Issues I’ve encountered building an app with magic links:
1. Include a fallback sign-in code in your magic link, in case the user needs to log in on a device where accessing their email isn’t practical.
2. Make sure the sign-in link can handle email clients that open links automatically to generate preview screenshots.
3. Ensure the sign-in link works with email clients that use an in-app browser instead of the user’s preferred browser. For example, an iOS user might prefer Firefox mobile, but their email client may force the link to open in an in-app browser based on Safari.
We've been using Magic Links for a few years (and yes, one reason was to avoid the security issue of storing user passwords when we were just at MVP stage) and found the top problems with it are:
1. Some users (0.1%) just don't ever get the email. We tried sending from our IP, sending from MailGun, sending from PostMark, having a multi-tier retry from different transactional tools. Still, some people just will not ever be able to log in.
2. People click old Magic Links and get frustrated when a 6-month old link "doesn't work". We've decided to remedy that by showing them a page that re-sends the link and explains the situation (like Docusign does) instead of an error message.
3. People will routinely mis-spell their email and then blame the system when they don't get the code.
All of this still results, I feel, in way fewer support tickets than the email+password paradigm, so I'm still in favor of Magic links.
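As an added example (not from any commenter or from the article), here is a minimal in-memory magic-link service in Python that implements the three points from the first list and the re-send behaviour above: the mail carries a link token plus a short fallback code, a GET on the link (what preview generators and link scanners perform) only validates and renders a confirm button while the POST consumes the token, and an old or already-used link reports a distinct state so the UI can show a re-send page instead of an error. The base URL, the 15-minute TTL and the attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LINK_TTL = 15 * 60            # assumed: a link is valid for 15 minutes
MAX_CODE_ATTEMPTS = 5         # assumed: guesses allowed against the short code
# Short-code alphabet without 0/O/1/I, so it survives being read out or retyped
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class PendingLogin:
    email: str
    token_hash: str       # only hashes are stored, as with password hashes
    code_hash: str
    created_at: float
    consumed: bool = False
    attempts: int = 0


class MagicLinkService:
    def __init__(self, base_url: str = "https://app.example/login", now=time.time):
        self.base_url = base_url      # assumed placeholder URL
        self.now = now                # injectable clock, so expiry can be tested
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, email: str) -> dict:
        """Create a login request; returns what goes into the e-mail (link + code)."""
        rid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)                                # 256-bit link secret
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))  # 40-bit fallback code
        self._pending[rid] = PendingLogin(
            email, self._digest(token), self._digest(code), self.now())
        return {"request_id": rid, "email": email, "token": token, "code": code,
                "link": f"{self.base_url}?rid={rid}&token={token}"}

    def _lookup(self, rid: str) -> Tuple[Optional[PendingLogin], str]:
        p = self._pending.get(rid)
        if p is None:
            return None, "unknown"
        if p.consumed:
            return p, "used"
        if self.now() - p.created_at > LINK_TTL:
            return p, "expired"
        return p, "ok"

    def preview(self, rid: str, token: str) -> str:
        """GET handler. Mail clients prefetch links to build previews, so a GET must
        never consume the token: it only validates and renders a 'Sign in' button
        that POSTs to confirm()."""
        p, state = self._lookup(rid)
        if state != "ok":
            return state
        if not hmac.compare_digest(p.token_hash, self._digest(token)):
            return "invalid"
        return "confirm"

    def confirm(self, rid: str, token: str) -> Tuple[str, Optional[str]]:
        """POST handler, reached only by a deliberate click. Consumes the token.
        'expired' and 'used' come back as states, not errors, so the UI can
        offer a re-send page."""
        p, state = self._lookup(rid)
        if state != "ok":
            return state, None
        if not hmac.compare_digest(p.token_hash, self._digest(token)):
            return "invalid", None
        p.consumed = True
        return "signed_in", p.email

    def redeem_code(self, rid: str, code: str) -> Tuple[str, Optional[str]]:
        """Fallback for a device where opening the mailbox is impractical: the user
        types the code from the e-mail on the device that started the login."""
        p, state = self._lookup(rid)
        if state != "ok":
            return state, None
        p.attempts += 1
        if p.attempts > MAX_CODE_ATTEMPTS:
            p.consumed = True                  # burn the request; the link dies too
            return "locked", None
        if not hmac.compare_digest(p.code_hash, self._digest(code.strip().upper())):
            return "invalid", None
        p.consumed = True
        return "signed_in", p.email

    def resend(self, rid: str) -> Optional[dict]:
        """Backs the re-send page shown for an old link: a fresh request, same address."""
        p = self._pending.get(rid)
        return None if p is None else self.issue(p.email)
```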
I've been a loyal Mercury customer for a while now, but their forced use of magic links as a third authentication factor any time my IP address changes (after authenticating with a secure password from my password manager and after a valid TOTP) has me ready to move my company's banking elsewhere.
I could understand requiring a third factor to authenticate if signing in from a different location or a different ISP than I've been using for the past 5 years, but it's ridiculous to do so if nothing has changed (except the final octet of my DHCP-assigned address) since I last signed in yesterday. I use a different computer (via SSH) to read my email than I do for web browsing, and cutting-and-pasting a sign-in link that's hundreds of characters long (spanning multiple lines in Emacs, so I have to manually remove \ where it crosses line boundaries) is a PITA.
Adding friction on every sign-in colors all subsequent interactions I have with an app, and makes me hate using it.
I think this is really great as a response to 404's post last week. I love 404 but I'm as annoyed by Magic Links as OP for the same reasons they mention.
Ricky Mondello wrote a really great blog last week[1] about how passkeys, as OP alludes to at the end, can be used alongside Magic Links, which I think is worth a read.
Am I misunderstanding something, or are passkeys not actually an alternative to magic links?
Every implementation of passkeys I've seen has presented me with the option to create a passkey after I've already logged in with some other method. I'll admit that I haven't dug into it deeply, but the UX I've been presented with consistently makes passkeys appear to be an alternative to the "Remember this computer" button, not to passwords in general. Somehow the service has to know that this new device is authorized. I know depending on the provider there's such a thing as passkey syncing, but that doesn't solve the problem of getting the initial authentication done.
The key insight with magic links is that your security system is no stronger than its recovery mechanism. We are never going to get to a world where passkeys are treated as the only authentication mechanism—there will always be a recovery mechanism, and in most cases an automated one via email. Given that that is the case, magic links simplify things by just not pretending that we have a more secure layer on top. By making the recovery mechanism the primary means by which you interact with the authentication flow you're being more honest about the actual security of your auth system.
I refuse to use any service that only supports magic links for auth. It is incredibly user-hostile, and absolutely worse from a security perspective than passwords (with a password manager). Most critically it simply does not work in my personal setup where I do not have access to my email account from the machine I am using to login, precisely for security reasons and the safety of my accounts.
Anthropic has been the one exception to this personal policy simply because Claude is the best LLM out there. But it's a mountain of pain every time I have to re-login, and I've complained to them multiple times about this.
Best implementation I see of this requires you to click the link on whatever device you receive the email on, but it doesn’t transfer the session there - it just triggers completion of the login process on whatever device you initiated the process on.
> Anti-mobile. As mentioned by 404 in their own article, this breaks the ability to use in-app browsers, which is quite annoying especially for RSS reader type apps. It makes interacting with any local link in the RSS feed extremely annoying.
To be fair, in-app browsers should die, especially those without an "open in regular browser" opt-out – which RSS readers should readily offer anyway.
Way better option: emailed OTP code and passkey with Conditional Mediation UI. If the user is logging in from a device that already has a passkey, the CM UI will let them just select it and log in instantly. If they are logging in from a device which doesn't, we can make the UX such that it asks them to enter the emailed code, and after that succeeds it immediately asks the user to set up a passkey for instant sign-in.
This gets the best of both worlds: the security of passkeys on existing devices, and the passwordless setup and account recovery for new devices.
Bonus: it even avoids vendor lock-in where cloud providers have all your passkeys.
I suspect a hidden "benefit" to the companies implementing this is that it makes it much harder to share your account. You are probably happy to share your Netflix password with your mom, but not your email password.
They can present it as a "more secure" login method, obscuring the reason they actually like it.
I like the Kagi qrcode login option. You scan the QR code with any device you are already logged in on and boom, you can log in with a button. It's like Steam Guard but with no app. It’s in fact so simple that I don’t understand why it’s not universal.
You still need another method for the first login.
Magic links are so, so stupid.
Sure, make it an option for Grandma, but don't trot them out like they're amazing, they're terrible.
God I hate the way the Internet is going - idiots making technical decisions.
I seriously HATE magic links. My email inbox is barely better than a social network's time suck. Lots of urgent, little important, wrecks any flow I had.
Forcing me into my inbox is highly likely to cause me to forget about the reason I was there (to get into your app). Or, at best, it slows me way down and nearly always breaks my flow.
Perhaps this is acceptable for the security boost (?) for the average user, but man, when I get forced into magic links I sometimes just abandon the app altogether.
Disclaimer:
1. I have/pay for a password manager, which helps with the forgotten password problem a lot. It also allows me to have extremely hard-to-crack passwords.
Good post. I chose to only implement magic links in a previous project and had an issue with users complaining that the (one-time) link would always be expired when they clicked. I could not reproduce it and just left it. Then this thread appeared and I instantly knew the problem: email client previews. Lesson learnt.
The article doesn't even touch "people enter their email incorrectly when registering an account".
I've received magic links to my Gmail account that belong to other people, for accounts that have ordered flight tickets, or clothing, or digital services.
Those people, I guess they now have no way to access their online account, as they cannot password reset (if that was the fallback), or change their email (usually requiring confirmation), or receive their magic link.
There's nothing I can do here, except to delete the email. I don't have any indication as to what the correct email should be, and the person's name is the same as my legal name and there are a lot of people with that name in the world.
Few services verify an email during sign-up, because I'm sure data shows that added friction during sign-up results in fewer people signing up.
Virtually all online streaming services in India now use an OTP sent to the registered mobile number as the way to log in to the app on any device.
Magic links and OTPs have become common for many other sites I use -- Udemy, Teachable etc. come to mind.
Recently I bought a cheap "smart watch" for my kid. Mostly for the digital display with configurable clock faces and simple step counting. The app would refuse to activate the watch unless we provide a valid mobile number and OTP. Why the hell do I need to give them a working mobile number just to use a smartwatch? Even if I wanted (which I did not) to get notifications / calls / texts / caller ID / contacts from my paired smartphone ... the smartwatch app does not need to know my phone number for that functionality to work. Feel so powerless.
My data point as an edge case: on a certain website, I have a throwaway account registered with a throwaway Gmail account. I don't use that Gmail account for anything else, and in order not to affect my regular Gmail login, I use an incognito window. Now, whenever I need to log in to the website on a new device, I have to log in to Gmail as well (since the login credentials are never kept between sessions). This has been very annoying, and would not happen with a password with 2FA.
I'm having a good experience with a recently implemented magic link system. I did it via WhatsApp instead of email, which is much more reliable. Of course, this is only possible because in my country every single person uses WhatsApp.
I'm building something for a very tech illiterate audience, and everybody loves the simplicity of it.
I have a very personal reason to hate magic links:
I'm quite fast at passwords and 2fa. The whole thing is second nature, I have a password scheme to deduce the password for any site but keep them long and high entropy, and I can do 2fa calculations from any trusted device without taking my hands off the keyboard (thanks to oathtool), and anyway my passwords are sync'd securely and I can look them up with hands on keyboard.
This is strictly better than "single point of email failure". Why force me to be less secure and less usable?
Please, just allow me to use passwords and regular old TOTP.
Honestly, having run a number of experiments with magic links, I wouldn’t recommend them. We saw our login success drop noticeably. We tried a few different approaches over the course of a quarter but even our best attempt only mitigated the drop compared to having email/password and Google Login.
Obviously, your mileage may vary but it was a good reminder to always validate your assumptions, especially in your critical user flows.
I've never liked magic links. I've found multiple sites that will just clobber the existing login session when you access the magic link, meaning someone could trick you into logging into another account.
I created a bar management/sales platform for our group of friends. It's self service so people purchase their products on their phone and pay later.
People get... intoxicated... after which passwords appear to become quite the problem. Magic links solved that.
To solve the multi device and in-app browser problem people can also open the links on another device. That'll show a short code they can enter on the original device to actually log in. It's not perfect, but it works.
I do fully agree that passwords should always be an option as well.
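As an added example (not from any commenter), the cross-device flow described in the two comments above, and the session-clobbering problem raised earlier in the thread, implemented in Python: the browser that starts the login gets a cookie nonce, the e-mailed link may be opened on any device and only marks the request approved, and the session is issued solely to the holder of that cookie, refusing to silently replace an existing session for a different account. The approve URL and the 10-minute request lifetime are assumed values; the variant where the other device shows a short code to type on the original one would sit on top of the same request state.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REQUEST_TTL = 10 * 60                          # assumed: a pending login lives 10 minutes
APPROVE_URL = "https://app.example/approve"    # assumed placeholder URL


@dataclass
class LoginRequest:
    email: str
    nonce_hash: str      # hash of the cookie held only by the originating browser
    token_hash: str      # hash of the secret inside the e-mailed link
    created_at: float
    approved: bool = False
    finished: bool = False


class CrossDeviceLogin:
    def __init__(self, now=time.time):
        self.now = now                              # injectable clock
        self._requests: Dict[str, LoginRequest] = {}
        self.sessions: Dict[str, str] = {}          # toy session store: id -> email

    @staticmethod
    def _h(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def start(self, email: str) -> dict:
        """Called by the browser the user is actually logging in on. 'cookie' is set
        there (HttpOnly); 'link' goes into the e-mail. Nothing else learns the cookie."""
        rid = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self._requests[rid] = LoginRequest(email, self._h(nonce), self._h(token), self.now())
        return {"rid": rid, "cookie": nonce, "token": token,
                "link": f"{APPROVE_URL}?rid={rid}&t={token}"}

    def _state(self, rid: str) -> Tuple[Optional[LoginRequest], str]:
        r = self._requests.get(rid)
        if r is None:
            return None, "unknown"
        if r.finished:
            return r, "used"
        if self.now() - r.created_at > REQUEST_TTL:
            return r, "expired"
        return r, "ok"

    def approve_via_link(self, rid: str, token: str) -> str:
        """POST handler for the e-mailed link, on whichever device opened the mail
        (phone, in-app browser, the mail machine). It only flips the request to
        approved; no session is created here, so whatever account this browser is
        already logged into stays untouched, and a link you were tricked into
        opening cannot switch your session to someone else's account."""
        r, state = self._state(rid)
        if state != "ok":
            return state
        if not hmac.compare_digest(r.token_hash, self._h(token)):
            return "invalid"
        r.approved = True
        return "approved"

    def finish(self, rid: str, cookie: str,
               current_user: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """Polled by the originating browser. The session is issued only to the holder
        of the cookie from start(); if that browser already has a session for a
        different account, report a conflict so the UI can ask, instead of silently
        replacing it."""
        r, state = self._state(rid)
        if state != "ok":
            return state, None
        if not hmac.compare_digest(r.nonce_hash, self._h(cookie)):
            return "forbidden", None
        if not r.approved:
            return "pending", None
        if current_user is not None and current_user != r.email:
            return "conflict", None
        r.finished = True
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = r.email
        return "signed_in", sid
```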
Been saying this for a bit now. OTP/magic links have some upsides but the second your SMS or email provider doesn't deliver said thing your users are in trouble.
> Stratechery, powered by Passport, uses this type of scheme (click link OR type in OTP), which is still shifting annoyances onto end-users to free developers from implementing passkeys, but at least has a bit more of an appreciation for end-users.
With Stratechery, once you get to the website with the magic link, I can then copy the authenticated podcast RSS feed to Overcast and the authenticated RSS feed for the articles to NetNewsWire.
Those subscriptions are then synced to Overcast and NNW on my iPad and Mac via iCloud.
Each podcast RSS link is personalized and you go to the show notes page and click on the link to Manage your account. It will take you to the website using the embedded browser where you can manage your subscription and get access to the various feeds.
Speaking of Overcast, even though it doesn’t create a username and password by default, you can create one. But it’s only to access the web version of Overcast.
I hate those tragic links; some of them were sent from a third party and infested with tracking links. Worse, it looks like it's from the site I'm logging in to, but the href is a tracker with a redirection to the actual link. I see this frequently because my DNS blocks those trackers.
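As an added example (not from the commenter), a small Python check that parses the HTML of a login mail and flags anchors whose href points outside the sender's own domain, uses plain HTTP, or shows one URL as visible text while the href goes somewhere else, which is exactly the tracker-redirect shape described above. The sample mail, the domains in it and the two-label domain heuristic are constructed for the example.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample of a login mail: the first anchor shows the site's own URL as
# text, but its href goes through a third-party click tracker that redirects later;
# the second anchor links to the site directly.
SAMPLE_EMAIL_HTML = """
<p>Click to sign in to App Example:</p>
<a href="https://click.tracker-example.net/r?u=https%3A%2F%2Fapp.example%2Flogin%3Ft%3DTOKEN">https://app.example/login</a>
<p>Or use the direct link:</p>
<a href="https://app.example/login?t=TOKEN">Sign in</a>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a href> in the mail body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: good enough for the sample;
    production code would consult the public suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_links(html: str, sender_domain: str) -> List[dict]:
    """Flag anchors whose target is not the sender's domain, is not HTTPS, or
    whose visible URL text disagrees with where the href really points."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        if registrable_domain(host) != sender_domain.lower():
            reasons.append(f"host {host} is outside {sender_domain}")
        # Visible text that is itself a URL must agree with the real destination
        shown_host = urlparse(text).hostname if "://" in text else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            reasons.append("displayed URL differs from href")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings
```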
I once had an app send me a code in the email. But if I opened my email app to check the code, and then returned to the app to enter it, it would lose context! It would ask me to enter my email again, and proceed to send a new code. There was no way to log in using only my phone.
I'm okay with magic links IF the website using it doesn't invalidate my session for no reason after some random period. If I have to do the email song and dance every week I'm very likely to eventually not bother with the product (looking at you Claude).
While I agree with most of what he says, I really don't get why people would push for passkeys like this; it's probably the worst system in existence in terms of UX (as the one most likely to get you locked out of your account) while providing minimal security benefits (the account recovery mechanism is the weakest link in the chain, and as such it's not any better than magic links). The only ones benefiting from passkeys are Google and Apple (and app/website owners who can't avoid mismanaging user passwords, but they have little stake in this game anyway).
I agree with magic links being bad, but passkeys aren't the right solution for multiple devices either, because it requires sharing the account or password manager they're saved in between devices, and I'd rather keep my private accounts and passwords away from work devices. With plain old passwords, I can open my password manager on a trusted device and type the password into an untrusted one.
Revolut [1] does this and while I like their service overall, I hate the login mails. My email box is full of these login mails and it feels like abuse of the email system to me. I have all kinds of alternatives, Yubikey, TOTP, Password Manager etc. - everything would be better than this magic login link.
> Of course, as stated in the article, such email links are harder to phish than passwords
On the other hand, training users to expect and use hard-to-read login links in emails is not really good either. It promotes a broad range of scams, phishing, and potential malicious code exploits, even if a particular sender's site has been hardened somehow (e.g. a TOTP app on a phone).
Feel like the solution to this problem is probably to offer an app that turns magic links into notifications. As well as to probably untether the magic link from the cookie in the browser, so that you are not required to hit the magic link in the same browser that you called the link from.
Username and password combo works. All these ceremonies around OAuth, passkeys, and magic links solved one problem but introduced two more. My job as a service provider isn’t to coddle people who can’t be bothered to use a password manager.
Auth is the worst part of building a service and sucks all the fun out of it. API auth is a mess because people can’t keep a token string secret. Now we need JWTs, OAuth, token refreshing, and a whole bunch of BS that no one enjoys.
One reason why OpenAI and Anthropic APIs are so much more fun to use than Google and AWS offerings is that you get a token and are responsible for keeping it safe. It makes the entire workflow dead simple. I’m not creating a new project or fiddling with IAM just to try out an endpoint.
Most users do live with a single device. If they have a work computer, they also have a work email (the client of which is unfortunately probably already open for other reasons when they want to log in to the site).
The most-devices people I know are those who have a laptop, phone and tablet. That's it, I literally cannot think of anyone I know with more than this, and most of those with tablets are using it for games or reading or for the kids.
Magic links are indeed the best solution for the average user. Type in your email with autocomplete, get a notification from the mailbox, click, click, and you're in.
I really hate magic links. Only time I think they could be acceptable is if it is an app where you just log in once or maybe once every couple of years.
I recently encountered a food delivery website that insisted on a magic link / 2FA code check after a password login. Come on... I'm trying to order a pizza.
If you want strong security, offer passkey login. It's safer than email and much more user friendly especially with FaceID/TouchID on Apple devices.
Magic links are so useful in specific circumstances. We have a client with hundreds of users that infrequently need access to a bespoke tool.
Setting up and managing user accounts for them is out of the question, but a magic link letting them sign in using an email of their corporate domain solves the issue easily.
Just a pet peeve with passkeys (and other authN) that presses users towards biometrics -
In the US, because of the Fifth Amendment Self-Incrimination Clause, passwords cannot be demanded. Passwords are testimonial evidence. [United States v. Hubbell (2000); re Grand Jury Subpoena Duces Tecum (11th Cir. 2012)]
Biometrics on the other hand are not. The court ruled that a defendant could be compelled to unlock a phone with biometrics because it is not testimonial. [Commonwealth v. Baust (Virginia, 2014); State v. Diamond (Minnesota, 2017)]
Basically, passwords cannot be compelled to be disclosed, while biometrics can.
There is a similar legal stance in Canada, the UK, Australia, India, Germany, and Brazil, to name a few.
Finally, under duress, passwords can be held, while biometrics cannot, without self harm.
> 1. Multiple devices. Who doesn’t use at least a few computers weekly? I don’t have my email on my gaming PC, nor do I have it on my work laptops.
"Who doesn’t use at least a few computers weekly?"
I don't. And many, many other people.
See what I did there? I assumed that everyone's like me, just like you did in your blog post. Without data, both of us are wrong.
----
I'd add that magic links also act as a distraction: you open your email client, and it by default opens your inbox, and you start going through all of those unread emails that you just found in your inbox...
Shopify is a big proponent for magic links because they went all-in on their new "Shop" customer accounts. What a disaster.
Branding something with such a generic word as "shop" is terrible, and the average customer doesn't understand that it's supposed to be a brand name.
Magic/tragic email links: don't make them the only option
(recyclebin.zip)706 points by gepeto42 7 January 2025 | 504 comments
Comments
[1]: https://rmondello.com/2025/01/02/magic-links-and-passkeys/
Edit: filmgirlcw has a link to an article that is much better than this one that explains how the two actually complement each other: https://news.ycombinator.com/item?id=42628226
When links in email come to mind, so does phishing.
I hate these magic links a lot.
1. enter username
2. choose password or magic link (select password)
3. enter password properly
4. Thank you for logging in. Please click your magic link to log in.
Why did you waste my time putting in a password when the magic link was the only option?
Our response to above: https://wideangle.co/blog/passwordless-authentication-magic-...
Conclusions:
Magic Links good? Yes.
Magic Links the best? No.
We dumped them for a host of reasons, but included in there was their use of tragic link logins.
Absolute clowns. Glad to see this practice getting the negative attention it deserves.
[1]: https://www.revolut.com
Since the application only sends a weekly email (a markdown template for goal/task tracking) it seemed easier to just use a magic link, only.
I am happy at how much easier the auth code ended up, and fail to see much downside for such an application.
I'm not sure it would be a good system for more complex apps and services.
Unfortunately blocked on my (work) network -- classified as miscellaneous / unknown category.
Agreed with some other folks that passkeys are not a replacement for email verification.
Would it be possible to bookmark the login link so that in the future I don't first have to go to my email in order to log into the service?
There are even cooler ways that are already working, including nsec bunkers.
This is the way of the future IMHO, most people just don't know it yet.
Even something small like email -> hit enter -> then we show password input, will cause me to stop using your service.
Don't send me a link, tell me where to find it, after I log in.
What? You have your email on literally every device -- be honest.