Magic Links: Is passwordless authentication the best way to authenticate?

Person thinking in front of a keyboard

More and more sites and SaaS products and services seem to use magic links as their preferred login method.  Whilst browsing over the weekend I noticed that Hotels.com have also joined the passwordless authentication trend (although they do still offer a way to use your password), and this got me thinking about magic links in general - are they a good thing?  Are they more secure?  Do they protect my account and personal data better than conventional password-based authentication?  What about how they compare to a conventional password and multi-factor authentication (MFA) combo?

Magic link login on hotels.com

Let's delve deeper into how magic links work, their advantages, and potential pitfalls compared to a conventional login process.

What Are Magic Links?

Magic Links are essentially unique URLs sent to a user's email address for authentication. In a magic link system, instead of entering a username/email and password, a user inputs their email address and is sent a unique, time-limited link. By clicking this link, the user verifies their email and gains access to their account. In this way magic links allow a passwordless login.

A typical magic link contains a unique token, often JWT (JSON Web Token), that securely identifies the user. It is encoded and encrypted to ensure data integrity and confidentiality, providing a secure authentication pathway. This token becomes invalidated upon use or expiration, making it essentially a one-time password (OTP).

The Case for Magic Links

Enhanced Security

Passwords are the bread and butter of traditional authentication systems, but they have inherent vulnerabilities. Users tend to create simple, easily remembered — and therefore easily hacked — passwords. They also tend to re-use their credentials across multiple sites and platforms, creating a domino effect if one account is breached. Magic links, on the other hand, act as single-use, time-limited passwords that is sent directly to the user's verified email, greatly reducing the risk of password-related breaches.

Furthermore, magic links eliminate the need for password storage, a frequent target for cybercriminals and hackers. Traditional systems must store passwords (albeit hashed and salted) for verification purposes. If these storage systems are compromised, so too are the passwords contained within them. Magic links sidestep this security concern entirely by rendering the password obsolete.

Improved User Experience

A typical user today likely has hundreds of accounts across multiple platforms. Remembering all these details can be taxing, leading to frustration, account lockouts, and frequent password resets. Magic links simplify this process by reducing authentication to an email and a click.

Moreover, magic links inherently incorporate two-factor authentication (2FA). The user verifies their identity by accessing their email account - something they own - and clicking the magic link - something they know. This seamless, integrated 2FA adds an extra layer of security without burdening the user with additional steps.

Potential Pitfalls of Magic Links

Dependence on Email Security

While magic links remove the password vulnerability, they introduce another - the security of the user's email account. If an attacker gains access to a user's email, they can request and use magic links freely. This dependence on email security transfers the responsibility of safeguarding access from the service provider to the user.  If, like most users, your email is accessible on your phone and your phone is stolen then (assuming the thief can unlock your phone) magic links can make it easy for your accounts to be accessed by a hacker or bad actor.

Inconvenience for Some Users

For users who stay logged into their accounts or use password managers, magic links can be less convenient than traditional systems. Magic links require users to switch contexts from the application they are accessing to their email and back. This additional step, while straightforward, may disrupt the workflow for some users.

Potential for Phishing

While magic links can help users avoid phishing attempts that target passwords, they can also become a tool for phishing if not carefully implemented. Users can be tricked into clicking malicious links disguised as magic links. To mitigate this, service providers should educate users on how to distinguish genuine magic links from phishing attempts.

Magic Links vs. Conventional Password Systems

Magic Links and conventional password systems each have their own strengths and weaknesses. Here's how they stack up:

Complexity and Vulnerability

Conventional password systems rely on users creating complex, unique passwords for each account and changing them regularly. This often results in weak or reused passwords, making these systems vulnerable to attacks. If you use a password manager this is not so much of a problem, but most users don't - according to BitWarden, just over a third of people (34%) use a password manager globally. On the other hand, magic links eliminate the need for password complexity by utilising unique, temporary tokens, significantly reducing the risk of breaches.

User Convenience

Password systems can cause frustration due to forgotten passwords or account lockouts. However, they can also provide a streamlined experience for users who stay logged in or use password managers. Magic links require users to access their email for each login or session, which can be seen as either an added layer of security or an inconvenient additional step.  What if the one-time email is classified as spam by your email provider and ends up in your spam folder? Suddenly the login experience has become dysfunctional for the user.   If you are logging in via a system you don't access email from (eg perhaps a smart TV) or your email provider is down suddenly a magic link email can be an inconvenience and interrupt the flow of what you are trying to do.

Security Responsibility

Password systems put the onus on service providers to securely store and protect passwords. Any breach in this storage system can have catastrophic consequences. Magic links shift this responsibility to the users, relying on the security of their email accounts. While this removes the risk of password storage breaches, it introduces the potential vulnerability of compromised email accounts.

Mobile phone with one time login dialog displaying

Wrapping Up

Magic links present a compelling alternative to traditional password systems, addressing many of their inherent vulnerabilities.  I personally consider that using a unique password for each site, product or service alongside multi-factor authentication offers the best solution for securing my account.  However most users won't do this and so I can see why so many services are implementing magic links - in a world where the majority of users don't use password managers or set up multi-factor authentication they can increase overall security, simplify the user experience and enhance security by eliminating the need for password creation, recall, and storage.

However, magic links aren't without their own challenges. The reliance on email security, potential inconvenience for some users, and susceptibility to phishing attacks are all considerations to be factored in.

Ultimately, the choice between magic links and conventional password systems is not binary and depends on the specific use case and audience. A hybrid approach, offering both methods and letting users choose, can also be an effective solution although this does mean passwords are still stored (albeit hashed) by the site, product or service.  As we continue to navigate the ever-evolving landscape of digital security, the exploration and adoption of novel authentication methods such as magic link authentication remain integral to securing our digital lives.