
Why Kinde likes OTPs better than magic links

By Alex Norman

People have asked us why we email one-time passcodes (OTPs) instead of magic links for passwordless authentication. This blog post explains why we prefer OTPs.

What are OTPs?


OTPs are one-time passcodes that enable a user to authenticate.

The user enters their email address on the sign-in screen and is sent a 6-digit code, which they enter to complete authentication.


Magic links enable a user to complete authentication by clicking a link.

The user enters their email address on the sign-in screen and is sent a magic link; clicking it logs them in to the system.

OTPs and magic links have almost the same pros and cons.

Pros:

  • Doesn’t require a password, so is generally more secure given most users’ poor password hygiene
  • Requires the user to have access to their email, which they generally do a much better job of securing
  • Does not require the storage of passwords

Cons:

  • Breaks up the flow by forcing the user to open their email to click on the link or get the code
  • Assumes that the user’s email has not been compromised
  • Can be used on a device that the user has not logged into their email from

At first glance, both email OTP and magic links act in very similar ways and have basically the same pros and cons. When we were deciding which direction to take for Kinde auth, we took a really close look and identified some extra risks with magic links that we didn’t want to take.

A user can complete the authentication flow on a different device than the one that originally started the flow.

Kinde uses device fingerprinting in the authentication flow to prevent users from having their sessions stolen by attackers using another device. This is a core security control in our authentication system to prevent session hijacking and limit phishing effectiveness.

Opening users to this security risk was unacceptable.

Links can be hijacked and swapped out in transit by phishing programs, meaning users might not be clicking an access link, but a URL designed to trick them.

We are continually bombarded with emails that contain links and URLs that are unsafe. Kinde wanted users protected from this by providing a phishing-resistant security method.

Sometimes antivirus products and email scanners will prefetch the URL, which effectively ‘clicks’ the link and can expire it before the user ever sees it.

Both email OTP and magic links are meant to expire once used, but only magic links can be consumed before they even reach the user. This would frustrate anyone.
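To make the device-binding point and the prefetch point concrete, here is an added Python sketch of an OTP flow bound to the browser that started it. This is example code written for this post, not Kinde's implementation; it assumes a per-flow id kept in the originating browser's cookie, a device fingerprint supplied as an ASCII string, an in-memory store, a 5-minute validity window and a 5-attempt lockout, all of which are assumptions for the example. The code is only ever sent in the email; the flow id and fingerprint never leave the browser session, so a scanner that reads the email cannot consume the code the way it can consume a link.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: a 5-minute validity window
MAX_ATTEMPTS = 5        # assumption: lock the flow after 5 wrong guesses


def _code_hash(flow_id: str, code: str) -> str:
    """Hash the code together with the flow id so a leaked store entry is not directly usable."""
    return hashlib.sha256(f"{flow_id}:{code}".encode()).hexdigest()


class OtpFlowStore:
    """In-memory store of pending OTP flows, keyed by a per-flow id held in the browser cookie."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, dict] = {}

    def start_flow(self, email: str, device_fp: str) -> tuple[str, str]:
        """Begin sign-in. Returns (flow_id for the browser cookie, code to email to the user)."""
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit, zero-padded
        flow_id = secrets.token_urlsafe(16)
        self._pending[flow_id] = {
            "email": email,
            "device_fp": device_fp,              # fingerprint of the browser that started sign-in
            "code_hash": _code_hash(flow_id, code),
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return flow_id, code

    def verify(self, flow_id: str, device_fp: str, code: str) -> str:
        """Check a submitted code; the flow is consumed on success, expiry or lockout."""
        rec = self._pending.get(flow_id)
        if rec is None:
            return "unknown_flow"        # never started, already used, or locked out
        if self._clock() > rec["expires_at"]:
            del self._pending[flow_id]
            return "expired"
        if not hmac.compare_digest(rec["device_fp"], device_fp):
            return "device_mismatch"     # submitted from a device other than the one that started the flow
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[flow_id]
            return "too_many_attempts"
        if not hmac.compare_digest(rec["code_hash"], _code_hash(flow_id, code)):
            return "bad_code"
        del self._pending[flow_id]       # one-time: consumed on success
        return "ok"


def demo() -> dict:
    """Walk through the scenarios discussed in the post with constructed inputs; returns each outcome."""
    now = [1_000.0]                      # controllable clock so expiry can be exercised
    store = OtpFlowStore(clock=lambda: now[0])
    flow_id, code = store.start_flow("user@example.com", "fp-laptop")   # constructed fingerprint
    wrong = "000000" if code != "000000" else "000001"
    results = {
        "other_device": store.verify(flow_id, "fp-phone", code),     # right code, wrong device
        "wrong_code": store.verify(flow_id, "fp-laptop", wrong),
        "correct": store.verify(flow_id, "fp-laptop", code),
        "replay": store.verify(flow_id, "fp-laptop", code),          # already consumed
    }
    flow2, code2 = store.start_flow("user@example.com", "fp-laptop")
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = store.verify(flow2, "fp-laptop", code2)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>13}: {outcome}")
```

The design choice worth noting is that the device check runs before the attempt counter is touched, so a code submitted from the wrong device neither succeeds nor burns the legitimate user's attempts; a real deployment would also rate-limit `start_flow` per email address.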

No magic, no regrets


At the end of the day we decided email OTP is simpler and safer. And we stand by that decision.

Learn more about passwordless authentication in Kinde.