A guide to passwordless authentication with magic links

Passwords are the most common and most vulnerable way to access protected sites, apps and platforms. These credentials are easy to guess, easy to hack and easy to replicate across multiple accounts.

So, what’s the solution? A step in the right direction is using a secure password manager that requires complex combinations of letters and numbers, rather than easy-to-guess phrases (like the name of your first pet).

An even stronger approach is going passwordless using authentication methods like magic links. By sending a unique, time-sensitive to your email address, you can keep your accounts protected without having to remember yet another complex string of characters.

Magic links give you instant access to your accounts while keeping apps and sites secure from intruders. From a technical standpoint, understanding how magic links work can help you figure out if they’re a good fit for your company or app.

Passwords are expensive to manage, hard to remember and easily compromised. It’s why we believe the future of authentication is passwordless, using other secure methods to verify your identity and grant access to secure resources.

Passwordless authentication uses two types of authentication factors to authenticate users: possession factors (such as one-time passwords and security keys) and biometric factors (such as fingerprint scans, facial recognition tech and retina scans).

What do these two factors have in common? These factors are extremely hard to fake or replicate. While passwords can be easy to guess, passwordless authentication factors are tied to an individual’s physical traits or a private, tangible item.

There’s a final category of passwordless authentication that is gaining popularity as a secure alternative to usernames and passwords: magic links.

Just like digital certificates, a pair of private and public keys are what drives passwordless authentication. It can be helpful to think of the public key as a padlock, while the private key is the specific key that unlocks it.

Here’s the thing: only one private key will unlock a public key. To produce this pair, you’ll create a secure account (such as signing up for a mobile app or social networking site). This will generate the public-private key pair.

From here, the private key will live on your device and will be accessed when you attempt to log in with a fingerprint, PIN, OTP or magic link. The public key will be shared with the system or app you’re trying to join.

Rather than entering a username and password, magic links allow users to authenticate simply by clicking a few buttons. This method of passwordless authentication works in a similar way to one-time passwords (OTPs): you enter your email address, you receive an email containing a magic link, and clicking it unlocks access to this app or platform.

Ever hit the ‘Forget password?’ button on a site? If so, you’d be familiar with the process of magic links.

If you’ve lost your credentials or can’t remember which email address you signed up with, the magic link option gives you the ability to securely access a platform using a one-time access link.

Along with forgotten password flows, magic links can be used as part of multi-factor authentication (MFA). If you’re having trouble remembering your credentials, you can opt for a magic link to gain access instead.

Magic links are a type of email-based user authentication. What drives this process is code that allows users to sign in with just an email address (no password required).

A basic magic link login flow looks like this:

• An app asks you to provide your email address
• The app generates a unique, magic link (embedded with a token) and sends this to your nominated email address
• You open the email and click the magic
• The app checks the token and authenticates your access to the app

The ‘magic’ label comes from one of the best-known examples of this authentication method: Slack. When you opt to authenticate access with this method, you’ll see a screen displaying a magic wand. This allows you to send a magic link to your inbox to sign you in to your Slack account instantly.

As a user, these magic links live up to their name. But on the back end, magic links use a combination of tokens and hash functions to enable passwordless authentication to happen.

Passwordless authentication removes friction for both users and companies. For magic links specifically, there is a range of drawcards that include:

• User experience: digging up the right username and password can be tedious, especially if you’ve set unique credentials for every app you use. With a magic link, logging in can happen in just a few clicks. It also removes the need for secure password management, which can be time-consuming and costly (particularly if you’re updating passwords every few months and needing to pay for software to store them securely).
• No need to store and manage passwords: for companies, using password-based authentication flows means creating, handling and managing the infrastructure around password storage. Every user that signs up to your platform will have their own login credentials, which you need to encrypt, store and keep safe. As you’d imagine, this process can take significant effort and can come with high costs to keep this sensitive data secured. On the flip side, magic link flows free up time and resources to invest in other parts of your company.
• Removes the threat of password breaches: this has to be the biggest drawcard of passwordless authentication. As data breaches become increasingly common, companies need to find ways to safeguard users’ data. With no passwords to compromise, magic links are a proven way to retain the integrity of your platforms (particularly if you’re handling sensitive data, such as financial records and medical information).
• Lowers customer service requests: customer service can be resource intensive, requiring team members to be on-call and available during all hours of the day. Slow response times, short opening hours and hours spent on hold can damage your company’s reputation and cause users to take their business elsewhere. 50% of all help and support tickets come from password-related issues. Using passwordless authentication (such as magic links) makes these resourcing headaches obsolete.
• Efficient user onboarding: setting a username and password can be an added point of friction for users. By using magic links, you can combine the signup and log-in processes into one flow. This can be helpful if your top priority is to boost your user count and scale your user base rapidly.
• Low barrier to entry: importantly, magic links aren’t reliant on physical tech or costly hardware. Every link is shared through software your users likely use on daily basis: emails. This gives magic links the edge against other passwordless methods like dongles or key fobs.

It’s important to be realistic and understand some of the potential drawbacks of magic links, which can include:

• Dependant on email deliverability: at the core of magic links is the use of emails. While this tech is typically robust and reliable, it can come with slow delivery times and glitches. If an email provider experiences an outage, users won’t be able to gain access (with the potential to abandon sign-up entirely). This is where picking the right email delivery services comes in, meaning you need to carefully choose the right provider for your needs.
• Lost in spam: similarly, magic link emails can end up in the user’s spam folders if email filters aren’t optimized. This can add, not remove, friction in the user experience.
• Security is tied to email: one of the vulnerabilities of magic links is relying on a user’s email address. If a user’s inbox is hacked or compromised, the security of your platform can be at risk, too.
• Limited visibility for admins: the other major disadvantage of magic links is visibility. As an admin, you can’t control the email accounts of your users and have no control over who opens and accesses magic link emails. This can pose serious security risks if emails end up with the wrong recipient.

Magic links offer advantages for companies looking to fast-track their onboarding and sign-in processes. But convenience shouldn’t come at the cost of security.

To keep your platform secure while using magic links, it’s important to understand what best practice principles you should be following.

• Use one-time-only links: prevent sharing and lower the chance of unauthorized access by making sure your links can only be used once.
• Harness MFA: magic links come with vulnerabilities. With multi-factor authentication enabled, you can add an extra layer of security that will keep your platforms safe (even if a user’s inbox has been compromised). This could be a text message, an OTP or a fingerprint scan, just to name a few.
• Make sure your links expire: putting a time limit (such as one hour) on your links means every link expires, narrowing the window for hackers to access your platforms. If this email is shared or stolen, this expiry date will offer another line of protection.
• Optimize your subject link and “From” name: make it easy for users to spot your emails by clearly identifying your company and magic link emails in the subject line. Personalizing your “From” name can also lower the chance of your emails being caught by spam filters, too.
• Avoid message threading: some providers (like Gmail) can bundle similar emails together into a single thread, which can get really confusing really quickly. Prevent this by using unique subject lines or reference header values in each magic link email you send.

Emails are the software that makes magic links possible. Your user experience depends on picking the right email provider, which means weighing up the following factors:

• Speed: the longer it takes to receive an email, the more likely a user is to go elsewhere. Look for email providers that prioritize email delivery speed, ideally offering 10 seconds or under for magic link emails.
• Reliability: getting flagged for spam is one of the biggest pain points for users when it comes to magic links. Look for providers with a good sender reputation, including expert advice about how to prevent your emails from getting caught up in spam.
• Support: make sure your provider is compatible with your favorite languages and frameworks as well as the authentication protocols you’re using (like SPF). This is key to ensuring integrating email links into your app is fast and simple.

While the exact steps you need to follow will depend on the framework you’ve used to build your app, there are three key things you need to consider when adding magic links to your app:

• You need to generate and save a unique token for each user.
• You need to generate a link for that token and include this link in an email that is sent to your user.
• Your app needs to be able to receive the query at the magic link endpoint and authenticate your user.

We wanted to offer a smarter, safer way to sign up and sign in. Give your customers a secure way to sign in to your apps and websites using just an email address.

With our passwordless authentication codes, you can combine the benefits of multi-factor authentication with the security of email.

We’ve made getting set up with Kinde fast and easy. Use an SDK or API to quickly integrate Kinde into your product.

See how Kinde compares to other authentication providers.