How do magic links work and why should you use them?
Learn how magic links work from a technical, security, and UX perspective and why you should use them.
According to this NordPass survey, the average American has over 168 online accounts. Yet 48% of passwords are being reused, according to this Dashlane report.
Humans just can’t remember so many strong passwords. There has to be another way.
With magic links, you don’t need a password to log in. You simply enter your email, click the link sent to you, and you’re in.
In this article, we will:
- Discuss how magic links work on a technical level.
- Review the security implications of using them.
- Look into how they improve the customer’s experience.
Let’s start by explaining what magic links are.
What are magic links?
Magic links are a passwordless authentication method that allows users to log in to an application through a unique, one-time-use link sent to their email. When a user wants to access an app, they provide their email address, and the system generates a special URL containing a unique token. This link is then emailed to the user. Clicking the link verifies their identity, granting them access without needing to enter a password.
These links act like temporary keys with a built-in expiration. Once the user clicks the link and logs in, it becomes invalid, or it may expire after a set period to prevent unauthorized access. The idea behind magic links is to simplify the login process while avoiding common password-related problems, such as weak passwords, forgotten credentials, or password reuse.
How magic links work
Magic links have a similar setup to one-time password (OTP) authentication, and they go through the same flow as a “Forgot Password” workflow. At a high level, the process looks like this: a user gives an email address to an app, clicks the magic link sent to their email, and voilà, they’re logged in.
One of the most well-known magic link authentication flows is Slack’s process. Slack leans into the “magic” aspect and enhances the experience with a magic wand, as seen below.
From an end-user’s standpoint, a magic link sure does seem like magic. But really, it’s just using tokens and hash functions.
Let’s take a look from a technical standpoint. (Note that all code below is pseudocode.)
- A user visits an application or website.
- The website requests the user’s email address.
- The user enters their email address.
- The application generates a token for the magic link and forms the magic link.
- The application sends the magic link URL to the user’s email.
- The user opens the email and clicks on the magic link.
- The application receives the request at the magic link endpoint.
If a user is not found in the system, the app won't authenticate them, and nothing further will happen. By not providing any additional error messages, you prevent giving away clues about which email addresses are registered, making it harder for hackers to identify valid accounts.
Pretty easy, right? With fewer than 10 steps, it closely resembles the 'Forgot Password' flow many users are already familiar with, except without the added step of setting a password.
Now that you understand how magic links work, let's take a closer look at the security implications you should consider before implementing them.
The security implications of magic links
From a developer’s perspective, magic links are a very appealing form of user authentication. There’s no extra hardware to purchase and barely any new code to write if you already have a “Forgot Password” workflow.
However, they come with certain security trade-offs. The main burden of ensuring security falls on the user and their email provider, which means magic link authentication isn’t as secure as some other authentication methods.
Magic links are susceptible to several risks:
- Device loss or theft: If a user's device is lost or stolen, an unauthorized person could access the magic link in the user's email, potentially gaining access to your app.
- Email account compromise: If the user’s email password is hacked, a malicious actor could access the inbox and retrieve the magic link, leading to unauthorized login.
- Man-in-the-middle (MITM) attacks: Magic links are also vulnerable to man-in-the-middle (MITM) attacks if the user is on an unencrypted network, which would let the hacker steal the token.
Because magic links rely on the security of the user's email, a lot of responsibility is shifted to the user. The best you can do is recommend steps they can take to protect themselves:
- Enable multi-factor authentication (MFA) for their email account.
- Use a secure email provider.
- Avoid using networks without encryption.
Unfortunately, none of these can be enforced by your application; they remain recommendations.
Similar to passwords, magic links may be shared with others, often unknowingly, increasing security risks. Enforcing restrictions on link sharing is difficult, which leaves the account vulnerable if the link falls into the wrong hands.
Here are some of the best ways to be sure that magic links aren’t shared beyond the account holder:
- Mitigate risk by making each magic link work only one time.
- Set an expiration time for each magic link (e.g., 15 minutes).
- Require that the link be opened in the same browser or on the same device that requested it.
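A minimal implementation of the issue-and-redeem flow from the steps above, combining the three restrictions just listed (one-time use, a 15-minute expiry, and a same-browser check). This is an added example, not code from the article or from WorkOS; it assumes an in-memory dict standing in for the database, a random `browser_cookie` value set in the user's browser when the link was requested, and the hypothetical host `app.example.com`.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

LINK_TTL_SECONDS = 15 * 60          # expire links after 15 minutes

# Constructed stand-ins for a database: registered users and pending links.
USERS = {"alice@example.com"}
PENDING: Dict[str, dict] = {}       # sha256(token) -> {email, exp, browser}


def _hash(token: str) -> str:
    # Persist only a hash so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, browser_cookie: str,
                     now: Optional[float] = None) -> Optional[str]:
    """Build the link to email to the user, or None for an unknown address.
    The HTTP handler should answer identically in both cases so it does not
    reveal which emails are registered."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    # Requesting a new link invalidates any earlier one for this account.
    for h in [h for h, r in PENDING.items() if r["email"] == email]:
        del PENDING[h]
    PENDING[_hash(token)] = {"email": email, "exp": now + LINK_TTL_SECONDS,
                             "browser": browser_cookie}
    return f"https://app.example.com/magic?token={token}"  # hypothetical host


def redeem_magic_link(token: str, browser_cookie: str,
                      now: Optional[float] = None) -> Optional[str]:
    """Endpoint logic: return the email to sign in, or None if the link is
    unknown, expired, already used, or opened from a different browser."""
    now = time.time() if now is None else now
    record = PENDING.pop(_hash(token), None)  # pop: a presented link is single-use
    if record is None or now > record["exp"]:
        return None
    if not hmac.compare_digest(record["browser"], browser_cookie):
        return None
    return record["email"]
```

Because the raw token is never stored, an attacker who reads the `PENDING` table cannot reconstruct a working link; the `now` parameter exists only so expiry can be exercised deterministically.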
Despite these challenges, magic links still have a significant advantage: they eliminate the risks associated with weak or reused passwords. There’s nothing for hackers to brute-force or phish away from a customer.
They can be appropriate for many consumer-facing applications, such as entertainment, online shopping, or social media, where convenience and ease of access are top priorities. In these cases, the risk associated with magic links is typically lower, and users benefit from a frictionless login experience.
However, for apps handling highly sensitive data, such as financial services, healthcare, or government-related information, magic links may not provide sufficient security. These industries often require more stringent authentication measures, such as multi-factor authentication (MFA), biometric verification, or Single Sign-On, to meet regulatory requirements and safeguard sensitive data.
How magic links provide a great customer experience
Magic links are intuitive, familiar, and simple for end users. If you care about providing a great customer experience, magic links are the go-to for user authentication. After all, what’s easier than typing in your email address (which, hopefully, you know by heart and don’t have to look up, unlike a password) and then clicking a link?
Magic links can, however, get complex. An easy user experience often creates tension with the security concerns we mentioned above. You have to strike a balance between security and usability.
Here are the factors you should consider:
- Spam filtering issues: Sometimes, email providers mark magic link emails from new senders as spam, funneling an important email into the rarely-visited spam folder. Your user might request link after link, not realizing they’re being sent to spam. Use a reputable email provider with an IP address that common spam filters recognize as trustworthy (such as one without many complaints).
- Expiring previous links: If your app sends a magic link, for instance, and the user requests another — should it expire the first one? Users can easily end up frustrated if they’re clicking through multiple emails and links, looking for the most up-to-date one. (Of course, users could likely stand to be more patient, but in the heat of login frustration, we can’t count on that.)
- Restricting browser sessions: Some sites restrict users from using magic links outside of the same browser session where users requested the magic link. A magic link appears a whole lot less magic when you exit your browser and find it doesn’t work when you do eventually try to log in.
But of course, there’s the balance: This restriction helps ensure magic links don’t live for too long. Magic links that persist for too long can become security vulnerabilities.
Despite these complexities, the benefits of a simple and user-friendly login experience are often worth it:
- Increased sign-ups and logins: Easy user experiences tend to be good for business. If account creation is easy to do, more users will be willing to sign up (especially if creating an account provides extra benefits). Plus, magic links work across devices, which means users can easily log in on their tablet, laptop, desktop, and mobile device.
- More insights: Sometimes, users already have accounts but don’t bother to log in. That means the applications are losing out on valuable user-behavior data by not being able to associate that user’s visit with their account. Getting them to log in is paramount. If you can tempt them to log in by making it easy, you’ll get access to that sweet and savory data.
- Better engagement: Do you know any PMs? They’re likely to tell you that one of their biggest headaches is directing customers to new features and upping engagement. Magic links can help drive user engagement by directing users to new features right after they log in.
Adding magic links for your app with WorkOS
Want to give magic links a try? With WorkOS, magic links are free for your first one million users. You can use your email service and custom-branded email template to send the link to the user.
Plus, if you decide to offer Single Sign-On (SSO) down the line, the transition will be seamless because implementing magic links already sets you up for SSO — both methods use the same process to fetch user profiles.
Ready to get started? Check out the example apps or follow this launch checklist to go live.