multi-factor authentication system.
A magic link is a URL with an embedded token, sent via email (or sometimes SMS), which the user opens instead of entering login credentials.
Once the user clicks that link to authenticate, they are redirected to the application or system already logged in, as if they had used a "magic" password, but without any actual password.
As many organizations move beyond password-based authentication, magic logins are emerging as a popular method of consumer authentication, adopted according to each enterprise's risk appetite.
Whether users need a magic link from Slack, a magic link from Tumblr, or a way to easily access their apps and services, magic login frees them from remembering a long list of passwords.
Magic Links are similar to setting up a One Time Password (OTP) for authentication and follow the same flow as a “Forgotten Password” workflow.
At a high level, it goes like this: a user gives an app an email address and then clicks the magic link that is sent to their email, and voilà, they’re connected.
From the end user’s point of view, a magic link appears magical. But really, it only uses tokens and hash functions. Let’s take a look from a technical point of view.
- A user visits an application or a website.
- The website asks for the user’s email address.
- The user enters their email address.
- The app generates a token for the magic link and forms the magic link.
- The application sends the URL of the magic link to the user’s email.
- The application receives the query at the endpoint of the magic link.
If no matching user is found, the request is not authenticated and nothing else happens. This step helps stop attackers in their tracks. How? It is widely argued that error messages which differ for known and unknown addresses give attackers clues as to who does and does not have an account on the system, so the application should respond the same way in both cases.
Developers can configure whether the link remains valid for set time intervals or for the life cycle of the user’s session.
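As an added illustration (not code from the original article), the following Python sketch implements the issue-and-redeem flow listed above. The in-memory user and token tables, the app.example.com endpoint, the 15-minute lifetime and the choice to consume each link on first use are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: links expire after 15 minutes

# Constructed stand-in for the user table: email -> user id.
USERS: Dict[str, int] = {"alice@example.com": 1}

# Pending links keyed by the SHA-256 hash of the token, never the raw token,
# so a leaked copy of this table cannot be turned into a working login link.
PENDING: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_magic_link(email: str, now: Optional[float] = None) -> Optional[str]:
    """Return the URL to email to the user, or None if the address is unknown.

    The HTTP layer should show the same 'check your inbox' message in both
    cases so that the response does not reveal which addresses have accounts.
    """
    now = time.time() if now is None else now
    user_id = USERS.get(email.strip().lower())
    if user_id is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
    PENDING[_hash_token(token)] = {"user_id": user_id,
                                   "expires": now + TOKEN_TTL_SECONDS}
    return f"https://app.example.com/auth/magic?token={token}"  # hypothetical endpoint


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user id if the link is valid, otherwise None.

    The record is removed on lookup, so a link works at most once, and an
    expired link is rejected even though it was removed from the table.
    """
    now = time.time() if now is None else now
    record = PENDING.pop(_hash_token(token), None)
    if record is None or now > record["expires"]:
        return None
    return record["user_id"]
```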
Magic Links Pros vs. Cons
Are Magic Links safe?
Well, it has been proven that organizations that implement magic links benefit in various ways. For example…
- Simple implementation and use of authentication. Since magic links follow a nearly identical flow to password resets, implementing them means making minor tweaks to your code at no additional cost.
- Users just need to enter their email addresses and click the magic link to sign up for an app, providing a simple and engaging onboarding process.
- By exchanging passwords for magic links, organizations experience reduced administrative overhead, spend less time dealing with failed login security alerts, and no longer need to act on new password requests.
- A positive experience with the “magic” password login process can encourage users to continue using your app. Magic links allow you to build loyalty and a returning fan base.
- Simplifying the login process at checkout means you’ll have fewer customers abandoning their purchases, opening the door to more conversions on both web and mobile.
- Each set of weak or recycled credentials opens a window for attacks on your organization. By not having a password, you reduce the risk of account takeovers and data breaches through compromised credentials.
From a developer’s perspective, magic links are a very attractive form of user authentication.
There’s no additional hardware to buy and hardly any new code to write if you already have a “Forgot Password” workflow.
Unfortunately, they are not as secure as other forms of authentication, because much of the responsibility for security rests with the user and the user's email provider.
But don’t worry, the security around magic links isn’t all that bad.
Weak and reused passwords cause serious security issues that lead to account breaches. With no password to guess, attackers cannot brute-force one or use it to impersonate a customer.