Would you like to know what magic links are?
In a perfect world no passwords would need to be remembered: you could log in in a second with one click. That would be pretty awesome, right? Fortunately, there is a new approach that eases the login process: magic links. Read further to see what these magical links are, how they work, whether they improve the user experience, and whether or not they are secure.
What are magic links?
Magic links were invented to provide passwordless or multi-factor authentication. Instead of filling in a username/email and password combination, you only need to enter your email address. You then receive a link by email, and by clicking it you are automatically authenticated.
Magic links are specific URLs with an embedded token that authorize users to sign up or log in, or even to authorize online payments. They are unique and have a short lifetime for security reasons.
Now let’s see how magic links work, check their pros and cons, and analyse whether they are safe enough.
How do magic links work?
The process can be defined as three simple steps:
- The user enters their email address.
- The user receives an email with a magic link, if he/she is registered on that site.
- The user clicks on the magic link and gets authenticated.
Clicking the link sets a cookie that keeps the person logged in for the session duration.
This flow is similar to the password-reset process, in which the user receives a specific link that enables them to update their password.
Are they safe?
Using magic links, security is strongly tied to the user’s email account. You might think passwords provide very secure authentication. Do they though? Well, yes, if you use a different strong password on each site and you use a password manager. Are you using a password manager? Most users don’t even know what those are or how they work. Most users write down their passwords in notebooks or digital documents, or even stick a note on the edge of their screen. So if you take these facts into consideration, you might say that magic links are waaay more secure.
Imagine that someone manages to log into your email account. This way he/she can easily reset your password and so hack your account. Basically, the email account is the key in both cases, so magic links cannot be less secure than passwords. On the other hand, if the email provider is not so reliable, then magic links are not the most secure way of authentication.
User experience
What would you choose? Typing in your complicated password every time, or typing in your email (which you know by heart) and then clicking a link? Let’s say you chose the second option. Of course, because that is a really simple and intuitive way of authentication.
Dealing with registering and logging in is a big pain point for most users. Passwords need to meet complexity rules, they have to be remembered, and they should differ between sites. If account creation is easy, more customers are willing to sign up.
The decision ain’t easy, let’s see the pros and cons of magic links
The benefits of magic links are:
- Simple, fast authentication.
- No need to remember complex passwords.
- Familiar, intuitive user experience.
- Easy implementation.
- They work across devices: laptop, tablet, smartphone, desktop.
There are several advantages of magic links that ease our life, but let’s not forget the drawbacks either:
- Security is strongly tied to the user’s email account.
- Admins have no control over link sharing.
- Susceptible to interception attacks (e.g. man-in-the-middle) while the link is in transit.
A real life example
Slack is one of the most well-known examples that uses magic links. Yes, I’ve tried it, and now I share my screenshots with you. It was simple, easy to follow and fast.
Implementation
For the developer readers, here is an implementation example in pseudocode. The expiry check and the single-use invalidation follow from the "short lifetime" requirement stated above:
Magic link creation
BEGIN
    SET token = cryptographically random string
    save token to database together with the user and an expiry time
    SET magic link = https://www.{{domain}}.com?token={{token}}
    send email to user containing the magic link
END
Action when user clicked on the magic link
BEGIN
    SET token = get the token from query parameters
    SET user = find corresponding DB entry based on token
    IF user AND token not expired
        invalidate the token so the link cannot be reused
        authenticate the user
    ENDIF
END
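The three-step flow from "How do magic links work?" and the pseudocode above, carried through as a complete Python example. This is an added illustration, not code from the original article or from any product it mentions; the in-memory dictionary standing in for the database, the 15-minute lifetime, the example.com domain and the function names are all assumptions. It shows the two properties the pseudocode only hints at: the stored value is a hash of the token (so a leaked table does not yield working links), and a token is rejected once it has been used or has expired, so a captured link cannot be replayed.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical in-memory table standing in for the database in the pseudocode.
# Keyed by SHA-256(token) so the raw token never rests on disk.
TOKEN_STORE: Dict[str, dict] = {}

# Assumed short lifetime; the article only says "short", 15 minutes is a common choice.
TOKEN_TTL_SECONDS = 15 * 60


def _hash_token(token: str) -> str:
    # Lookup happens on the digest, so a timing difference in the dict/string
    # comparison would only reveal digest bytes, which cannot be inverted to a token.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_magic_link(email: str, domain: str = "example.com",
                      now: Optional[float] = None) -> str:
    """Step 1-2: mint an unguessable token, store its hash with an expiry, build the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    TOKEN_STORE[_hash_token(token)] = {
        "email": email,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    # Mirrors the pseudocode's URL shape; the mail-sending step is left to the caller.
    return f"https://www.{domain}?token={token}"


def token_from_url(url: str) -> Optional[str]:
    """Extract the token from the query string, as the click handler would."""
    values = parse_qs(urlparse(url).query).get("token")
    return values[0] if values else None


def consume_magic_link(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Step 3: return the authenticated email, or None if the token is unknown,
    expired or already used. Marking it used makes every link single-use."""
    if token is None:
        return None
    now = time.time() if now is None else now
    entry = TOKEN_STORE.get(_hash_token(token))
    if entry is None or entry["used"] or now > entry["expires_at"]:
        return None
    entry["used"] = True
    return entry["email"]


def demo() -> dict:
    """Run the flow against a fixed clock so the outcome is deterministic."""
    TOKEN_STORE.clear()
    t0 = 1_700_000_000.0  # constructed timestamp
    link = create_magic_link("alice@example.com", now=t0)
    token = token_from_url(link)
    first = consume_magic_link(token, now=t0 + 60)        # genuine click within lifetime
    replay = consume_magic_link(token, now=t0 + 61)       # same link presented again
    stale = create_magic_link("bob@example.com", now=t0)
    expired = consume_magic_link(token_from_url(stale), now=t0 + TOKEN_TTL_SECONDS + 1)
    forged = consume_magic_link("not-a-real-token", now=t0)
    return {"link_prefix": link.split("?")[0], "first": first,
            "replay": replay, "expired": expired, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

Only the first click authenticates; the replayed, expired and forged tokens all come back as None. In a real deployment the dictionary would be a database row tied to the user record, and the handler would also set the session cookie mentioned earlier in the article.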
Summing up
Now you know that magic links are not such mysterious, spooky things. They are pretty practical and, thanks to their simplicity, could be the authentication method of the future. Would you use them? Or would you stick to the well-tried password-based authentication?