Password-based authentication creates a lot of user friction, so it is not surprising that developers look for ways to streamline the authentication process. One method is called the magic link, which allows the user to log in without entering a password via a special web link.
While passwordless authentication is something we strongly recommend all organizations implement to protect their internal networks from hackers, magic links aren't a truly secure way to implement the technology, and aren’t actually passwordless. Below, we explain magic links and why organizations should consider better methods to implement truly passwordless authentication for their customers.
What are magic links?
Magic links are a one-time use link sent to the customer during the authentication process. After entering their username, the user is sent a URL, either to the user's email address or their mobile phone via text. The user clicks to authenticate themselves without entering a password, and for some, this might seem like "magic," thus the name.
Magic links are attractive because it is a simple way to remove the need for a customer to generate and remember a password from the process. With users still choosing easy-to-guess passwords and reusing them across personal and business accounts, your organization is at risk of password-based attacks.
How a magic link works
The magic link provided contains a token that can replace the password. Most platforms also require some registration of the device to prevent hackers from receiving magic links maliciously.
Once the user's device or browser is authenticated, they can enter their username or email address at sign-on to receive the magic link. The authentication server generates a token embedded in a URL sent to the end-user, who has a set period to use the magic link before it expires. And like the one-time password, the link expires after use.
There’s still an option for the user to revert to using a static password instead of a magic link, and the password is available as a backup for recovery.
Examples of when magic links are used
Perhaps the most well-known example of magic links is the Slack app. The magic link is part of the login process and is encouraged by a large "Send Magic Link" button.
However, Slack is just one of many apps and services that have implemented magic links. Other situations that make good candidates for using magic links include:
- Situations where authentication is infrequent: Magic links work well when a user must only authenticate once at the beginning of the session. Entering a complex password adds friction to the process.
- Situations where device authentication is already present: If you're already performing device authentication, magic links can be an option.
- Situations where quick and straightforward account creation is desired: Password-based authentication does create a drag on the account creation process. With the need for ever stronger passwords due to the rapid increase in password-based attacks, you'll need to force end-users to create complex passwords. Magic links make that unnecessary.
The user experience of magic links are certainly lacking. There's the possibility of your users never receiving the magic link, to begin with. The user's email provider may consider the email spam, forcing the end-user to search their spam folders. There can be a lag waiting for the link, and the user is just left waiting and is unable to complete their work.
So while magic links might sound like an easy method to implement passwordless authentication, it is not a perfect nor completely secure way to do it.
Security issues with magic links
Magic links are intended to make the login process easier and more secure. But each of the reasons making magic links attractive for passwordless authentication also has significant security issues:
- You should be authenticating your users continuously: The magic link is a one-time authentication at the time of login. The user is considered "trusted," and likely won't have to authenticate again. This is asking for trouble in today's threat landscape. Organizations should be implementing zero trust concepts, which require continuous user verification and trusts no one.
- There's no reason for the magic link if you're using device authentication: There are authentication solutions that do this and implement actual passwordless authentication without the need to leave the login screen. While magic links are a huge step forward for finally eliminating the password, there are better methods to do it out there.
- There's no assurance that the recipient of the magic link is who they say they are: If a user’s email service is compromised, an attacker might intercept the magic link email and use it to gain access. Magic links work as long as the token received is what the server expects.
What is a better and more secure authentication method for your customers?
While magic links seem like a more secure method to authenticate users without relying on passwords, there is a better way to implement passwordless authentication that truly protects your customers while still providing a frictionless experience.
A secure authentication platform should combine passwordless authentication, device authentication, and risk-based authentication into a single platform. That's why we created our customer authentication solution.
Our platform embodies the zero trust concept of "never trust, always verify." Our platform continuously authenticates the user during a session while monitoring for over two dozen factors that may be signs of trouble using invisible, passwordless MFA. This allows you to secure your customers without making them jump through authentication hoops that cause friction.
With a magic link, you're only authenticating a user once. Unless you're actively monitoring these users for suspicious activity, you won't know until it's too late if the user's device is infected with malware.