Magic Link Authentication- Choose the right path

Thukaraka
3 min readDec 24, 2020

--

Episode- 02

Fig.1. Different ways have their own pros and cons

Hello Friend!
In my previous article, I discussed What is Magic Link Authentication? and Why Magic Link Authentication? You can read that article here . In this article, I shall discuss different approaches used in the implementation. Let us examine the depth-in flow of magic link authentication.

Fig.2. Flow diagram of Magic-Link Authentication

Implementing the Magic Link Authentication

The communication flow between the user interacting the system

  1. User: Click the send Magic Link Button.
  2. System: Generate an authentication token that is unique to the user and embeds the generated token in the URL send to user by email.
  3. User: Click the magic link URL from the email inbox.
  4. System: Extract and verify the token in the magic link and return the authenticated status to the user if the token is valid.

The core of the implementation falls into two main things.

1.Token generation

2.Token validation

Different approaches to implement Magic Link Authentication.

Fig.3 Stateful Vs Stateless

Stateful Implementation

1. Generate an authentication token as an arbitrary string. (e.., a random string).

2. Store the generated tokens in the server’s data store with associate user info and expiration date.

3. Send generated token with the magic link.

4. Token verification is accomplished by matching the state of the token stored in the server’s data store.

Fig.4. Pros and Cons of Stateful

Stateless Implementation

1. Generate an authentication token with user information that is digitally signed

2. Send generated token with the magic link.

3. Token verification is accomplished through electronic signature verification.

The main difference between these two types of implementation is that stateful implementation needs a separate datastore on the server-side whereas a stateless implementation does not require that. To achieve a stateless implementation JSON Web Token (JWT) can be used. Stateless authentication stores the user session data on the client-side. The data is signed by the key of IdP to ensure the integrity and authority of the session data. Since the user session is stored on the client-side, the server only can verify its validity by checking whether the payload and the signature match.

Fig.5. Pros and Cons of Stateless

Why it is good to use JWT in Magic Link Authentication via Mail?

A Compromised email account seems to be a moot point because a password can be retrieved using a password reminder. We already depend on email accounts. Furthermore, the security around email is far superior (device recognition for example) to most self-built applications. Passing the JWT token as a query string parameter is not a risk if you use HTTPS.

Fig.6. The Flow of the Magic Link authentication with JWT

You can experience the existing Magic Link implementations in Medium, Slack etc.

Fig.7. Magic Link WorkFlow in Medium

References

[1] https://magic.link/

[2] https://product.qz.com/implementing-passwordless-login-with-magic-links

[3] https://reallifeprogramming.com/how-to-implement-magic-link-authentication-using-jwt-in-node-8193196bcd78

Thank you for reading …

--

--

Thukaraka
Thukaraka

Written by Thukaraka

Software Engineer@ SyscoLabs Sri Lanka| Undergraduate | Computer Science and Engineering | University Of Moratuwa

No responses yet