Magic links are a type of passwordless login that allows the user to simply click a link rather than typing in their username and password every time they wish to sign in. This is useful for users who access an application or platform multiple times during any given day but don’t want to keep track of dozens of different passwords.
How Magic Links Work
When the user first signs up for access to an application or platform, they will be asked what email address they would like the magic link sent to.
Once logged into the application or system, the user can see all approved magic links under “settings” or “user profile” in an accessible menu. They choose which one they would like to use, and simply click on the link to be signed in. The user will then be redirected back to the application or system upon successful authentication.
Technology Involved With Magic Links
When a user signs up for access to an application or system that uses magic links, they are assigned their own unique login URL. That login URL is used exclusively by them and is accessed via either SMS text message or email.
When a user who has no password clicks on that link to sign in, a second tokenised field known as a “magic token” is passed with the request. This token identifies the user and allows them to authenticate securely without having to provide any credentials other than clicking on the single link provided.
This decreases friction between signing in and actually accessing the application or system, and can decrease the average number of steps a user must take to access an application or system from about three down to one.
Magic Link SMS Authentication
If the user signs up for magic links via SMS text message, they will receive an SMS authentication token immediately upon signing up. They can access that token by logging into their account on the “my link” page, or clicking the “I forgot my password” function if they cannot otherwise log in to their account. The user must then open a new browser tab or window and copy-paste the login URL found there to use as a magic link.
From Email to Login
If the user signs up for magic links via email, they will receive an automatic confirmation message that asks if they would like to be signed up for magic links. The first time a user clicks on a link sent to their email address at that domain name, they will be redirected back to the application or system they came from, having successfully authenticated without providing any credentials other than clicking the single link provided.
Impact on Security Using Magic Links
Since the user must click on a link sent to their email address or via SMS text message in order to sign in, it is important that this information be kept private. Anyone who knows both the application URL and your email/SMS can access your account if either one becomes compromised—for example, if you signed up by clicking a magic link in an email from someone pretending to be your ISP or bank. If these two pieces of information are not sufficiently protected, other malicious users may take advantage of them as well.
To prevent abuse of this feature, several restrictions may be implemented if a user signs up for magic links via email. These restrictions vary from system to system and are typically implemented on a case-by-case basis, although there are some standard ones, such as preventing the use of this method if an account has been “locked” (e.g., due to failed login attempts) in the past.
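The magic token described under “Technology Involved With Magic Links”, together with the locked-account restriction above, can be sketched as follows. This is an added example, not Evolok's code or code from the original page. The HMAC signature, the 15-minute lifetime, the single-use rule, the function names and the example.com URL are all assumptions of this sketch.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET_KEY = secrets.token_bytes(32)         # assumption: per-deployment signing key
TOKEN_TTL = 15 * 60                          # assumption: links expire after 15 minutes
BASE_URL = "https://app.example.com/login"   # hypothetical login endpoint
_used_nonces = set()                         # assumption: in-memory; use shared storage in production
locked_accounts = {"locked@example.com"}     # constructed sample data


def _sign(payload: bytes) -> str:
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_magic_link(email, now=None):
    """Build the unique login URL carrying the magic token for one user."""
    if email in locked_accounts:
        raise PermissionError("magic links disabled for locked account")
    now = time.time() if now is None else now
    claims = {"sub": email, "exp": int(now) + TOKEN_TTL,
              "nonce": secrets.token_urlsafe(16)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    return f"{BASE_URL}?token={payload}.{_sign(payload.encode())}"


def verify_magic_token(token, now=None):
    """Return the authenticated email, or None if the token must be rejected."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return None                      # forged or tampered token
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, TypeError):
        return None                          # malformed token
    if now >= claims["exp"] or claims["nonce"] in _used_nonces:
        return None                          # expired, or link already used once
    if claims["sub"] in locked_accounts:
        return None                          # account was locked after the link was sent
    _used_nonces.add(claims["nonce"])        # burn the nonce so a replayed link fails
    return claims["sub"]
```

Because the token alone authenticates the user, a short lifetime and single use limit what a forwarded or leaked link is worth.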
Implement Magic Link Access With Evolok
Magic links provide users with the convenience of passwordless login without compromising their account security. This is an ideal solution for businesses that use a paywall to restrict access to their premium content. Magic links are secure, quick, and most importantly, smart.
Get in touch with us today and find out how Evolok can implement magic link access to your platform, creating a great user experience and easier access for your customers with our secure technology.