What are Magic Links and How Do They Work?

“Science is magic that works.” - Kurt Vonnegut. 

Magic links are URLs with embedded tokens that let users log in without needing a password. These links are mostly delivered to the user’s email account, but can also be sent via SMS and other messaging platforms like WhatsApp. If implemented correctly, magic link authentication greatly improves the user experience, reduces churn due to forgotten passwords, and increases app conversions.

Users find magic links familiar because they have already interacted with similar (although much unhappier) flows whenever they reset their password. They also work in a similar way to one-time passwords (OTP), except they are links instead of numeric PINs.

Although magic links remove the problems associated with passwords, they come with a few of their own security risks. For this reason, magic links are sometimes included in a multi-factor authentication (MFA) approach to improve security.

How magic link authentication works

Here is what users see when they go through magic link authentication:

1. The user enters their email address in the app login page.

2. The user gets an email with a link.

3. Once the user clicks the link, they are logged in.

The simplicity of the steps above is probably how the “magic” moniker arose. A few other things are happening under the hood, however. Here’s how magic links work in some more detail:

1. The user enters their email address in the application login page.

2. The email address is checked against the database to check if a registered user is trying to log in.

3. The application generates a token and embeds it in a magic link. The token is also stored for later validation.

4. The application sends the user an email with the link. Additional parameters can be added to the link, such as expiry time and session limits.

5. When the user clicks the link, the application checks the token.

6. The user is logged in.

If the steps above sound familiar, it’s because something very similar happens during password reset flows. While password reset links send users to a page to create a new password, magic links grant users one-time account access. 

Magic link authentication has been adopted by many applications, Medium and Slack being two prominent examples.

Also read: Passwordless Authentication 101

Benefits of using magic links

Magic links make the lives of users, developers, and product owners easier. 

Users

• Fast and seamless login experience: Users just need to enter their email address to login to the application. There are also no hardware dependencies to use magic links, unlike some forms of possession-based and biometric authentication. Here, the email account is the “something only you have” for users.

• Avoiding password pain: Users avoid the challenges and bad behaviors driven by passwords. They don’t need to create, remember, and manage yet another password. They avoid the friction of password reset flows when they inevitably forget their password. They also won’t have to reuse passwords, reducing the risk of account takeover if their password gets stolen from another application’s data breach.

Developers and IT teams

• Easy deployment: Since magic links follow a similar flow to password resets, implementing them usually only takes some minor code adjustments. Frameworks like Rails have also started including this functionality out of the box, further simplifying deployment.

• Fewer support tickets: Support and help desk teams will no longer have to deal with the large volume of password-related support tickets. Magic links will also help reduce failed login alerts for the security team, especially false positives.

• Reduced attack surface: With magic links, applications can free up infrastructure otherwise dedicated to encrypting, managing, and storing passwords. This also reduces the attack surface by making databases less attractive targets for adversaries. 

Product and business owners

• Reduce user churn: The login process is usually fraught with user friction, leading to churn and lost revenue. Magic links remove friction and can actually make the login experience an enjoyable one, increasing the likelihood of repeat user visits.

• Increase conversions: Magic link authentication can help marketing and growth teams by reducing the number of abandoned cart transactions due to forgotten passwords. They can also be embedded in marketing emails and text messages, making them useful for sending reminders, discounts, and product updates. 

Drawbacks of magic links

While magic links solve a lot of existing problems with password-based authentication, they bring some risks of their own.

• Only as secure as the user’s email address: In theory, the user should be the only person with access to their email account. However, email accounts continue to be prime targets for phishing and credential stuffing attacks. An attacker who gains access to a victim's email account can use magic links to access other applications fraudulently.

• Less admin oversight: Admins don’t have any visibility into the email account of the user. Thus, they cannot be sure if other people can also access the user’s email. If the user’s device is lost or stolen, bad actors can get access to their email and magic links.

• Depends on the email service: Applications using magic links work with an email delivery service and are dependent on the reliability and performance of that service. Missed emails – or emails that go to spam folders – cause a bad user experience and can lead to drop-off.

• Susceptible to some attacks: Although magic links remove many password-related woes, they also come with a few chinks in their armor. They are vulnerable to man-in-the-middle (MITM) attacks if users are on an unencrypted network, since attackers can steal the token and gain fraudulent access. As mentioned earlier, magic links can also be phished “by proxy”, since access to the email account can be phished. 

When to use magic links

While magic link authentication has many use cases, it is not a one-size-fits-all approach. Here are some situations where magic links are a good candidate:

• When user login is infrequent: Magic links are usually provided at the beginning of a user session and grant single-use access. This form of authentication is ideal when the user needs to log in only once or infrequently e.g. mobile apps, email accounts, and workforce collaboration apps like Slack. 

• When user account creation is a priority: Magic links remove friction from the user login process, which is usually a large source of churn. For organizations that are focused on getting as many users into the application as seamlessly as possible, magic links are a good option.

• When another form of authentication is also present: As covered earlier, magic links are not immune to security risks if used on their own. However, pairing them with other forms of authentication such as WebAuthn or OTP reduces the likelihood and impact of these links being phished or compromised. Using magic links in a multi-factor authentication (MFA) flow enhances security while still providing a good user experience.

Magic links with Descope

Adding, updating, and modifying magic links in an application's authentication flows can be time-consuming. Descope makes it very easy for developers to add and customize magic links with the help of a drag-and-drop workflow editor, SDKs, and APIs.

Sign up for Descope and add magic links to your app with a few lines of code.