
Are Magic Links Outdated?

135 points, by mffap, almost 3 years ago

37 comments

robrobrobrob, almost 3 years ago
MagicLinks are a mobile nightmare. Mobile email clients use their own browser and cookie jar which consume the session cookie you're trying to put into the user's main browser. This results in users 'never staying signed in' and a lot of frustration.

Sending a one-time code via email fixes this, and is in practice about as easy to use as a link on desktop.

In our app (Loomio) we default to magic/codes, but let users use passwords if they prefer.
joshstrange, almost 3 years ago
A totally unbiased article for sure /s

These guys sell an auth/login system, it's no surprise they are anti-magic-links.

I understand the annoyances for the more tech-minded among us, myself included, but I've implemented this before and for your average user it's a pretty good system. With Universal Links/App Links you sidestep a number of the issues with email clients having their own in-app browser. Also this makes your signup/signin process the same flow (and only 1 step) which is easier for people who aren't as technically minded.

I used this method for a food festival (you buy the festival's currency to spend on food/drinks, it's just a digital version of the paper/ticket/token-systems a lot of festivals use) and we only had 1-2 people who had issues (email took a few minutes to get to them for some reason) out of thousands.

It's all about knowing your customer base, in the future I might implement the ability to set a password but I'd bet the number of people who use that option will be vanishingly small (again, based on the demographics of people using my platform).
clement_b, almost 3 years ago
I hate them. Force me to go to my mailbox while I have a good password manager and just want to use that instead. I get the idea, but this should be an alternative, not a default. Also sends loads of single use emails that will remain forever in users' mailboxes.
sborsje, almost 3 years ago
There's a near-infinite amount of not-so-small gotchas when implementing magic links:

- If magic links are the only way to sign in, authentication success rate is now directly tied to your email deliverability rate.

- Single-use tokens (immediately expiring after clicking) can be followed by spam filters, and thus immediately become invalid for the actual user trying to sign in.

- MTAs using greylisting can cause unexpected delays in email delivery.

- If a session audit trail is implemented, malware scanners following links might cause sessions from unexpected locations showing up.

etc.
Spooky23, almost 3 years ago
Magic links are great for low trust model applications where the user is required to use the app but is a limited stakeholder.

Case in point: SportSignUp, which is a platform/app that allows you to manage your little league/basketball/soccer team, etc.

The use cases for parents are basically figuring out where games/practices are, telling coaches that they will be/not be there, checking scores, and signing up to volunteer for various tasks.

Life is complex. You have non-custodial parents, nannies, older siblings, etc. helping out. The easiest path is to send the magic link to the family text group.
mojuba, almost 3 years ago
Another relatively new problem with magic links specifically on mobile is that your email client will likely open the link in an embedded browser which is typically isolated from the main browser app and doesn't share the cookies with it.

There are some workarounds for this but they don't seem very secure, plus they add some complexity. E.g. once the backend validates the magic link click, it logs the user in also in the browser that initiated the email send. I think a sort of a phishing attack is possible here. Also the page that initiated it should periodically refresh itself to see if the session was validated somewhere else.

I haven't been able to find any more secure or simpler solutions to this problem. Any thoughts?
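The cross-device flow discussed in the comment above (link opened in one browser, session wanted in another) can be built so that clicking the link never logs anyone in by itself. The sketch below is an added example written for this thread, not code from any poster or product: the browser that requests the email keeps a secret and polls; the device that opens the link sees a short check value (also shown on the originating screen) and must explicitly approve; the session is then released only to the holder of the originating secret. Function names, the in-memory dicts and the check-value idea are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

REQUEST_TTL_SECONDS = 10 * 60

# In-memory stand-ins for database tables (constructed for this example).
_requests: Dict[str, dict] = {}   # request_id -> pending login record
_by_link: Dict[str, str] = {}     # sha256(link_token) -> request_id


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def start_login(email: str, now: Optional[float] = None) -> dict:
    """Called by the browser that asks for the email. It keeps browser_secret
    (an HttpOnly cookie) and displays `check`; link_token goes into the email."""
    now = time.time() if now is None else now
    request_id = secrets.token_urlsafe(16)
    browser_secret = secrets.token_urlsafe(32)
    link_token = secrets.token_urlsafe(32)
    check = f"{secrets.randbelow(10_000):04d}"  # short value shown on both devices
    _requests[request_id] = {
        "email": email,
        "browser_secret_hash": _h(browser_secret),
        "check": check,
        "approved": False,
        "expires": now + REQUEST_TTL_SECONDS,
    }
    _by_link[_h(link_token)] = request_id
    return {"request_id": request_id, "browser_secret": browser_secret,
            "link_token": link_token, "check": check}


def _lookup_link(link_token: str, now: float) -> Optional[dict]:
    request_id = _by_link.get(_h(link_token))
    record = _requests.get(request_id) if request_id else None
    if record is None or record["expires"] < now:
        return None
    return record


def open_link(link_token: str, now: Optional[float] = None) -> dict:
    """GET from whichever device opened the email: describe the request and
    show the check value. Nothing is approved yet, so prefetchers are harmless."""
    now = time.time() if now is None else now
    record = _lookup_link(link_token, now)
    if record is None:
        return {"status": 400}
    return {"status": 200, "email": record["email"], "check": record["check"]}


def approve_link(link_token: str, now: Optional[float] = None) -> dict:
    """POST from the approval page, after the user has confirmed that the
    check value matches the one on the screen that started the login."""
    now = time.time() if now is None else now
    record = _lookup_link(link_token, now)
    if record is None:
        return {"status": 400}
    record["approved"] = True
    del _by_link[_h(link_token)]  # the link is single use
    return {"status": 200}


def poll(request_id: str, browser_secret: str, now: Optional[float] = None) -> dict:
    """Polled by the originating browser. The session is handed out only to
    the holder of browser_secret, never to the device that clicked the link."""
    now = time.time() if now is None else now
    record = _requests.get(request_id)
    if record is None:
        return {"state": "unknown"}
    if record["expires"] < now:
        del _requests[request_id]
        return {"state": "expired"}
    if not hmac.compare_digest(record["browser_secret_hash"], _h(browser_secret)):
        return {"state": "denied"}
    if not record["approved"]:
        return {"state": "pending"}
    del _requests[request_id]  # one session per approval
    return {"state": "authenticated", "email": record["email"]}
```

The check value is what addresses the phishing worry raised above: if someone else started the login for your address, the value on the approval page will not match anything on your own screen, so you have a reason not to approve. Showing the request on GET and approving only on POST also keeps the link safe from mail scanners that fetch URLs.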
MrDunham, almost 3 years ago
> Email Security: ...Should someone gain access to another user's inbox, they simultaneously receive the keys to logging into profiles that run on magic links. Therefore, a single cyber-attack on your email could lead to unwanted activity on many of your utilized virtual services

This statement only partially covers the problem.

I once had a cofounder leave my company on bad terms. He had access to the bank accounts, I had email admin.

It took me 5 seconds to get full bank account access and lock him out with access to his email ("forgot password").

It's astounding how much of a skeleton key our inbox has become. This community doesn't need reminding, but our families do.
mooreds, almost 3 years ago
Another issue that I don't see covered here is that some email clients (looking at you, Outlook) pre-fetch links to see if they are security risks. If you build a magic link system which handles plain old GETs, the one time code gets used up before the user can actually log in.

We ran into this at FusionAuth and had to implement some workarounds, documented here: https://github.com/FusionAuth/fusionauth-issues/issues/629#issuecomment-832778247

Edit: https://news.ycombinator.com/item?id=32081192 mentions this and some other issues.
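Both the spam-filter gotcha listed by sborsje and the Outlook pre-fetch problem above come from the same design flaw: a GET that consumes the token. The following added example (written for this thread, not FusionAuth's code or anything from the linked issue) shows the usual fix: GET only renders a confirmation form, and only the POST from that form burns the one-time token. The in-memory token table, the `app.example` host and the function names are assumptions of this example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60

# token_hash -> {"email": str, "expires": float, "used": bool}
# In-memory stand-in for a database table (constructed for this example).
_tokens: Dict[str, dict] = {}


def _token_hash(token: str) -> str:
    # Only a hash is stored, so a leaked table cannot be replayed as live links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a one-time token and return the URL that would be emailed."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _tokens[_token_hash(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    # app.example is a placeholder host, not a real deployment.
    return f"https://app.example/login/verify?token={token}"


def token_from_url(url: str) -> str:
    """Pull the token query parameter back out of an issued link."""
    return parse_qs(urlparse(url).query)["token"][0]


def handle_verify(method: str, token: str, now: Optional[float] = None) -> dict:
    """Dispatch a request to /login/verify.

    GET  -> 200 with a confirmation form; the token is not consumed, so a
            mail scanner or link preview that fetches the URL changes nothing.
    POST -> consumes the token exactly once and returns the authenticated email.
    """
    now = time.time() if now is None else now
    record = _tokens.get(_token_hash(token))
    if record is None or record["used"] or record["expires"] < now:
        return {"status": 400, "body": "link invalid or expired"}
    if method == "GET":
        # The real page would embed the token in a <form method="post">.
        return {"status": 200, "body": "confirm-login-form"}
    if method == "POST":
        record["used"] = True
        return {"status": 200, "session_email": record["email"]}
    return {"status": 405, "body": "method not allowed"}
```

The cost is one extra click ("Confirm sign-in") for the user; the benefit is that any number of automated GETs, from spam filters, link previews or greylisting retries, leave the token intact until a human submits the form.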
capableweb, almost 3 years ago
Article fails to mention that "Magic Links" are not only possible via email, but any out-of-band method, so you could use WhatsApp, Telegram or IRC even. Obviously, the user is assumed to have a secure setup regarding whatever method you send the link via.

Which the "Email Security" section kind of hints at as well, that it's important users have a secure email setup. What they fail to mention is that this is important not only if you use "Magic Links" but also if you have username+password login with "Reset my password" functionality, as otherwise intruders will be able to change your password anyway.

In conclusion, the article seems to have been written with the goal of saying "Everyone is using Magic Links, how can we get them to use Zitadel (their product) instead?", rather than an honest look at how "Magic Links" can be made more secure.
pottertheotter, almost 3 years ago
One of my healthcare providers uses this and I abhor it. With their website I can see appointments, billing, etc., but instead of simply going to the website and logging in with 1Password, I have to go to the website, enter my email and click log in, switch to my email and wait for the email, open the email and click the link which takes me back to my browser.

It drives me nuts.
amacneil, almost 3 years ago
It is strange to me that both this article and commenters in this thread complain about "email security" as being a limitation of magic links, given that the vast majority of password authentication websites allow an email-based password reset flow. Magic links aren't any more or less secure than allowing email-based password reset.
Kiro, almost 3 years ago
I use Magic Links because I don't trust the security of my hobby app and don't want to deal with storing credentials.

What I would like is a service like Firebase or OAuth but that I communicate with through my backend. So a user sends in username/password to my server and I relay that to a service which returns a token or something. I've had too many issues with the Firebase front-end JS that I no longer trust it to handle the whole flow.

Anyone know a service like that? Basically just an API that is specialized in auth/security that I can outsource the data to without having to store it myself.
astura, almost 3 years ago
> Though no official record of the first use of this method seems to exist, research suggests that their concept dates to the early 2010s.

Early 2010s? Craigslist has been doing this since the 90s.
ethotool, almost 3 years ago
Somewhat related:

https://news.ycombinator.com/item?id=31892299

This is very, very concerning and makes "magic links" a security threat to any platform that utilizes them.
bradgessler, almost 3 years ago
I wrote a Rails plugin for magic links at https://github.com/rocketshipio/nopassword that doesn't suffer from many of the problems I'm seeing in the comments.

The big thing is I only use a 6 digit numerical code that people have to copy and paste or type into the browser which they're authenticating. I looked at stuffing a token into a URL, but it's not a good idea because the email client may try opening the link to preview it or it may try opening the link in the wrong app/browser, such as an in-app browser.

That may sound super insecure, but the 6 digit code is half the secret that's needed to authenticate. The browser that the person is using to login has a much longer complex secret that must be included with the code. Additionally, this combination must be authenticated within a set number of attempts, 3 by default, within a certain timeframe, 5 minutes by default.

My motivations for creating this, instead of using something like devise with passwords, is because I have seen soooooo many non-technical people get tripped up by passwords. I know there's sign-in with Google, MS, etc. via OAuth, but I wanted to give people a way to login to web applications without being under the watchful eye of big tech.

I'm currently using it in production for all of my Rails apps, like https://legiblenews.com/email_authentication/new

A better description of why and how it works at https://github.com/rocketshipio/nopassword
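The design described above (a short emailed code that is only half the secret, the other half a long value held by the requesting browser, with 3 attempts and a 5 minute window) is worth seeing end to end. The following is an added example written for this thread in Python, not the nopassword gem's Ruby code; the function names, the in-memory store and the hashing of stored values are this example's own choices.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 3
CODE_TTL_SECONDS = 5 * 60

# sha256(browser_secret) -> pending login record
# In-memory stand-in for a database table (constructed for this example).
_pending: Dict[str, dict] = {}


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def start_login(email: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Begin a login and return (browser_secret, code).

    browser_secret is set as an HttpOnly cookie on the requesting browser and
    code is emailed. Neither half is enough on its own: a code that leaks via
    a mail scanner or a shared inbox cannot be used from another browser.
    """
    now = time.time() if now is None else now
    browser_secret = secrets.token_urlsafe(32)
    code = f"{secrets.randbelow(1_000_000):06d}"
    _pending[_h(browser_secret)] = {
        "email": email,
        "code_hash": _h(code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return browser_secret, code


def verify_code(browser_secret: str, code: str, now: Optional[float] = None) -> dict:
    """Check a submitted code against the login pending for this browser."""
    now = time.time() if now is None else now
    key = _h(browser_secret)
    record = _pending.get(key)
    if record is None:
        # No login was started from this browser, so the code alone is useless.
        return {"ok": False, "reason": "no pending login"}
    if record["expires"] < now:
        del _pending[key]
        return {"ok": False, "reason": "expired"}
    record["attempts"] += 1
    if hmac.compare_digest(record["code_hash"], _h(code)):
        del _pending[key]  # single use
        return {"ok": True, "email": record["email"]}
    if record["attempts"] >= MAX_ATTEMPTS:
        # Three guesses at a million possibilities: the lockout is what makes
        # a six digit code acceptable at all.
        del _pending[key]
        return {"ok": False, "reason": "too many attempts"}
    return {"ok": False, "reason": "wrong code",
            "remaining": MAX_ATTEMPTS - record["attempts"]}
```

The attempt counter lives with the pending login rather than with the user, so starting a fresh login resets it; that is fine here because each new login also draws a new code and a new browser secret, and the attacker still has only three tries per code.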
kazinator, almost 3 years ago
The magic link is basically using the "forgot my password" e-mail recovery flow to just friggin' log in.

If you've served the user a link which takes them to a session where they can change their password, that session must be authenticated, by definition; you would not allow an unauthenticated visitor to change an account password!

And so, if that password change session is authenticated, then just treat _that_ as a fully fledged session. Don't force the user to go back to the login screen and use their new password.

The next logical step after not forcing the user to use their newly minted password is to just remind the user their forgotten password is still in effect, and that they can change it in their account profile settings.

From there to "magic link" authentication is just some minor UI tweaking.

I've always thought that asking the user to log in with a newly set password was an incredibly poor and unnecessary user experience, which just amounted to punishing the user for having forgotten their password and to train the user to believe that password recovery is inconvenient and should be avoided.
pjc50, almost 3 years ago
"Opening an email and clicking on a link" is one of the most risky things you can do with your computer; it's a critical stage in many successful security breaches. Why would you train people to do it?
ghostly_s, almost 3 years ago
"Not device-dependent" is a false assumption. They are entirely dependent on you having convenient access to your email on the device. I have yet to encounter one that was smart enough to authorize my session on the _original device_ if I open the link on a different device (and there are probably good security arguments for not doing that).

Even in the ideal scenario where I have a proper mail client, the alternative they present is:

auto-filled password from my PW manager: 1 click

magic link: click to initiate the login session (1); click to focus my email client (2); [wait for email client to launch if not already open]; click on the email (3); click the magic link (4); click to close the superfluous second browser tab (5); click BACK to my mail client (6); click to delete the now-useless email (7); click BACK AGAIN to my browser (8).

Hate these things.
TekMol, almost 3 years ago
I wish there was a way to read all cookies of the current site and create a bookmarklet that sets them again.

So I could log into GitHub and save the cookies in a bookmarklet.

Then every time I want to use GitHub, I click the bookmarklet and it sets the cookies, so I am logged in.

I dabbled with the idea a bit, but it seems not straightforward. Maybe due to some metadata that cookies carry. They are not just key:value pairs.

For example here on HN, when I type "document.cookie" into the console, I get back an empty string.
yababa_y, almost 3 years ago
They don't seem that outdated to me, given the evidence presented. Email provider security is a real problem but is usually considered the root of trust for persons...
tomc1985, almost 3 years ago
Fuck magic links. What a horrible login flow. Am I the only person that doesn't have my email open in another tab?
amadeuspagel, almost 3 years ago
I've been thinking about magic links using QR codes rather than email.

EDIT: The idea here is that on a device where you're already logged in you generate a QR code, you photograph that code on another device, and then you confirm on the first device that it's really you who photographed the code on the other device.
ajsnigrutin, almost 3 years ago
Another account to lose, when google bans you, because your kid liked something on youtube on a family account.
capevace, almost 3 years ago
Magic links can be very helpful when needing to authorise people from an external system without API access, and they recently saved our asses from having to process over 10.000 refunds manually. Let me explain:

I work as a web dev for my local students union, and we recently had to develop a system to process refunds for basically every student there (9€ ticket related).

However, our university wanted nothing to do with that process, so we couldn't use existing student login infrastructure to verify refund claims and limit them to one per student.

Luckily, each student gets a @stud.leuphana.de mail address. So all we had to do was send them a login link: if you weren't a student or entered an invalid address you simply never received that, so you couldn't apply.

The system worked great and with few issues, thanks to magic links!
dangus, almost 3 years ago
They're yet another way for logging in to suck for people who use a password manager.

Another example of this is consumer apps that insist that you should login with your phone number and make you click an extra button to change to the email login option.
bob1029, almost 3 years ago
I think magic links have some give/take depending on your product/platform/audience.

One major use case that comes up more frequently is onboarding an untrusted device with a trusted one. WhatsApp seems to have mastered this class of problem using the QR code. Typing in codes and clicking emailed links is nice until you feel your phone's camera instantly log you in on your laptop by scanning its screen. The obvious downside is that this is a chicken-egg situation and you have to already have one chicken (or egg) to make it work.
timwis, almost 3 years ago
If you're concerned about the security aspect of this, keep in mind that _most_ web applications have this feature, but instead of calling it a magic link and for signing in, it's called "forgot password." It generates a short-lived code and emails the user a link that lets them access their account.

There are, of course, challenges with this being the _only_ (or default) way to sign in, but the security concerns with it (e.g. weak email password) probably aren't new!
jarsbe, almost 3 years ago
It depends. I used magic links for a system where the user would log in every 6-12 months. It didn't make sense to force them to make a password.
usrn, almost 3 years ago
Magic links are half factor auth. They're probably good enough for apps that no one actually cares about though.
planede, almost 3 years ago
A lot of people brought up scanners that auto-click links. How do these scanners deal with verification email links or unsubscribe links in general?

I mean unsubscribe links are commonly two-stage (you have to click a button on the target website), but not always. Never saw a similar two-stage verification link though.
ricardo81, almost 3 years ago
The article doesn't seem to cover a potential issue: updating an email address associated with an account (2FA aside).

If you've somehow lost access to email, a typical pattern is that you can login to your account, update the username and receive a validation email at the new address to confirm its validity.
Fnoord, almost 3 years ago
Existed earliest in 2010? No way. Earlier. I remember in the 90s a "forgot your password" link from e-mail signed you in, after which you could change the password.
parentheses, almost 3 years ago
The problem with using this technique alone is it's basically 1FA all over again. Hacked email means everything is hacked. Excluding the need to remember a password, how are magic links an improvement?
appleflaxen, almost 3 years ago
This is just an advert by a competitor.
revskill, almost 3 years ago
I think yes, because people hate magic? Change it to Simple link might work.
apeace, almost 3 years ago
Anyone have advice for creating easy-to-use-yet-secure login solutions for users who are less tech-literate?

My company is an ISP, and most of our customers are not very "good" at using technology. And yet, they do sometimes want to log into our dashboard for one reason or another, and it tends to be a lot of trouble.

We've found that:

- _Many_ people do not have an email. Some people don't have a phone number. Many people have only one or the other, but not both.

- People typo their emails... a LOT. I initially had some very simple validation for email addresses, until I started getting droves of emails that were one character off. I'm at this very moment working on a feature to alert users if they type "gmail.co", "gmail.con" or "gnail.com", which are all very common (and two of which are completely valid domain names by the way!).

- Some people get confused by "creating a new account" or dealing with multiple accounts in general. They'll say "my email login didn't work." Well, to me it's obvious that they have a different password for different accounts, but to them it's not.

- Building on that, they are not great at password resets. The "send a password reset to email" thing is confusing to them, because from their perspective their email _is_ the account. Am I resetting my email password?? They don't like it so they don't want to do it.

- Since we are an ISP providing customers with WiFi, there is also confusion between the WiFi password and the dashboard password. I've had people successfully reset their dashboard password, expecting it to also set their WiFi password.

- Literacy can also be less than ideal. I once reset a customer's WiFi password over the phone, and the new password contained an exclamation point. She didn't know what an exclamation point was. I got her to do SHIFT-1 eventually, but it took a while. (I found out later that nobody else sees an exclamation point as an "upside-down i", which is what I've always seen it as. The proper way to describe it to someone who doesn't know is "line with a dot underneath".) Now my password generator only uses A-Za-z0-9 (but not 0 or O).

So, I have been learning the hard way that not every person in the world is an avid Hacker News reader who knows what accounts and password hashes are and how everything works. And yet, these people deserve to be empowered by technology just like the rest of us.

The thing is, many of these folks _are able to use software just fine, it's just that they have trouble getting logged in_. It really is the logging in that trips everything up.

So I've been thinking lately that I want to fix this for my company, but I'm unsure what to try.

I had the thought of trying Webauthn, but that seems unusable for me as per this comment I wrote a few weeks ago[0]. If I could solve the problem in that comment, I think a lot of my customers would use "Login with TouchID", "Login with FaceID", etc.

Anyway, my point is that no, I do not think magic links are outdated. We use a lot of magic links. Need to update your credit card? We'll text you a link. Want to reschedule your install? We'll text you a link. This is the best way we've found to actually get our software into the users' hands.

[0] https://news.ycombinator.com/item?id=31850471
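The "did you mean gmail.com?" feature mentioned in the comment above is a small thing, but it has a subtlety the comment itself points out: gmail.co and gmail.con are real domains, so the check must suggest, not reject. The snippet below is an added example for this thread, not the ISP's code; it uses the standard library's difflib against a constructed list of common providers (KNOWN_DOMAINS) and returns a suggestion only when the typed domain is a close miss of one of them. The function name and the similarity cutoff are this example's own choices.

```python
import difflib
from typing import Optional, Sequence

# Constructed list of providers a hypothetical signup form expects to see often.
KNOWN_DOMAINS: Sequence[str] = (
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com",
)


def suggest_domain(email: str, known: Sequence[str] = KNOWN_DOMAINS,
                   cutoff: float = 0.8) -> Optional[str]:
    """Return the domain the user probably meant, or None if nothing is close.

    The result is only a suggestion for a "did you mean ...?" prompt. The form
    must still accept the address as typed, because near-miss domains such as
    gmail.co and gmail.con are legitimately registered.
    """
    if email.count("@") != 1:
        return None
    _, domain = email.rsplit("@", 1)
    domain = domain.strip().lower()
    if not domain or domain in known:
        return None
    # get_close_matches ranks by SequenceMatcher ratio (2 * matched / total
    # length); one-character slips against a 9-character domain score ~0.89.
    matches = difflib.get_close_matches(domain, known, n=1, cutoff=cutoff)
    return matches[0] if matches else None
```

A cutoff around 0.8 catches single-character typos on short provider names while leaving unrelated domains (a university address, for instance) alone; tune it against your own support-ticket data rather than trusting the number.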
bamboozled, almost 3 years ago
I think a lot of the complaints here are "nerd problems".

For customers they seem like a super convenient thing, I was just implementing them in my app. Yes magic links have problems and it's probably making me lean more towards the "emailing a code" option now, some of those problems outlined aren't easy to ignore.

The app I'm working on, users would login probably once or twice a year. I just can't imagine they want to deal with passwords, especially because my app is very niche, they'd use it once a year for one thing only. What I can imagine them having to do is constantly use the "forgot my password" feature anyway.

For conversion easy logins are really important. Anyone have any better ideas than magic links, passwords or one time codes in email?