Would you like to know what magic links are?

 

In a perfect world, there would be no passwords to remember, and you could log in within a second with a single click. That would be pretty awesome, right? Fortunately, there is a new approach that eases the login process: magic links. Read on to see what these magical links are, how they work, whether they improve the user experience, and whether they are secure.

 

What are magic links?

 

Magic links were invented to provide passwordless or multi-factor authentication. Instead of filling in a username/email and password combination, you only need to enter your email address. You then receive a link by email, and clicking it authenticates you automatically.

Magic links are specific URLs with an embedded token that authorize users to sign up or log in, or even authorize online payments. They are unique and have a short lifetime for security reasons.

Now let’s see how magic links work, check their pros and cons, and analyse whether they are safe enough.

 

How do magic links work?

 

The process can be defined as three simple steps:

  1. The user enters their email address.
  2. The user receives an email with a magic link, if they are registered on that site.
  3. The user clicks on the magic link and gets authenticated.

Clicking the link sets a cookie that keeps the person logged in for the session duration.

This flow is similar to the password-reset process, in which the user receives a specific link that enables them to update their password.

 

Security

 

User experience

 

What would you choose: typing in your complicated password every time, or typing in your email (which you know by heart) and then clicking a link? Let’s say you chose the second option. Of course, because that is a really simple and intuitive way to authenticate.

Dealing with registration and login is a big pain point for most users. Passwords need to meet certain restrictions, they have to be remembered, and they should also differ between sites. If account creation is easy, more customers are willing to sign up.

 

The decision ain’t easy: let’s see the pros and cons of magic links

 

 

A real life example

 

Slack is one of the most well-known examples that uses magic links. Yes, I’ve tried it, and now I share my screenshots with you. It was simple, easy to follow and fast.

 

 

As you can see, they even use an eye-catching magic wand, which helps increase the user’s curiosity. Furthermore, they provide a button that automatically opens the email app on your phone. Go ahead, try it!

 

Implementation

 

For developer readers, here is an implementation example in pseudocode:

 

Magic link creation

BEGIN
    SET token = random string
    save token to database
    SET magic link = https://www.{{domain}}.com?token={{token}}
    send email to user containing the magic link
END

 

Action when user clicked on the magic link

BEGIN
    SET token = get the token from query parameters
    SET user = find corresponding DB entry based on token
    IF user
        authenticate the user
    ENDIF
END
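
As an added example (not code from the original article), here is one way to write the two pseudocode routines above in Python so that the token is unguessable, short-lived and single-use. The in-memory store, the example.com URL and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

TOKEN_TTL_SECONDS = 15 * 60                  # assumed; the article only says "short"
BASE_URL = "https://www.example.com/login"   # placeholder domain

class MagicLinkStore:
    """In-memory stand-in for the article's token database (hypothetical)."""

    def __init__(self, registered_emails, clock=time.time):
        self._users = set(registered_emails)
        self._pending = {}            # sha256(token) -> (email, expires_at)
        self._clock = clock           # injectable so expiry can be tested

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def create_link(self, email):
        """Return the magic link to e-mail, or None for unknown addresses."""
        if email not in self._users:
            return None               # caller shows the same page either way
        token = secrets.token_urlsafe(32)     # 32 random bytes from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        return BASE_URL + "?" + urlencode({"token": token})

    def redeem(self, url):
        """Return the authenticated e-mail, or None if the link is invalid."""
        values = parse_qs(urlparse(url).query).get("token", [])
        if len(values) != 1:
            return None               # missing or duplicated token parameter
        # pop() makes the token single-use: a replayed link finds nothing.
        entry = self._pending.pop(self._digest(values[0]), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None               # expired; pop() already removed it
        return email
```

On a successful `redeem`, the caller would then set the session cookie described earlier.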

 

Summing up

Now you know that magic links are not so mysterious, spooky things. They are pretty practical and can be the future authentication method thanks to their simplicity. Would you use them? Or would you stick to the well-tried password-based authentication?
