Guest Blogger
Jonathan Baker
As a number of large businesses move beyond the long-established standard of password-based authentication, magic links have emerged as a new and popular form of authentication. So, what are magic links and why should your business consider using them? In this blog, we will explain why magic links are so useful while breaking down their strengths and weaknesses.
According to a study by Digital Guardian, the average American has upwards of 130 different accounts associated with a single email address. Assuming that they follow recommended password protocol, each of their accounts should have a different, hard-to-guess password. Unfortunately, over 60% of all survey respondents admitted to reusing the same password across multiple accounts. The reality is that the average person simply isn’t able to keep track of and remember hundreds of strong, unique passwords.
Magic links aim to fix this issue by providing a means for users to log in and authenticate without the need for a password. With a magic link, the user simply provides an email address and then clicks the link sent to them via email. With the click of the mouse they are redirected back to the website or app where they are automatically authenticated and logged into their account.
Magic links are quite similar to the process of setting up a one-time password, and they operate through the same flow as a “forgot password” workflow. To the user, magic links really do seem like magic. But in reality, it’s a simple process using hash functions and tokens. They work like this:
And just like that, the user is now logged in to your application without ever having to remember a password. If the magic link is clicked but no user is found, the authentication stalls and no further actions would occur. This approach is pretty straight forward, and with less than 10 steps total odds are high that it is very similar to your workflow for when users forget and must reset their passwords.
From the perspective of developers, magic links are a very easy and appealing way to validate user authentication. You won’t need to purchase any extra hardware and, assuming you already have a “forgot password” workflow, virtually no new code to write. Unfortunately, despite magic link’s convenience and ease of use, they aren't quite as secure as other forms of user authentication. With magic links, much of the burden of security ends up falling upon the user and their email provider.
Because the user logs into your app through a magic link sent to their email, this means that anyone with access to the user’s device or email login could potentially gain access to their account. If a user loses their device, or if their device is stolen, there isn’t much stopping the thief from having full control over the victim’s account. Even if a person doesn’t lose their device, a bad actor could still gain access to their account so long as they have the email login credentials. Beyond that, magic links are also particularly susceptible to man-in-the-middle (MITM) attacks if the user is not browsing on an encrypted network.
Ultimately, this puts the responsibility of keeping accounts safe on the users themselves. If you decide to implement magic links in your app, it is important to advocate that your users enable two-factor authentication for their email accounts, use a reputable and secure email provider, and avoid browsing on unsecured networks without encryption. Unfortunately, these are only suggestions and not anything you can enforce.
However, don’t despair; the security surrounding magic links isn’t all bad. Apps that use traditional password authentication are susceptible to weak and reused passwords which frequently lead to account breaches. With magic links there are no weak or reused passwords, so there’s nothing for hackers to brute-force or phish from unsuspecting users.
In a nutshell, magic links are intuitive, familiar, and simple for your users to access and understand. If you care about providing the best customer experience and accessibility, magic links are the gold standard when it comes to user authentication. However, magic links can get rather complex, and an easy, smooth customer experience can often create tension around the security concerns we mentioned above.
As we already mentioned, a reputable email provider is crucial for the success of magic links. Sometimes email providers will tag emails from new senders as spam, filtering an important email into the rarely-visited spam folder. If the user requests several magic links in a row without realizing the email is being filtered as spam, how should those links work? As soon as the user requests a new magic link, should the old ones expire? These are questions your team will need to solve for themselves. If you opt for expiring magic links, there are fewer security vulnerabilities but also fewer ways to log in, leading to potentially frustrating experiences for your users. This is a delicate balance your team will have to strike.
Similarly, some applications are set up in a way that makes their magic links automatically expire if used outside the same browser session that it was requested. It can be a bit frustrating for users to close their browser and find that the link they requested no longer works once they eventually try to log in. Although there can be some pains with customer experience, this route also ensures that each magic link doesn’t work longer than necessary. By default, magic links that persist indefinitely present heightened security concerns.
Finding that balance between ease of use and appropriate security measures is critically important because the improved customer experience is absolutely worth it.
Ultimately, a smooth customer experience does wonders for business. If the process of creating and registering a new account is simple and easy to do, more users will sign up. If any of those users then return to your application but don’t bother to log in, then you are missing out on valuable user-behavior data that would be associated with their account. If you want all the benefits of their user data, getting them to log in is paramount. If you can help guide your users to log in by making it as easy as possible, you will reap the benefits. Plus, magic links work seamlessly across all platforms and devices, making it easier for users to log in however and whenever they want.
An added bonus to using magic links is the ability to guide users towards new features and drive increasing engagement throughout the app. You can establish a redirect so that once your users log in using their magic link, they are automatically prompted to interact with any new features or content. Highlighting any new features and guiding your users to interact with them help to improve customer experiences and drive user interactions.
Magic links provide a great opportunity to create a smooth and easy customer experience without compromising too much on account security. Would magic links work with your application? That’s a question only you can answer. Does your application handle sensitive user data such as financial or healthcare records? If that’s the case, magic links probably aren’t the best choice for your app. If your app centers around something like entertainment or online shopping, magic links would likely work great.
Contact us to see why the brightest companies trust Lithios.
Get in touch