Magic Links - Passwordless Email Login
A magic link is a one-time login URL sent to the user's email address. Instead of entering a password, authentication is completed simply by clicking the link in the email. Services such as Slack, Notion, and Medium have adopted it, and it has attracted attention as an easy way to implement passwordless authentication. However, since its security depends entirely on the safety of the email account, it must be clearly distinguished from more robust passwordless technologies such as passkeys.
How Magic Links Work
The authentication flow of a magic link is technically similar to a one-time password (OTP). The difference is that, instead of a numeric code, an email is sent containing a URL with a cryptographically secure random token.
The following constraints are placed on the token.
- Expiration: typically 10 to 30 minutes. Expired links become invalid
- Single use: the token is invalidated immediately after being clicked. It cannot be reused
- Cryptographic randomness: use a token of sufficient length (128 bits or more) that cannot be guessed
- IP binding (optional): some services compare the IP address of the request with that of the click
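The flow above, as an added example that is not code from the original article or from any of the services it names: a small Python service that issues a magic-link token and later redeems it, enforcing each of the four constraints. The token comes from the OS CSPRNG with 256 bits of entropy, only its SHA-256 digest is kept server-side, the record carries an expiry, it is deleted on the first successful redemption, and the requesting IP can optionally be compared with the clicking IP. The verification URL, the in-memory dictionary standing in for a database, and the sample addresses are assumptions made for illustration; sending the email is out of scope.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

TOKEN_BYTES = 32          # 256 bits of entropy from the OS CSPRNG, well above the 128-bit floor
TTL_SECONDS = 15 * 60     # 15-minute lifetime, inside the 10-30 minute range given in the text

# Assumed verification endpoint; the real product's URL is not on the page.
VERIFY_URL = "https://example.test/login/verify"


@dataclass
class PendingLogin:
    """One outstanding magic link. Only the SHA-256 of the token is stored, so a
    leaked table of pending logins does not yield clickable links."""
    token_hash: bytes
    email: str
    expires_at: float
    request_ip: Optional[str]


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


class MagicLinkService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._pending: Dict[bytes, PendingLogin] = {}   # stand-in for a database table
        self._clock = clock                              # injectable so expiry can be tested

    def issue(self, email: str, request_ip: Optional[str] = None) -> str:
        """Create a fresh single-use token and return the URL that would go in the email."""
        token = secrets.token_urlsafe(TOKEN_BYTES)       # unguessable, URL-safe, no padding
        self._pending[_digest(token)] = PendingLogin(
            token_hash=_digest(token),
            email=email,
            expires_at=self._clock() + TTL_SECONDS,
            request_ip=request_ip,
        )
        return f"{VERIFY_URL}?token={token}"

    def redeem(self, token: str, click_ip: Optional[str] = None,
               enforce_ip: bool = False) -> Tuple[str, Optional[str]]:
        """Validate a clicked token. Returns (status, email); email is set only on "ok"."""
        record = self._pending.get(_digest(token))
        if record is None:
            # Never issued, already consumed, or tampered with: all look the same to the caller.
            return ("unknown", None)
        if self._clock() > record.expires_at:
            del self._pending[record.token_hash]         # expired links are dropped for good
            return ("expired", None)
        if enforce_ip and record.request_ip != click_ip:
            # Optional IP binding. The token is left intact so a user whose address changed
            # (mobile network, VPN) can still retry from the address that requested the link.
            return ("ip_mismatch", None)
        del self._pending[record.token_hash]             # single use: burned before a session exists
        return ("ok", record.email)


def token_from_url(url: str) -> str:
    """Pull the token query parameter out of a generated link."""
    return parse_qs(urlparse(url).query)["token"][0]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("alice@example.test", request_ip="203.0.113.5")   # constructed sample values
    print("link:", link)
    print("first click:", svc.redeem(token_from_url(link), click_ip="203.0.113.5", enforce_ip=True))
    print("second click:", svc.redeem(token_from_url(link), click_ip="203.0.113.5", enforce_ip=True))
```

Two design points worth noting. Looking the record up by the digest of the submitted token (rather than comparing stored plaintext tokens) means a database leak exposes nothing clickable, and since the attacker never learns the token, the dictionary lookup is not a useful timing oracle. Second, because the token is single use, an email security gateway that pre-fetches links can consume it before the user ever clicks; production implementations commonly have the link land on a page that completes redemption with a POST instead of redeeming on the GET itself.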
Adoption Examples
Slack
Offers a "send a sign-in link by email" option as an alternative to entering a password. It is heavily used for the first login when joining a team.
Notion
Adopts magic links as the default login method, achieving a UX where setting a password is not required at all.
Medium
Offered as an authentication method alongside social login, a choice that prioritizes the ease of use expected of a content platform.
Advantages and Disadvantages
| Advantages | Disadvantages |
|---|---|
| No need to remember or manage passwords | Depends entirely on the security of the email account |
| No risk of password leakage or reuse | Wait time until the email arrives (seconds to minutes) |
| Simple to implement (no server-side password storage) | No phishing resistance (users can be tricked by fake emails) |
| Low barrier to user registration | Cannot log in in an offline environment |
The point to be especially careful about is that magic links have no phishing resistance. If an attacker sets up a fake login page and gets the user to enter their email address there, the legitimate service still delivers a genuine magic link to the user's inbox. When the user clicks it, an attacker positioned between the user and the service (a man-in-the-middle scenario) ends up holding the authenticated session. See the article on email account protection for ways to strengthen email security.
Comparison with Passkeys
Both magic links and passkeys are passwordless authentication, but their security models are fundamentally different.
| Aspect | Magic link | Passkey |
|---|---|---|
| Basis of authentication | Possession of the email account | Possession of the device + biometrics |
| Phishing resistance | None | Yes (origin-bound) |
| Login speed | Slow (waiting for email) | Instant (fingerprint or face recognition) |
| Ease of adoption | Very easy | Somewhat complex (WebAuthn implementation) |
The article on the challenges of migrating to passkeys explains a phased migration strategy from magic links to passkeys.
Common Misconceptions
The belief that "magic links are safer than passwords" is half right and half wrong. While they eliminate the risks of password reuse and weak passwords, if the email account is compromised, every magic link falls into the attacker's hands. If multi-factor authentication (MFA) is not configured on the email account, the security of a magic link is little different from that of a weak password. See the article on two-factor authentication for ways to protect the email account. Books on passwordless authentication (available on Amazon) are also helpful references.
Real-World Use Cases
"After switching the login of our internal tools to magic links, password reset requests dropped to zero. However, there are cases where the email takes more than 30 seconds to arrive, and some users have complained that 'logging in is slow.' We settled on using passkeys for tools we log into frequently and magic links for tools we only use occasionally."