Why magic link authentication?

Thukaraka
3 min readNov 3, 2020

Episode — 01

While most of us are used to traditional password-based login, magic links are a form of passwordless authentication. Instead of the user typing credentials, the system sends a link containing an embedded token to the user's email address (or sometimes by SMS). The token embedded in that link is only allowed to authenticate the login request from the same device and browsing context that initiated the request; in any other context the authentication fails. For example, an iOS user who starts the login in the Chrome browser and then taps the magic link will have iOS open the link in the default Safari browser, which is a different browsing context, so the authentication fails.

How do magic links work?

Fig 01

1. The user visits the login page, enters his/her email address, and submits the form.

2. The system checks that the email address is registered and sends a magic link to that address.

3. The user clicks the link; if the link is valid and has not expired, the login completes.

A magic link is a one-time credential: when the latest link is issued, every previously issued link for that user is invalidated. The link's expiry time can be tuned to the level of security we need, and we can also decide how many failed attempts are allowed on an issued link within its expiry window. If a link fails, a new link has to be requested.
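The three-step flow above, together with the one-time, expiry, attempt-limit and same-browser rules, as an added example that is not part of the original post. It assumes the browser context is bound by a random nonce stored in a cookie when the form is submitted (so a link opened in another browser, like the Chrome-to-Safari case, carries no matching nonce), and that only a hash of the token is kept server-side; the URL, email addresses and timestamps are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time


class MagicLinkService:
    """Issues and verifies single-use, expiring magic-link tokens (added example)."""

    def __init__(self, ttl_seconds=900, max_attempts=3, registered_emails=()):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.registered = set(registered_emails)
        self.links = {}  # sha256(token) -> record; the raw token is never stored

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_link(self, email, browser_nonce, now=None):
        """Steps 1 and 2: for a registered email, issue a fresh link and
        invalidate every link previously issued to that email."""
        now = time.time() if now is None else now
        if email not in self.registered:
            return None
        for h in [h for h, r in self.links.items() if r["email"] == email]:
            del self.links[h]
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self.links[self._hash(token)] = {
            "email": email, "nonce": browser_nonce,
            "expires": now + self.ttl, "attempts": 0,
        }
        return "https://login.example.test/magic?token=" + token  # constructed URL

    def verify(self, token, browser_nonce, now=None):
        """Step 3: accept the token only if it is unexpired, unused and presented
        from the browsing context that requested it. Returns the email on success."""
        now = time.time() if now is None else now
        h = self._hash(token)
        rec = self.links.get(h)
        if rec is None:
            return None  # unknown, already used, or superseded by a newer link
        if now > rec["expires"]:
            del self.links[h]
            return None
        if not hmac.compare_digest(rec["nonce"], browser_nonce):
            rec["attempts"] += 1  # wrong device/browser: count a failed attempt
            if rec["attempts"] >= self.max_attempts:
                del self.links[h]  # too many failures: a new link must be requested
            return None
        del self.links[h]  # single use: consume on success
        return rec["email"]
```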

What makes password authentication obsolete compared to magic link authentication?

When credentials are used without our knowledge, our sensitive data and passwords may be compromised. HaveIBeenPwned can be used to see where breaches have occurred, affecting companies like Adobe, Kickstarter, etc. Users find it hard to remember long passwords, so they reuse the same passwords across different applications. If attackers steal a database that stores passwords, they can directly make hundreds of billions of attempts to recover plaintext identifier + password pairs. Once they find such pairs, they will likely try them on other applications, such as bank accounts, which is a tremendous issue.

To prevent user sessions from being hijacked, users need to be re-authenticated for every request, which means entering a password every time; and each time credentials are entered, users are exposed to phishing attacks.

What are the advantages of using Magic Link authentication?

If the magic link plays the central role in authentication, there is no need to store salted and hashed passwords at all, which keeps the resource server clean and lightweight.

Fig 02 - Sign-up flow for password authentication
Fig 03 - Sign-up flow for passwordless authentication

As shown in Fig 02, the password-based login/signup flow has many more steps than the passwordless flow in Fig 03. Users just need to enter their email address and click the magic link to register for an app, which gives a simple and seamless onboarding process. By shifting from password to passwordless authentication, conversion rates can be increased.

By delegating authentication to the user's email account, users no longer have to struggle to remember passwords.

I hope this helps you to get a basic idea of Magic Link Authentication.



Thukaraka

Software Engineer@ SyscoLabs Sri Lanka| Undergraduate | Computer Science and Engineering | University Of Moratuwa