Magic Links – Are they Actually Outdated?

Even if you have not heard of magic links, the chances are that you have already encountered them when signing up for third-party applications or websites. Simple yet effective, this passwordless method is convenient for end-users to confirm their identity and easy for developers to implement: Instead of having to enter a password, a simple click is all it takes to log you in.

Given its foolproof infrastructure and widespread use, one might think it would be unnecessary to change a winning team. Scratching beneath the surface, however, it soon becomes evident that this method also has limitations. While we strongly recommend implementing password-free authentication for every organization, as a relatively old passwordless method among ever-changing digital innovations, magic links might no longer be the most secure alternative for this purpose.

With this article, we aim to determine whether magic links are still viable as an authentication method or if you are better off using newer passwordless alternatives.

What are magic links? – The Origins

"Magic Links" describe a passwordless authentication method that allows users to log in by clicking a one-time link mailed or messaged to them rather than using their password. This link is automatically sent to the provided email address upon toggling a login request on the platform. This simple but innovative process of users authenticating themselves by merely clicking a button may seem magical to some, thus the name.

Though no official record of the first use of this method seems to exist, research suggests that their concept dates to the early 2010s. In the following years, as the problem with passwords started to arise slowly, various platforms started implementing two-factor authentication: In addition to entering a password, 2FA provides a secondary layer of security by requiring the user to verify their identity via a second (passwordless) factor. One of the most used secondary factors at the time was a code sent via SMS or email. In 2014 however, a revolutionary new method started gaining traction that promises the same high-end security features like 2FA, but by only relying on a single factor: Passwordless. Since biometric characteristics were not yet as widespread as they are now (partially due to the older smartphone models), the most straightforward and low-tech solution proved to be the implementation of one-time links – or, as we call them today, magic links. Thus, in the mid-2010s, various platforms started to experiment with passwordless, one of the most notable examples being Medium, which sparked a debate regarding the legitimacy of this newly discovered login method.

How do they work?

Contrary to what the name implies, magic links are only seemingly magical – in reality, they operate using code, tokens and hash functions. Akin to any other login process, it starts with the user visiting the respective platform or application with the desire to access it through their profile. The platform requests the user's email address upon navigating to the login page. Immediately following the email submission, a token is generated and the magic link is formed, which is automatically sent to the address in question. By clicking on the link, the user enables the application to receive the query at its endpoint, and thus the authentication process is completed.

The advantages

Considering their widespread use, it is no surprise that magic links have significant advantages for developers and end-users alike. While the strengths of passwordless over password usage have already been discussed in greater detail, this list will merely focus on the pros of magic links over alternative passwordless methods.

• Easy and affordable implementation: Due to magic links' near-identical functionality to password resets, implementing them is merely a matter of making a few slight modifications in code. Thus, you do not have to worry about extra costs either.
• Not device-dependent: Unlike biometrics, which generally require devices capable of scanning the users' physical characteristics (f.e. fingerprint or face), or hardware tokens that must be plugged into a specific port, sign-ups via magic links have no such resource demands. They are therefore viable on any device with an internet connection.
• Familiarity: Since this technology has been used for password resets for a long time, end-users are likely already familiar with the functionality of magic links. This familiarity makes for an easy and transparent sign-up and login process.

The disadvantages

While they have many advantages, magic links are also not without their shortcomings compared to other passwordless options.

• Email Security: If you frequently use magic links to log in, it is vital to also keep an eye on the security system surrounding your email account: Should someone gain access to another user's inbox, they simultaneously receive the keys to logging into profiles that run on magic links. Therefore, a single cyber-attack on your email could lead to unwanted activity on many of your utilized virtual services.
• Email Provider: Apart from the measures you take to protect your email account from unwanted access, the reliability of your used service is also worth evaluating. Since logins via magic links are heavily reliant on the user receiving the link, it is essential that the provider actually manages to deliver the awaited email.
• Less convenient than other alternatives: Apart from security, magic links also fall short compared to other passwordless methods in terms of login convenience. While the process is faster than MFA, magic links still require the user to leave the login screen instead of alternatives like biometrics or physical tokens.

In conclusion

To answer the notorious question this article has posed regarding the viability of magic links; the answer is unfortunately not black-and-white. While magic links might still be considered a safer authentication method than using plain passwords, they ultimately seem to pose more security risks than other passwordless options.

Most of this method's disadvantages correlate to the fact that magic links rely on a third-party service to handle a significant part of the authentication process. Accordingly, even if the developer has made no mistakes in implementing a magic link-based login system, complications could still arise on the email provider's end. Additionally, while authentication processes via biometrics or physical tokens are dependent on specific device resources, they still have the advantage of being either non-replicable or more challenging for other people to access.

To sum it up: If you have a device capable of authentication via a biometric factor or a physical token, you might want to gravitate towards those options for maximum login convenience and account security. Alternatively, magic links are still a relatively safe option for a familiar and facile login process. In that case, however, it is strongly advised to protect your email account via highly secure authentication factors, to avoid unwanted activity on a multitude of your utilized virtual services.

Join the GitHub Discussion if you are interested about the state of magic links in ZITADEL. Today ZITADEL supports Passwordless with FIDO2/WebAuthN and support of the upcoming Passkeys, this should give your users a secure and convenient alternative to classic magic links. You can send an email with a link to pair and onboard a FIDO2 compatible device or request a QR code to pair and onboard a FIDO2 compatible device.