Magic/tragic email links: don't make them the only option
509 comments
·January 7, 2025rickcarlino
mooreds
We went to a lot of trouble to make our magic link implementation work with anti-phishing software, corp link checkers and more. https://github.com/FusionAuth/fusionauth-issues/issues/629 documents some of the struggle.
I think that a link to a page where you enter a one time code gets around a lot of these issues.
andrei_says_
I arrived at the same conclusion after going through the steps and seeing that some corporate systems mark the login link as malicious, and there’s nothing I can do about it.
Sending a code goes around a lot of issues.
js2
Also: Safari can autofill codes from both email and text messages on macOS and iOS. It then automatically deletes the message too.
https://www.webnots.com/how-to-autofill-verification-codes-i...
hackernewds
one times codes are very vulnerable to phishing. users are prone to entering codes on any resembling website
klabb3
I was gonna argue that you can fix this but I realized that you’re right. It’s a MITM attack where there’s really no way to stop it, same as passwords. It’s basically the same feature (sign in in a different browser) that also lets attackers in.
That said, here’s how I would mitigate it:
- Like usual, time based limits on the code - Code is valid only for the initiating session, requiring the attacker to create a paper trail to phish
If you do have a magic link & want to use code as backup for authenticating a different device/browser, you could:
- Compare IP and/or session cookie between the initiating and confirming window. On match, offer login button. On mismatch, show the code and a warning stating how it’s different, eg ”You are signing in a different device or browser, initiated from $os $browser in $city, $country, $ip - $t minutes ago.”
It’s not perfect though and may still be prone to phishing.
adastra22
Why not just support a password?
mooreds
Oh, we support passwords! (And passkeys, and social login, and OIDC, and SAML.)
Just want to make sure magic links work as well as they can.
Different folks have different requirements, and since we're a devtool, we try to meet folks where they are at.
We actually recently added a feature which lets you examine the results of a login, including how the user authenticated, and deny access if they didn't use an approved method.
matt-p
Only having magic links gets you a load of stuff for free,
Higher level of security than just user+pass (w/ forgot password)
Email verification
Lifecycle management - in a SAAS when a user no longer has a corporate email, they can defacto not log in, wheras with a user+pass you need to remember to remove their account manually on each SAAS or have integration with your AD (for example)
davidmurdoch
One weird reason I've personal run into: when building on the edge, like with cloudflare workers, you can run into timeout issues because of how long password hashing takes.
ThePowerOfFuet
Because ≈everyone reuses passwords and so accounts get taken over.
presentation
I've had success with sending a code, and the link takes you to a page where the input is pre-filled with the code, and you just have to click "Login".
mooreds
Yup, that's a good option. Any kind of user action like a form submission is less likely to run afoul of a link checker.
lelanthran
> I think that a link to a page where you enter a one time code gets around a lot of these issues.
I've done both in my SaaS product - link is GET with the OTP in the link, the target page checks if the link is in the URL, and if not, then the user can type it in.
Only for signup, though. For sign-in, the default is to always have the user type it in.
null
ctm92
These days there's also to consider that some Mail Threat Protection Tools (at least Microsoft Defender in Exchange Online does this) click links in Mails to check them.
Recently ran into this issue as new mail accounts got confirmed automatically and magic links were invalid when the user clicked them, because Microsoft already logged in with it during checking.
TeMPOraL
Come to think of it, magic links by definition violate the principle that GET requests should not change state. Defender & preview tools are actually following the established norms here - norms that were established decades ago precisely because we hit the more broad problem with C, U & D parts of CRUD, and collectively agreed that doing destructive operations on GET requests is stupid.
kragen
You can GET a <form> which POSTs when you click the "log in" button.
robertlagrant
That seems like a really thoughtless idea.
aspect0545
What can you do to prevent automatic confirmation in that case?
mixedbit
I run an authorization service that allows to log-in using magic links and we managed to solve this. First approach was for the link opening GET request to do not log the user in, but to include an HTML page with JavaScript that issued a POST request with a code from the link to log the user in. This worked well for a long time, because email scanners were fetching links from emails with GET requests but did not execute JavaScript on the fetched pages. Unfortunately, some time ago Microsoft tools indeed started to render the fetched pages and execute JavaScript on them which broke the links. What works now is to check if the link is open in the same browser that requested the link (you can use a cookie to do it) and only automatically login the user in these cases. If a link is open in a different browser, show an additional button ('Login as <email address>') that the user needs to click to finish the login action. MS tools render the login page but do not click buttons on it.
The issue that MS tools introduced is broader, because it affects also email confirmation flows during signups. This is less visible, because usually the scanners will confirm emails that the user would like to confirm anyway. But without additional protection steps, the users can be signed up for services that they didn't request and MS tools will automatically confirm such signups.
miohtama
The link leads to a page where you need to press a button (HTTP POST).
sandermvanvliet
As far as I know there’s nothing.
The alternative is to send an OTP in the mail and tell the user to enter that.
In that way there is no link to auto confirm.
However, if you do that ensure that you have a way to jump straight to the page to enter the OTP because (looking at you Samsung) the account registration process can expire or the app is closed (not active long enough) and your user is stuck
devnullbrain
I've had this problem as a user, accidentally previewing a link in iOS by tapping for too long.
tuetuopay
This is even worse for copying the link. On iOS the contextual menu comes with the preview, which will destroy the magic link.
littlestymaar
> These days there's also to consider that some Mail Threat Protection Tools (at least Microsoft Defender in Exchange Online does this) click links in Mails to check them.
What an insane policy, why am I surprised Microsoft came up with it…
sbarre
It's not actually insane if the application hosting the link follows the principle that GET requests should not mutate state.
This problem is ~20 years old from when CMS platforms had GET links in the UI to delete records and "browsing accelerator" browser extensions came along that pre-fetched links on pages, and therefore deleted resources in the background.
At the time the easiest workaround was to use Javascript to handle the link click and dynamically build a form to make a POST request instead (and update your endpoint to only act on POST requests), before the fetch API came along.
tzs
4. Make sure the sign-in link on mobile works with your mobile app.
When McDonald's switched from email/password to magic links I had a hard time getting the magic link to work with the McD app. It usually would just open in the McD website.
Thus was quite annoying because about 98% of the time I eat McD's I would not do so if I could not order via the app [1].
I finally gave up and switched to using "Sign in With Apple" (SIWA). There was no way that I could find to add SIWN to an existing McD account, so had to use the SIWA that hides the real email from McD. That created a new McD account so I lost the reward points that were on the old account, but at least I could again use the McD app.
[1] They have a weekly "Free Medium Fries on Friday" deal in the app available for use on orders of at least $1. Almost every Friday for lunch I make a sandwich at home and then get cookies and the free fries to go with it from McD.
k4rli
McD app is the absolute worst.
1) rooted or bootloader-unlocked Android devices are not allowed (granted it's easy enough to get past it for now but the checks are still there). 2) 2FA requirements as if anyone would bother to steal coupons from others
It appears that they want ordering burgers to have the same level of enhanced security as banking apps. Not even crypto or trading apps bother to block unlocked devices in such a way. Blocking rooted devices doesn't even make banking apps more secure but for them I can at least understand the reasoning.
SOLAR_FIELDS
I have heard that you are basically paying double what you normally would if you aren’t hunting for deals in mcd’s app these days. How much truth is there to that?
packtreefly
A lot. MCD corporate seems determined to get on the user data gravy train, and appears to be subsidizing it for the franchisees.
Three large fries ordered at the counter costs over ten dollars.
bpeebles
It depends on order size. I think orders for one or two people over time you'd save close to 50% between deals and using points. For larger orders 20% off once a day is about the best you can do. (I'm my area/experience.)
andy800
"Normally would" is more likely, prices from the mid-2010's. The order I used to pay about $12 and change for in 2015 (I know this because I ate there at least once a week), is now about $13, by using the app deals.
However since the rollout of "value meals" last summer, they took away some of the better deals and now McDonald's is simply expensive (for McDonald's) even with the app.
red_phone
The difference isn’t nearly that dramatic, but there are definitely savings to be had via the app.
miki123211
One of the biggest advantages of magic links is that they're unphishable while still being easy to use (unlike passkeys).
Having a code completely negates that advantage, as attackers can just set up a fake website that asks for the code.
Magic links should log you in on the device you click them, not on the device that requested the login session. Anything else, while being a little bit less annoying, is a security issue and should be treated as such.
tarxvf
That would require I have my email on every device I might want to log in with.
I don't like that for a number of reasons.
hombre_fatal
The conventional password system requires you to have a shared password manager on every device or that your reuse or memorize passwords. And that none of the service's users reuse passwords.
It's all trade offs, else it would be easy.
hombre_fatal
When using magic links, you can still support the common UX polish of letting a user log in on a different browser/device.
If the user opens the magic link in the same browser that initiated the email, then just log them in. Otherwise, present them with the Apple-style "Do you want to authorize a login from 1.2.3.4 using Firefox on iOS possibly located in Portland, Maine? [Authorize] or [Reject]".
layer8
1 and 3 are mentioned in the article. It’s still annoying if there is no password option.
KronisLV
> For example, an iOS user might prefer Firefox mobile, but their email client may force the link to open in an in-app browser based on Safari.
Hey, wasn’t Firefox on iOS based on Safari related tech anyways?
https://en.m.wikipedia.org/wiki/Firefox
> However, as with all other iOS web browsers, the iOS version uses the WebKit layout engine instead of Gecko due to platform requirements.
I do agree with what you’re saying though! Just those two in particular will probably have pretty good compatibility, which I was amused to find out when I looked into it.
yieldcrv
One thing I recently found annoying with Slack was that I wanted the company chat on my phone, but I didnt want the company’s email on my phone given the overly broad control of my phone
so I got the magic link on their computer and then I made a qr code
but wait, the email quarantine system had altered the whole link so I had to extract that
but wait the redirect url back to slack was malformed because of the url encoding and i had to fix that and then make the qr code
like wow just give me a qr code or code instead in the original magic link email!
tzs
Would it have worked to forward the mail from your work email system to your personal email?
sthatipamala
If it’s a big corp, they probably have strict data exfiltration policies for corp email.
Maybe this one email would have been fine, but if it gets tripped, it’s not worth the headache.
adastra22
Now your private email contents are subject to discovery.
yieldcrv
It wouldnt have worked any differently from the first qr code with quarantine, and been a flagged violation, eventually
michaelmior
> Make sure the sign-in link can handle email clients that open links automatically to generate preview screenshots.
Any suggestions on what needs to be handled here? My first thought is UA checking to see if it looks like a real browser.
snthd
The link is a "safe" GET request. The page loaded via the link should do an "unsafe" POST for the login, via javascript with a form button for fallback.
https://www.rfc-editor.org/rfc/rfc7231#section-4.2.1
>The purpose of distinguishing between safe and unsafe methods is to allow automated retrieval processes (spiders) and cache performance optimization (pre-fetching) to work without fear of causing harm. In addition, it allows a user agent to apply appropriate constraints on the automated use of unsafe methods when processing potentially untrusted content.
Exactly the same for email unsubscribe links, or a one click "buy now" link.
apitman
If you want to do this without JS just add a page with a "Click here to complete login" button that does the POST.
justinator
Automatic link pre-fetchers know JavaScript too and will trigger your JavaScript to post.
I've had to implement a system where if the link was minted x minutes ago, the JavaScript on the landing page is disabled.
It's just another arms race. It shouldn't be this hard, but in email it seems everything is additionally harder to do.
rickcarlino
In my app, I just added an “Almost there!” Page with a button that the user needs to click. I still need to add a fallback option that uses a one time code for the other reasons mentioned above.
paxys
Save a browser cookie when the login is initiated. When the link is clicked check if the same cookie is present. If not, ignore it. Expire the link and the cookie after n minutes.
Macha
Surely this breaks the "email is not on same device as login" use case? At least with normal magic links, they're merely incredibly annoying but doable (via e.g. typing in the URL)
michaelmior
After reading the other replies, this seems like one of the more effective approaches. Thanks!
timfsu
Using a time-based expiration rather than a usage-based expiration should help
nine_k
E.g. require to click a button to actually sign in, don't consume the token and establish the session on mere URL access.
sebastiennight
We've been using Magic Links for a few years (and yes, one reason was to avoid the security issue of storing user passwords when we were just at MVP stage) and found the top problems with it are:
1. Some users (0.1%) just don't ever get the email. We tried sending from our IP, sending from MailGun, sending from PostMark, having a multi-tier retry from different transactional tools. Still, some people just will not ever be able to log in.
2. People click old Magic Links and get frustrated when a 6-month old link "doesn't work". We've decided to remedy that by showing them a page that re-sends the link and explains the situation (like Docusign does) instead of an error message.
3. People will routinely mis-spell their email and then blame the system when they don't get the code.
All of this still results, I feel, in way fewer support tickets than the email+password paradigm, so I'm still in favor of Magic links.
255kb
It's indeed interesting the number of people misspelling their email address, or having an inbox so full that it cannot receive emails anymore.
I never tried to add magix links, but I added Google Sign in to my SaaS several month ago, and since then, it accounts for more than 90% of new sign-ups (users are devs, so rather tech savvy and privacy aware). I'm now convinced that no other method is a priority (I still have email/password of course).
wodenokoto
> but I added Google Sign in to my SaaS several month ago, and since then, it accounts for more than 90% of new sign-ups (users are devs, so rather tech savvy
I do it for services I don't care about. In my mind it is more privacy for me. Keeps you out of my real inbox and my password out of your system and I believe that I can - to some extend - remove myself without having to go through whatever crap account deletion process that services has tried to cobble together.
Worst offenders let me login with google and then immediately asks for name and phone number or email and asks me to verify it.
lolinder
> my password out of your system
This shouldn't be a factor because your password should be a random series of characters that are unique to that site.
> I believe that I can - to some extend - remove myself without having to go through whatever crap account deletion process that services has tried to cobble together.
To an absolute minimal extent: you can make it so Google won't tell them whatever it was they already told them again. But you can't make them delete the data that they already lifted from your Google account.
For keeping surfaces out of your inbox, that's what email aliases are really good for. Register with an alias and then block that alias if they abuse it.
kstrauser
I have my HN username at a venerable webmail service. I check it about once a year, tops. My name isn't unimaginably rare, but neither is it "Smith".
I am shocked, shocked, by the number of different K. Strauser people who have typed that email address into some random website or another. I've gotten bank notifications, loan documents, Facebook signup info, meeting minutes from some random volunteer work, and all kinds of other things. When I can figure out from context who the intended recipient is, I try to let them know so they can fix it. On one occasion, the person sent me back a swear-laden diatribe for "hacking their email". Sigh.
I think this has made me a better engineer, though. When someone says something in a meeting like "...as long as they type their email correctly", I can jump in and address that myth head-on. No, people will not type it correctly. If it's a minor pain in the neck for me, with an uncommon name, I can only imagine the traffic that the world's John Smith's get.
jdhawk
Same issue. I've had university professors put my email address in their sylabus instead of ____.edu, and been carpet bombed by assignments, excuses, and pleading diatribes.
I'm listed as the email address for _many_ utility bills, doctors offices, and more political campaigns than I can count.
Comical how many people mess up their own email address.
watermelon0
Wouldn't privacy aware users prefer passkeys or passwords, instead of any kind of SSO?
In general, I do understand that use of SSO is due to convenience. Especially since in many cases websites provide less friction when signing up via SSO instead of using username+password.
hackernewds
Believe it or not, most users are not that privacy cautious
255kb
That would be my guess too. I think convenience always win.
yvoschaap
The number of support requests I got last year because of [hotmail|gmail|msn|yahoo].con > 30
revicon
I just auto switch any incoming .con to .com on the back end. 100% of the time it is a user typo
sebastiennight
A couple of years ago I think I saw a frontend library that warned the user / auto-fixed those typos, but I can't remember its name, and all I can find now are SaaS offers for that kind of service.
Which I'm not entirely enthusiastic about as it leaks all user emails to some random service.
cchance
Funny part is most of those apply to passwords too, using an old password and complaining its not working, mistyping shit and complaining that its the system, and requesting a password reset and not getting the mail LOL so i only see upsides
skerit
Magic links can be very useful, but for some users the issue is in only supporting magic links.
tjoff
... but the usability is a nightmare.
graemep
Absolutely. Users have to wait for the email before signing in, it does not work on devices without email without copying the link, etc.
watermelon0
Email should not be considered a secure channel.
Username+password (or passkeys) with a password manager (which ensures that credentials are used on the correct domain) via HTTPS is probably the only end-to-end encrypted way of exchanging credentials with good UX for general public.
danenania
With password reset, you are also trusting email.
gepeto42
Even with passkeys or TOTP 2FA, we've decided email is the root, for better or for worse (for people with gmail, it's likely better than SMS would be on a crappy carrier, but it depends on so many factors, including how many hundred apps have Gmail read access via OAuth...)
Jolter
If you are storing sensitive information in the system, by all means, you should act accordingly and require higher-security login than magic links. But if you do, you really should not be accepting username+password either. You need to at least put some 2FA on there to step up one level of security. And not SMS- or email-based 2FA either.
90% of web apps don't handle that kind of information, and for them a magic link is at least as good as passwords (as this article explains). Those that do handle things like personally identifiable information (beyond an email address) really should be enforcing 2FA or proper electronic IDs.
There is a whole profession writing recommendations about information security, and every web developer needs to be able to do this kind of analysis at a rudimentary level. We don't need to wing it, we can analyze security requirements in a systematic way.
flessner
Also what's the reasoning behind not wanting to store passwords?
It's not like the rest of the customer's data is not valuable? If you don't feel comfortable storing passwords, the amount of data I'd trust you with is strictly zero.
lolinder
No, kudos to them for looking at a piece of data and asking themselves if it's worth storing—more companies should do that with more data. It's not that the rest of the data isn't valuable to some extent, it's that every piece you have makes the blast radius of a leak that much bigger, so why hold stuff you don't need?
Planning for a breach doesn't make you more likely to have one—if anything it makes you less likely!
gepeto42
To be fair to 404, they're trying to limit the amount of data they hold which IS good, but in the end they need to have the email address of subscribers.
Kiro
In my country even the social security number of people is public information.
danenania
The UX debate is valid, but magic links (and emailed one-time codes) are clearly more secure than password + password reset. Control of the email account gets you in either way. Passwords are an additional attack vector.
dpifke
I've been a loyal Mercury customer for a while now, but their forced use of magic links as a third authentication factor any time my IP address changes (after authenticating with a secure password from my password manager and after a valid TOTP) has me ready to move my company's banking elsewhere.
I could understand requiring a third factor to authenticate if signing in from a different location or a different ISP than I've been using for the past 5 years, but it's ridiculous to do so if nothing has changed (except the final octet of my DHCP-assigned address) since I last signed in yesterday. I use a different computer (via SSH) to read my email than I do for web browsing, and cutting-and-pasting a signin link that's hundreds of characters long (spanning multiple lines in Emacs, so I have to manually remove \ where it crosses line boundaries) is a PITA.
Adding friction on every sign-in colors all subsequent interactions I have with an app, and makes me hate using it.
MaxGabriel
I’m the CTO of Mercury
You shouldn’t get the device verification requirement if you’ve used the device before (we store a permanent cookie to check this) or for the same IP. Any chance your cookies are being cleared regularly?
We added this after attackers created clones of http://mercury.com and took out Google ads for it. When customers entered their password and TOTP on the phishing site, the phisher would use their credentials to login and create virtual cards and buy crypto/gold/etc. The phisher would also redirect the user to the real Mercury and hope they figured it was a blip.
This device verification link we send authorizes the IP/device you open it on, which has almost entirely defeated the phishers.
Since WebAuthn is immune to this style of phishing attack, we don’t require device verification if you use it. I highly recommend using TouchID/FaceID or your device’s flavor of WebAuthn if you can—it’s more convenient and more secure. You can add it here: https://app.mercury.com/settings/security
That said, we are talking internally about your post and we do recognize that as IPv6 gets more traction IPs will rotate much more regularly, so we’ll think if we should loosen restrictions on being a same-IP match.
dpifke
Yes, I clear cookies every time I close my browser, as a layered approach to privacy on top of uBlock Origin and NoScript. There isn't a great way to exclude certain sites from this, other than setting up a dedicated web browser in a container just for Mercury.
I wasn't aware that WebAuthn didn't have this requirement. I prefer TOTP because I actually like having a second factor in addition to a credential stored on my computer's hard drive (whether a password or a private key in my password manager), but I might be willing to reduce my security posture to get rid of this annoyance.
One suggestion: the link would be half as annoying if it was easily cut-and-pasteable rather than a long email-open-tracking link spanning multiple lines. This is what it looks like when I copy it out of my email:
https://email.mg.mercury.com/c/eJxMzs1u4jAUBeCncXZB9vVfvPACZshoWIwYoiasdgkra2KV_JCGqPTpK-imq7xxx40vlO9IKia6ggL6zUlQHObdF6\
JI0alRHBWQvWKRuD4loLZxsJSRXZAwfNBQeQWozasdgeWsMyFZozE4RKZ4d151NOFtuq9w6IqLb-d5fGdyzaBmUIdx_NkzqBeacrqXkZaMxGSNQyQmf7_9GW7\
Hf1cJ8zW9TshAwwba3ccLuN3u_r_PR9j_GkxxxmadDu32c59jMfkYFmKKP0baIT0vzP4ynHN_-yyhZOTy9jmPPQn6gL-VLMfvvIA_XxbywRYhUbZUp0RpVCUC\
qDsbasJHeObFMZ4YrFw1cAAAD__4XPZXw
Edit to add: looks like email.mg.mercury.com is hosted by Mailgun. Are you intentionally sharing these authentication tokens with a third party by serving them through this redirect? Do your security auditors know about this?
incompatible
I set Firefox to delete cookies at shutdown, and also an add-on called Cookie AutoDelete, but they both have an option to whitelist a site.
packtreefly
> I wasn't aware that WebAuthn didn't have this requirement. I prefer TOTP because I actually like having a second factor in addition to a credential stored on my computer's hard drive (whether a password or a private key in my password manager), but I might be willing to reduce my security posture to get rid of this annoyance.
I've seen passkeys support something like what you're after. The browser will produce a QR code you scan with your phone, and then you authenticate with the passkey via the phone, which then authorizes the original browser.
I'm not absolutely certain that this is part of the spec or how it actually works. I'd like to know. It solves a couple different usability issues.
You could always use something like a Yubikey.
mhitza
At the very least, you can be creative with workarounds for such issues. A bookmarklet can be convenient.
javascript:void(window.location.href = window.prompt().replace(/\\\n\s*/g, ''));jeremyjh
You have to send emails through third parties or people won't get them, because you are also always sending them to third parties who host the recipients email and manage their spam. It might be a good reason not to send magic links but here we are talking about a tertiary confirmation, so its useless on its own right?
thefreeman
So you are intentionally crippling your browser and ability to access email (you need to ssh to another computer and access via terminal). You also aren’t able to handle emacs wrapping of long lines. And you are complaining that the security in place to prevent stolen credentials is “inconveniencing you”.
adastra22
Pretty sure that is eMacs formatting, not the email itself? Can you kill-copy the URL?
lyime
What would be a more secure (yet reliable) method for email delivery for such emails?
null
miyuru
> IPv6 gets more traction IPs will rotate much more regularly
unfortunately, only few ISPs do IPv6 correctly by assigning a fixed prefix to customers. most of the ISPs apply the ipv4 logic when adding ipv6 planning hence this situation.
hopefully this will improve in the future and more stable prefixes will be given to users.
m463
I like the schemes that send a numeric verification code that you manually type in without an email link. can also use a text message. Maybe allow this to be configured.
security = 1/convenience
but also vice versa
null
filmgirlcw
I think this is really great as a response to 404's post last week. I love 404 but I'm as annoyed by Magic Links as OP for the same reasons they mention.
Ricky Mondello wrote a really great blog last week[1] about how passkeys, as OP alludes to at the end, can be used alongside Magic Links, that I think is worth a read.
[1]: https://rmondello.com/2025/01/02/magic-links-and-passkeys/
danudey
I haven't had these specific issues with magic links specifically, but I do remember when Epic launched the Epic Games Store and they would e-mail you two-factor codes to log in. I consistently had issues where I wanted to log into their store, got prompted to enter the two-factor code they e-mailed me, got no email for several minutes, requested another code, didn't get that either, gave up and did something else, and then got both codes 30 minutes later.
The fact is that even in the best of times, e-mail isn't reliable. Things go to your junk folder. Links get blocked by work spam filters. Mailboxes get full (I assume? it's been a while).
Personally, I have my e-mail on my iPhone and anywhere else (work laptop or gaming PC) I have to log into icloud.com to check my e-mail; it's cumbersome. Let me put in a password. Let me scan a QR code like embedded devices do. Give me at least one other option.
lolinder
Thank you, this is a better piece than TFA! Reading TFA I was rather confused at how passkeys are an alternative to magic links—it makes a lot more sense to view them as a complement. Magic links allow you access to passkeys, which are basically "Remember this Computer" on steroids.
gepeto42
Thanks for that link, I had not seen it and if I had known Ricky Mondello had written that, I probably wouldn't have bothered.
I'm still used to Apple people being almost completely invisible publicly.
cmiller1
I'm confused, what's going on here? Is there a reason you wouldn't have bothered reading a post from that specific person?
gepeto42
I meant Ricky’s post is great and if I had known about it first I might not have written mine! Added a link to it at the bottom of mine.
filmgirlcw
thanks for writing what you wrote -- I think it's important that we have this conversation as broadly as we can
lolinder
Am I misunderstanding something, or are passkeys not actually an alternative to magic links?
Every implementation of passkeys I've seen has presented me with the option to create a passkey after I've already logged in with some other method. I'll admit that I haven't dug into it deeply, but the UX I've been presented with consistently makes passkeys appear to be an alternative to the "Remember this computer" button, not to passwords in general. Somehow the service has to know that this new device is authorized. I know depending on the provider there's such a thing as passkey syncing, but that doesn't solve the problem of getting the initial authentication done.
The key insight with magic links is that your security system is no stronger than its recovery mechanism. We are never going to get to a world where passkeys are treated as the only authentication mechanism—there will always be a recovery mechanism, and in most cases an automated one via email. Given that that is the case, magic links simplify things by just not pretending that we have a more secure layer on top. By making the recovery mechanism the primary means by which you interact with the authentication flow you're being more honest about the actual security of your auth system.
Edit: filmgirlcw has a link to an article that is much better than this one that explains how the two actually complement each other: https://news.ycombinator.com/item?id=42628226
filmgirlcw
I think as Ricky wrote last week [1], they should augment Magic Links or other auth methods. There are some positives about Magic Links for sure (though I don't know if making your email an even stronger attack vector is necessarily one of them), but for people who use a password manager, for example, they are a definite friction point that I think passkeys most certainly could alleviate.
There are definite UX problems around passkeys that could be improved and I think exporting will make syncing across systems a lot better (one of the reasons I use 1Password as my primary password and passkey system is so I can use my passkeys across devices; of course it helps that my employer uses 1Password as our system so I am logged into my personal and enterprise accounts and can auth then from personal or work devices, provided additional auth or enrollment isn't needed) -- but if the problem as 404 defines it is that they don't want to be responsible or even have to worry about storing your passwords/auth controls, I think passkeys is at least better for a subset of users than Magic Links.
But again, like Ricky, I don't think it should be viewed as either or. It should be both.
[1]: https://rmondello.com/2025/01/02/magic-links-and-passkeys/
lolinder
Thank you for the link! I saw your other comment and actually edited mine to point to that, because it's definitely the answer to my question!
> though I don't know if making your email an even stronger attack vector is necessarily one of them
I'm unconvinced that magic links do make your email an even stronger attack vector. Essentially every service that would be inclined to use magic links would already have a way to reset your password entirely once the email is compromised. All magic links do is make this the primary way to interact with the auth flow.
The bad guys already know that your email is the best target. Magic links just make that very explicit.
filmgirlcw
>The bad guys already know that your email is the best target. Magic links just make that very explicit.
That's a good point. I guess my rationale is that it being explicit makes me feel less comfortable for my parents/non tech-savvy friends, who already may not follow best-practices for email hygiene (and may not use email providers that enforce stricter hygiene like 2FA or other methods of protection) and thus, systems like this, make their email even more explicitly the ultimate place to go for access to stuff.
adastra22
> Essentially every service that would be inclined to use magic links would already have a way to reset your password entirely once the email is compromised
Well, don't do that.
Gigachad
Passkeys are in a transition period right now. There is no reason you have to have an alternative login method if you are using Passkeys, but no service has switched over to being Passkey only yet. Some users on older OSs / Linux might not be able to generate and store Passkeys yet, many users are not using a cross platform credential manager so if you've created passkeys with iCloud Passwords, there isn't a way to log in via linux right now.
Give it a few more years and I suspect we will start to see services start with creating a passkey and never collecting a password. The passkey portability specs will be implemented, and hopefully Gnome/KDE implement passkey support.
lolinder
What does the final end state of passkeys look like? What happens if I lose the device I created the passkey on, if it gets bricked, or if I get banned by the platform that was supposed to be syncing my passkeys?
skybrian
Passkeys are essentially an API for logging into websites that requires a password manager to use. The end state is that we become completely dependent on our password managers. To avoid a single point of failure, hopefully you own multiple password managers, and they’re on independent devices, and there is a way to sync them.
Gigachad
I'd think it's exactly the same as using a password manager. Yes in theory you could memorize 500 unique passwords or write them down, but no one is doing that.
There are a few things unique to passkeys though. You can register multiple passkeys for the same account so you could in theory have a physical USB key and cloud synced passkeys. Not many people would do this I would think though it would be easier than memorizing every password. There are also data portability specs in progress right now that let you export/import passkeys between services.
But at the end of the day I would suggest that it should be straight up illegal for a company to freeze your account without letting you export your data. It probably actually is by the GDPR. This problem also already exists for email too. If Google bans you, you'll find a lot of your accounts become unusable. Anything with email OTPs wont work, and some services like Discord won't allow updating your email without access to the existing one.
superq
> hopefully Gnome/KDE implement passkey support
sigh TBH, I hope not. Maybe optionally, but for now the friction might keep companies from going passkey only, which (I think) would be a total nightmare from a security and usability perspective.
Glyptodon
The first thing I thought when I read this is how can the author make the specific criticisms of links/otp codes and then suggest passkeys, which have pretty much the same issues x10. Like if using a OTP from your phone or copying a link from your phone when using a work PC to visit a website is a pain, how much easier/better/same is it to try and have your work computer work with your personal passkey from a laptop or something?
avianlyric
> how much easier/better/same is it to try and have your work computer work with your personal passkey from a laptop or something?
Passkeys support authentication via a secondary device over Bluetooth (and this is supported in every major browser on every major platform). So you can login to a site on a machine that’s completely disconnected from your personal passkey store by scanning a QR code with your personal phone.
The login flow basically goes “request login with passkey” -> “browser recognises it doesn’t have the needed passkey, and offers a QR code to scan” -> “scan QR code with phone” -> “phone and browser handshake via Bluetooth” -> “passkey handshake happens between website and phone” -> “login completes”.
I’ve personally used this flow with my work laptop and my personal iPhone many times. iOS has built in support for the Passkey QR codes, so you can scan the code with the standard camera app. Additionally iOS supports allowing 3rd party passwords managers to take over the Passkey flow once you’ve scanned the QR code. So in my case I complete the flow with 1Password.
End-to-end the flow is pretty damn seamless, I’ve never personally had it fail, and take 30seconds to complete. The most annoying part is trying to remember where my phone is.
superq
Even if we assume that you're ok with connecting discrete and disparate devices together (and you always have your personal tracking device near you all the time), Bluetooth is basically comprised of a giant bag of vulnerabilities and weaknesses.
> take 30 seconds to complete
also, ouch.
apitman
What if the target device is a workstation or library desktop with no Bluetooth?
adastra22
I refuse to use any service that only supports magic links for auth. It is incredibly user-hostile, and absolutely worse from a security perspective than passwords (with a password manager). Most critically it simply does not work in my personal setup where I do not have access to my email account from the machine I am using to login, precisely for security reasons and the safety of my accounts.
Anthropic has been the once exception to this personal policy simply because Claude is the best LLM out there. But it's a mountain of pain every time I have to re-login, and I've complained to them multiple times about this.
budding2141
>absolutely worse from a security perspective than passwords
Is it though? Majority (if not all) services I frequently use have email as recovery option for forgotten passwords.
adastra22
It is certainly not all, and most security conscious sites offer other recovery options like one time use codes. Many also allow for time delayed account recovery, which aren’t a usable option for magic links.
In any case the correct approach here is to fix password reset/account recovery (e.g. with social key recovery) rather than reduce everything to the lowest common denominator.
It also can be said to lower security because it instills the behavior of clicking on links in incoming emails as a standard practice.
apitman
Sadly not enough people use password managers for it to be worth it for companies to target those flows.
jerieljan
Every time I see magic links, I always think: "I thought we weren't supposed to click links in emails in the first place?".
When links in email come into mind, so does phishing.
I hate these magic links a lot.
crazygringo
Is anyone confused by that? Password reset links have always been sent to email.
The point is not to click suspicious links. If you know a magic link was sent, it's not suspicious.
That being said, I hate them just for the delay.
gepeto42
As someone in the security industry, I find it amazing how much we've told people (in awareness training) to "not click things on the thing-clicking machine™" while simultaneously having processes like password resets that require doing it.
™Kelly Shortridge 2021 (https://x.com/swagitda_/status/1503751776134180873)
adastra22
I don't like password reset links either. Send me a code I can type in, but only to the original browser session.
efreak
Be careful of those as well, but in this case it's quite simple: password reset links should only be sent when the user explicitly requests them; of you receive an unexpected email asking you to reset your password, don't click the link.
makeitdouble
Fake password reset links are also a common attack vector, so yes people are told to be also cautious of those.
Otherwise it's been a while I haven't seen an reset link instead of a reset code. Copy/pasting is not much of a hassle, and it works even if the mail is checked on a different device.
The only real link I had to deal with were app callbacks that were explicitly labeled as such (with instructions from the app to explain what to expect)
tylersmith
Nobody is actually confused, it's just performative whining.
SV_BubbleTime
Ok. So now my users get random login links for sites we may or may not use… sure, you Silicon Valley Cool Guy aren’t going to fall for it, but my blue collar Detroit UAW guys might.
Click that stupid magic link for a service we use, and they’re asked for their Office 365 credentials… all the while I’m telling them not to click links in emails.
m463
I don't even load images. email address -> ip address.
apple's email privacy scheme seems interesting (apple always loads all images), but I don't know if there are drawbacks.
jameshart
Best implementation I see of this requires you to click the link on whatever device you receive the email on, but it doesn’t transfer the session there - it just triggers completion of the login process on whatever device you initiated the process on.
layer8
This is bad (phishing). The better solution is have the login only work on the device where the link is opened, and for cross-device use to also provide an OTP code the user can read on the receiving device and easily type in on the initial device. (Or only provide the OTP code and no link.)
jameshart
How is that secure against the same phishing attacks that a clickable link is vulnerable to (basically the idea that someone can socially engineer you into a situation where you think you are supposed to complete the auth flow with them, enabling them to sign in as you?)
danudey
Well, it doesn't solve the issue of someone sending you a fake login e-mail that you then mistakenly click on, that's true, but the whole point of magic links is that there isn't an auth flow; there's no password for them to steal from you.
In other words:
1. A malicious individual sends them a fake login link
2. The link can't ask them for a username and password because the site doesn't have passwords, just magic links
3. The site could ask them for your OTP code if they have one, but the bad actor doesn't have their magic link and the OTP code expires in a few seconds anyway
4. Without the bad actor actually getting access to a legitimate magic link nothing happens
It does solve the issue of:
1. You visit the site on your device at the same time as they visit on their device
2. They get two e-mails and maybe click on the one that approves your session instead
3. Your session on your device logs in; theirs doesn't so they figure it's a bug and go click the other one. Now you're both logged in.
If you require the session to be logged in by the link directly, it ensures that only the device you're viewing the e-mail on gets signed in; in the above scenario, your malicious session is never logged in, but their legitimate one is.
layer8
It doesn’t protect from telling them the OTP code, that’s true.
Sn0wCoder
Agreed! If they all worked like this would be a happy camper. Nothing worse than being in one browser, opening the email, then it opens and authenticates you on the default browser or even better on a different device and needing to forward the link to the other device so you can open it there (yes odd scenario but try not to access certain emails from certain devices).
Sites that send an OTP (crazy-pink-horse-3837) that you can copy, and paste is a good middle ground if implementing the link that just Auths the original request is too difficult.
jameshart
Or in the Gmail client on iOS which opens links in an embedded browser.
Glyptodon
Even on Android that behavior is the bane of my existence.
crazygringo
You can change that in settings.
portaouflop
OTP is the only sane option - there are too many edge cases for magic links to make them a good user experience
ultimoo
so anyone can log in as you if you receive an email and accidentally click on it?
Sn0wCoder
This is a fair point to bring up.
Most sites will have a confirmation once you click the link that includes the browser version and IP address. I have seen that info only in the email itself too with no confirmation afterwords, but not for some time. Have never seen one that is just a link with nothing else that once clicked allows the other device in but supposes could be implemented that way.
The article itself is about not making them the only option (which is fair), and the OP says if they do it should login the device which originally made the request (which I agree). If the implementation is just an email with only a link, no other information with no confirmation (yes, it's fine to let this device in), then I would have to agree with you it's very risky and could allow anyone to login as you (hopefully no sites are doing this, but...)
sbrother
Or if your mail client, spam filter or anything else tries to prefetch the link...
jeffalyanak
If you really want to allow for another browser to authenticate a login request, you can at least limit it to sessions coming from the same IP.
That would let you authenticate your desktop browser from an email you opened on your phone if you're on your home network, but without becoming widely exploitable by phishers.
null
Gigachad
To be safe the link can load a page with a form / button that says confirm the login.
layer8
Some people will still click the button because they expect it will give them more information about why they received the link. You can add text along the lines of “authorize login on $other_device”, but it’s still risky.
josephh
AFAIK, McDonald’s does this with their mobile app (they weren’t letting me log in with my password) But the problem with their implementation was that the magic link that they send you is wrapped in a click tracker whose domain is blocked by pihole (and the likes), and I could not reach the actual auth URL to complete the login process.
paxys
If you have a halfway competent security team they will never ever let this fly. You are begging your users to get phished.
portaouflop
Almost no one has a competent security team and if they do they don’t listen to them. Security is just compliance checkboxes and lists nowadays
jameshart
A fully competent security team will, on the other hand, carry out a more comprehensive threat modelling exercise and make a pragmatic choice about whether this kind of auth flow is appropriate for your usecase.
The phishing risks for a bank account login are very different than those for a ‘returning player’ login to a casual gaming site for example.
megous
A phisher's dream.
Findecanor
BankID scams in Sweden worked because it did not require there to be authentication between the device that logged in and the device that authorised the login.
The victim got a phone call in which the she got manipulated into authorising something in the BankID smartphone app. But what she was actually doing was authorising the attacker to log into her online bank account.
First after several years (of blaming the thousands of victims for their millions lost) did the system start using QR codes on the screen scanned by the smartphone.
nicce
All the email scanners likely trigger the process anyway.
jameshart
Solvable with the right information in the authorizing email.
Remember that the flow the magic link is part of is one you initiate, that causes you to get an email you are expecting.
That email, and the landing and confirmation page it links you to, can explain very clearly that you are only supposed to authorize this if you are trying to log in on known device in known location that is displaying recognizable number on the screen right now.
avidiax
Rather than a recognizable number, users should be prompted to select a matching non-pronounceable glyph. Something like the keypads from KTANE [1].
That makes it impossible to text or speak it to a phisher.
Bonus points if you show the symbol as a noisy animated glyph, something like [2], or a link to a DRM'd video showing a symbol. That would make it very difficult to view even with screen recording or remote desktop software.
[1] https://www.bombmanual.com/web/index.html#:~:text=On%20the%2...
Mystery-Machine
You're assuming users read.
michaelmior
> the flow the magic link is part of is one you initiate
There's nothing stopping anyone else from initiating the flow assuming the common implementation where only an email is required to initiate sending the link.
gepeto42
Yeah exactly. Plus, sometimes SOMETHING will click the link before it even gets to the person's inbox (some enterprise spam filter with a sandboxed browser for example).
edit: saw that nicce basically said that a second before I hit post.
portaouflop
Many email clients will click the link and invalidate it - for example outlook is a classic here - so the best implementation does not use redirects/links at all.
OTP is far better than an actual magic link - you can still include a link that pre-fills the code.
Spivak
Yes but clicking the link itself shouldn't log you in. Any implementation of magic links that does this is broken because of link previews.
You click the button on the page which knows the session you're logging in from and link code and does a POST which completes the login. This is how all the "login by scanning QR code" flows work.
portaouflop
I see - but then you can just use OTP instead - it works in the same way and you can even use it cross device
pimlottc
I’ve been stung by this before, where I’d already closed the original browser tab since I assumed the magic link would open a new tab (as they usually do)
pwdisswordfishz
> Anti-mobile. As mentioned by 404 in their own article, this breaks the ability to use in-app browsers, which is quite annoying especially for RSS reader type apps. It makes interacting with any local link in the RSS feed extremely annoying.
To be fair, in-app browsers should die, especially those without an "open in regular browser" opt-out – which RSS readers should readily offer anyway.
pcthrowaway
Seriously, this needs to be ended by the harshest penalty of law.
Throw every product manager responsible for forcing in-app browsers upon their users in jail.
hackernewds
What is an RSS reader?
tzs
An RSS reader is the client software for reading RSS feeds. Here's a description of RSS feeds [1]. Here is a list of some readers [2].
[1] https://en.wikipedia.org/wiki/RSS
[2] https://en.wikipedia.org/wiki/Comparison_of_feed_aggregators
yawaramin
Way better option: emailed OTP code and passkey with Conditional Mediation UI. If the user is logging in from a device that already has a passkey, the CM UI will let them just select it and log in instantly. If they are logging in from a device which doesn't, we can make the UX such that it asks them to enter the emailed code, and after that is successfully it immediately asks the user to set up a passkey for instant sign-in.
This gets the best of both worlds: the security of passkeys on existing devices, and the passwordless setup and account recovery for new devices.
Bonus: it even avoids vendor lock-in where cloud providers have all your passkeys.
pat2man
Asking users to enter an emailed code does not protect against MITM attacks unfortunately
yawaramin
True, but pushing passkeys as the primary auth method reduces the risk to a great extent. It's a huge difference. As long as the user keeps using a relatively stable set of devices, they will 'approximately never' be exposed to MITM.
Also, when logging in from a new device, many accounts which use password-based auth today send a confirmation email and ask users to either enter the emailed code or click on the link. This is part of their existing security protocol. So we are not introducing a new unique thing here.
lolinder
> As long as the user keeps using a relatively stable set of devices, they will 'approximately never' be exposed to MITM.
As long as the user keeps a relatively stable set of devices and knows to be suspicious if they get asked for an OTP on a device that they know has a passkey. If they don't know to be suspicious (which let's be real, most people won't), they'll happily follow the instructions and fork over the OTP to a phisher who can use it to complete the authentication somewhere on their end.
Magic links without an OTP fallback are more secure as the initial setup process because they can't be phished unless someone's actually MITM'ing their HTTPS traffic (at which point nothing can save you anyway). A phisher can get someone to send themselves a magic link, but it's much harder to get them to provide the link to them.
gregates
I suspect a hidden "benefit" to the companies implementing this is that it makes it much harder to share your account. You are probably happy to share your Netflix password with your mom, but not your email password.
They can present it as a "more secure" login method, obscuring the reason they actually like it.
pcchristie
I'm pretty sure Medium (who was the first implementation of this that I know of) uses it as a way of blocking pay wall bypassers (which on Medium I think manipulated/deleted cookies to get around the 3 article limit).
gepeto42
Yeah that would not surprise me, in general. I don't think that would be 404's goal, since they provide full-text RSS feeds I could share with a friend easily, but I could see that happening with other services.
muppetman
Magic link are so, so stupid. Sure, make it an option for Grandma, but don't trot them out like they're amazing, they're terrible. God I hate the way the Internet is going - idiots making technical decisions.
dmattia
They are sometimes required. Say you are on a mailing list for some company you gave your email to at some checkout counter one time, and you want to unsubscribe. You probably don't have an actual account with a login with that retailer, they just have your email address.
In this case, what alternative is there than having a magic link in the footer of that email that says "unsubscribe" that includes a token unique to that email address that acts as proof of owning an email account when you then click that link and ask to unsubscribe?
ale42
There are many options where such links are a reasonable option. I'm okay to receive such a link to validate my e-mail for an account creation, or to unsubscribe from a mailing list at a place I don't have an account at, or to display an order status page at a shop where I ordered as a guest without creating an accoung.
But using them as the only option to login is really, really annoying. Mails can get trapped in spam filters, delayed by intermediate server overload or spam filters that sometimes take 10 minutes, servers doing graylisting... Plus all the other annoyances listed in the article (e.g. multi-device users, in-app browsers). At the very least, support passkeys if you really don't want to store (hashed) passwords. And no, SMS is not an alternative: I was several times barred from logging in to a service because SMS wasn't properly working (can happen easily while roaming abroad).
null
Issues I’ve encountered building an app with magic links:
1. Include a fallback sign-in code in your magic link, in case the user needs to log in on a device where accessing their email isn’t practical.
2. Make sure the sign-in link can handle email clients that open links automatically to generate preview screenshots.
3. Ensure the sign-in link works with email clients that use an in-app browser instead of the user’s preferred browser. For example, an iOS user might prefer Firefox mobile, but their email client may force the link to open in an in-app browser based on Safari.