Magic links: The future of online authentication

Magic links are in fashion. Either when used to substitute passwords or to complement them, they have become an interesting solution to enhance online security without bothering users.

Learn what they are exactly, how they "magically" work and how to implement them in online authentication for your business.

What are magic links?

Magic links are authenticated URLs that contain a token to grant access to a specific user. They can authorize users to signup or login in a platform, or even authorize online payments, among other actions. Once the user clicks on the URL the user will be automatically authenticated.

Magic links have a limited duration and are unique, meaning they are not valid after a determined amount of time, for security reasons.

Magic links are a method to authenticate users online, and they can be used in a passwordless system or in a multi-factor authentication system.

How does a magic link work?

Normally, magic links are generated in onboarding flows. In this case, the user is submitting a form where they fill in their email or their phone number. In these flows, a magic link and its token are generated and then sent to the user's email or phone.

When the user receives the email or SMS, they need to click the authenticated URL and the action will be automatically verified.

What are magic links used for?

Magic links can be used in two main trends in online forms: passwordless authentication and multi-factor authentication.

Passwordless authentication

Passwordless authentication is any kind of system that does without passwords as a security system. Generally speaking, most online sites allow authentication by using the pairing of email and password, but this system starts to feel obsolete and other alternatives are arising.

Latest trends in this matter tend to use alternatives to passwords for several reasons — poor security and user experience being the most significant factors. In this context, passwordless authentication presents many advantages for any online site.

With a magic link, users can be securely authenticated and forget about using passwords. They will just need to enter their email or phone number and they will receive the URL they have to click.

• One-click signup. One-click signup or login are particularly interesting because of their celerity. Users tend to be annoyed when they have to create yet another account, they might forget their password, or they simply don't want to lose their precious time. Being able to sign up or log in simply by clicking one link is certainly a good solution that benefits us all.
• User verification. Clicking a link that is sent to an email account or a phone number implies verifying one of these means of communication. While the pairing email + password by itself can't get rid of bots, spam accounts or temporary emails, magic links in passwordless forms are a way to verify your users.
• More security. This "magical" way of authenticating users may seem vulnerable at first sight, but the truth is it enhances security when compared to passwords. Links are unique and limited in time, and they are much harder to break in.
• Less costs. Keeping a password database and maintaining it has an expensive cost. Forrester Research has estimated the cost of password resets in 1 million dollars a year.

Two-factor (or multi-factor) authentication

Two-factor authentication (or 2FA) is a way of authenticating users in two different steps. For instance, if the first security system is a password, a magic link can be the second method for authentication.

Two factor authentication (or multi-factor authentication, when more than two methods are applied) has increased lately, to ensure a more secure experience for the user. Applying several layers of verification or authentication is particularly useful in e-commerces or online banking, where sensitive transactions are executed and the user's money is involved.

• Frictionless system. Keeping two or more authentication systems increase the number of steps the user have to take. Yet, magic links present the less friction, since users just have to click the URL to finish the process.
• User verification. When the user clicks on the authenticated URL, they are verifying their phone numbers or email accounts, which can help you avoid spam accounts, bots, and other types of online fraud.
• Extra layer of security. Implementing magic links in multi-factor authentication is necessary if you deal with sensitive processes. Magic links are a secure way of authentication, but you can increase safety by combining it with other auth methods.

Whether you're interested in building a passwordless flow or a 2FA flow with magic links, you can implement both with Arengu. Build your forms with no code and start onboarding users with the latest authentication methods.

Do you want to build your form with magic links ASAP? Learn how to build a passwordless subscription flow with Stripe, or discover how to create a passwordless login form for a WordPress site!

‍