The Secrets Behind Magic Links: How They Work and Their Benefits
Can you imagine a world without passwords? There’s nothing more annoying than trying to access an account you haven’t used in a while, only to find out you’ve forgotten your password.
As we need to verify our identities for almost everything, it is pretty easy to forget passwords to old accounts. This means you have to waste time remembering usernames, secret answers to questions, verifying, and creating and saving a new password.
Although these methods help protect your accounts, password management can become difficult unless you use a password manager. But what if there were a better way to access your accounts?
This article will explore how to access accounts without a password using magic links. To find out more about how to use magic links, how they work, and what they mean for your account security, keep reading!
Table of contents
- What are magic links?
- How do magic links work?
- Benefits of magic links
- Magic link services you can integrate into your platform
- Disadvantages of magic links
- Alternatives to magic links
- Are magic links the solution for account security?
What are magic links?
Magic links are one-time, single-use links sent to your email address (or phone) to authenticate a login. Once you enter your username or email, the system sends you a link by email or text message so you can log in to the platform without a password.
Magic links are an attractive option because there’s no need to generate or remember passwords. As passwords have caused over 80% of data breaches in the past, magic links are often a more secure way to access accounts and prevent hackers from brute-forcing your password and stealing personal information.
Below is an example of a magic link from the popular business tool Slack, which sends a unique code to your email address so you can log in to your workspace without a password.
How do magic links work?
Creating a magic link happens behind the scenes of a website's code, known as the backend. This code handles several crucial tasks to ensure security, convenience, and functionality.
Here’s how the process of creating a magic link works:
- Account verification: First, the platform checks the database to see if your account exists. If your details don’t match, you will be shown an error and a prompt to create a new account.
- Token generation: Once your details return a match, the platform creates a cryptographically secure token for each login attempt linked to your account. The link will also expire after a certain amount of time for extra security.
- Magic link creation: The platform embeds your unique token in a URL that points to its login endpoint, which will verify the token once the user receives and clicks the link.
- Sending and verification: The link is sent via email or SMS. Once it is clicked, the platform checks that the token:
- Matches the one generated for that account
- Hasn’t expired
- Hasn’t been previously used
- Authentication: If the token is valid, the user can access their account.
- Token invalidation: To prevent the token from being reused, the platform either marks the token as expired or deletes it after login. Access can no longer be granted if the token expires before use.
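The six steps above, as an added example that is not code from the original article: a small in-memory issuer and verifier that generates a random token, stores only its hash, builds the link, and then enforces the three checks (matches, not expired, not already used) before invalidating it. The endpoint URL, the 15-minute lifetime, and the account list are assumptions for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed values for this example: a 15-minute lifetime and a placeholder login endpoint.
TOKEN_TTL_SECONDS = 15 * 60
LOGIN_ENDPOINT = "https://example.test/login"


@dataclass
class PendingLogin:
    """One issued-but-not-yet-redeemed magic link."""
    email: str
    token_hash: str      # SHA-256 of the token; the raw token is never stored server-side
    expires_at: float    # absolute time in seconds since the epoch
    used: bool = False


class MagicLinkService:
    """Issues and redeems single-use, expiring magic links (in-memory storage)."""

    def __init__(self, known_accounts, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._accounts = set(known_accounts)
        self._pending = {}          # token_hash -> PendingLogin
        self._ttl = ttl
        self._clock = clock         # injectable so expiry can be tested deterministically

    @staticmethod
    def _hash(token: str) -> str:
        # Storing only a hash means a leaked table of pending logins yields no usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_link(self, email: str):
        """Account verification, token generation and link creation; returns the URL to send."""
        if email not in self._accounts:
            # The article's flow shows an error here; many deployments instead respond
            # identically for known and unknown addresses to avoid account enumeration.
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        record = PendingLogin(email, self._hash(token), self._clock() + self._ttl)
        self._pending[record.token_hash] = record
        return f"{LOGIN_ENDPOINT}?token={token}"

    def redeem(self, token: str):
        """Verification, authentication and invalidation; returns the email on success, else None."""
        record = self._pending.get(self._hash(token))
        if record is None:                        # does not match any issued token
            return None
        if self._clock() > record.expires_at:     # expired before use
            del self._pending[record.token_hash]
            return None
        if record.used:                           # already redeemed once
            return None
        record.used = True                        # invalidate: the link works exactly once
        return record.email


def token_from_link(link: str) -> str:
    """Extract the token query parameter, as the login endpoint would."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    svc = MagicLinkService(["alice@example.test"])
    link = svc.request_link("alice@example.test")
    print("send this by email:", link)
    print("first click  ->", svc.redeem(token_from_link(link)))
    print("second click ->", svc.redeem(token_from_link(link)))
```

Two design points worth noting: the raw token exists only in the email and the URL, never in the database, and the lookup is keyed on the token's hash, so an attacker who cannot predict a 256-bit random value gains nothing from timing the comparison.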
Benefits of magic links
Magic links benefit users by eliminating the stress of managing multiple passwords across different accounts. Instead, we get a single-use code for our email or phone, and we can access our accounts instantly!
There are also benefits of magic links for developers and businesses. Let's take a look.
- Simplicity: The main benefit is that you won’t need to remember passwords; simply click the link in your email, and you’re done!
- Security: As magic links will expire if they’re not used, this reduces the chance of hackers accessing personal or company accounts.
- Lower support costs: Customers can manage their accounts without waiting for customer support, reducing the workload for support teams and allowing users to access accounts quickly.
- Easier development: Magic links can benefit developers, as they may require less infrastructure and development effort than password systems.
- Reduced security vulnerabilities: Because the link goes directly to your email, you are less at risk from phishing attacks; even if a fake link is clicked, there is no password to exploit.
- Quicker access: Magic links work from any device, so if you suspect a security risk or want to reach your accounts from anywhere, you can do so easily.
Magic link services you can integrate into your platform
If you are interested in integrating magic links into your platform, here are some popular magic link services that can help speed up the login process for your users.
Stytch
Stytch offers a free plan to integrate magic links into your platform for 5000 monthly active users (MAUs) via an API or SDK.
SDKs are available for JavaScript, React, and Next.js with a pre-built, customizable UI that you can change to fit your brand, or you can get more control by working with the API directly.
Paid subscriptions for more than 5000 users use a pay-as-you-go model and include more customizations for designs with no Stytch branding.
MojoAuth
MojoAuth is ready-made to integrate with WordPress, Webflow, Bubble, etc., and is available for Node.js, Java, Android, PHP, and more.
Although there is no free plan, the basic plan starts at 1000 MAUs and includes features like unlimited users, logins, email OTP, and team management. If you are unsure whether the platform is for you, you can take advantage of the 30-day free trial.
Developers can use the MojoAuth API to create custom applications, and the platform offers a 99.9% uptime guarantee.
Clerk
Clerk allows you to set up magic link authentication to your platform in just a few minutes, and you can add magic links as part of an MFA process.
The Clerk API is available for Next.js, React, and JavaScript and will create magic link authentication for new email accounts, sign-ins, and verification.
Free plans start at 5000 MAUs and offer unlimited total accounts, custom domains, and support. MFA, custom durations for sessions, and other features are available on paid plans.
Descope
Descope offers 7,500 MAUs for startups that want to integrate magic links or OTPs into their platform via SDKs or APIs.
Its no-code, drag-and-drop interface, flow builder, screen builder, and design customization help with onboarding new users.
Descope can also handle the session management for you, or you can integrate your own server to its services and get more flexibility from the REST APIs.
Disadvantages of magic links
Despite the benefits of magic links, they are not a 100% solution to protect your accounts because there are still some vulnerabilities. When considering how to use magic links, you must also be aware of the measures you should take to add more security to your email account.
Because magic links are primarily sent via email, you must have strong security protecting your email accounts. If your email account is breached, hackers can more easily access other accounts by requesting magic links for the compromised address, potentially gaining access to financial, social media, or other accounts.
Another problem is that magic links expire after a set time. This can add friction to the user experience if they don’t have access to the internet, or if the email is filtered to the spam folder without them knowing.
To reduce the security concerns of magic links, start by securing your email to prevent unauthorized access to your accounts by doing the following:
- Generate secure passwords and change them every 3 months or if you suspect someone is trying to access your account.
- Enable multi-factor authentication by email, SMS, or a recovery email address from another account.
Alternatives to magic links
Here are some alternative methods to magic links to log in without a password or to add more security to your accounts.
Passkeys
Passkeys are another method of accessing accounts without passwords. Unlike magic links, which require you to open an email, passkeys use cryptographic keys stored on the user’s device that use biometrics (like fingerprints or facial recognition) or a device PIN to log in.
Passkeys help prevent phishing attacks because they don’t rely on email or traditional passwords. Since authentication involves cryptographic verification rather than entering credentials, attackers cannot easily trick users into revealing their login information.
One-time passwords
One-time passwords (OTPs) are similar to magic links, as they send a temporary code via SMS, email, or an authenticator app. The risk of OTPs is that they are vulnerable to SIM-swapping attacks, which give the attacker access to the user's phone number, messages, and OTP.
Push notifications
A push notification sends an alert to the user's device, asking them to confirm the login. Google, for example, will ask the user to confirm a login by entering one of three codes that appear on the device.
Push notifications are a quick and secure method to log in, as they require the user to have their device with them to approve the login request.
Authenticator apps
Popular authenticator apps like Authy and Microsoft Authenticator generate a time-sensitive code that users enter during the login process. These are more secure than SMS alternatives since they don't rely on cellular networks and reduce exposure to SIM-swapping attacks.
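The time-sensitive codes described above are produced by the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226), which is what authenticator apps implement. The following is an added example, not code from the article or from any of the apps it names: it generates a code from a shared secret and the current time step, and shows the server-side check with a one-step clock-drift window and replay protection. The secret bytes below are the published RFC 6238 test-vector key, not a real credential.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second step.
    This is the authenticator-app side: the phone needs only the secret and its clock."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check: tolerates one step of clock drift and refuses replayed codes."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self._secret = secret
        self._step = step
        self._digits = digits
        self._window = window
        self._last_counter = -1     # highest time step already accepted for this user

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self._step
        for drift in range(-self._window, self._window + 1):
            candidate = counter + drift
            if candidate <= self._last_counter:
                continue            # a code for an already-used step is a replay
            expected = hotp(self._secret, candidate, self._digits)
            if hmac.compare_digest(expected, code):
                self._last_counter = candidate
                return True
        return False


# RFC 6238 Appendix B test-vector secret (constructed/public, not a real key).
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59, digits=8)
    print("code at t=59:", code)        # RFC 6238 vector: 94287082
    v = TotpVerifier(RFC_TEST_SECRET, digits=8)
    print("accepted:", v.verify(code, 59), "replay:", v.verify(code, 59))
```

The replay guard is the part most often missing from home-grown implementations: without `_last_counter`, a code captured during its 30-second validity (plus the drift window) could be submitted a second time.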
Are magic links the solution for account security?
Magic links are a valuable way to implement a passwordless lifestyle online, but should be used sparingly. The security of your email accounts should be second to none, as, without proper measures to protect your accounts, magic links can be more of a danger than a benefit.
Whether you choose to start integrating magic links or not, stay updated with the latest cybersecurity protocols to ensure your accounts are protected against data breaches.