
Are there any security implications around magic link/passwordless apps?

Any resources in this area?


Someone can hack into your email and take over your accounts without needing to know the passwords of those accounts. Other than that I can't think of anything else.

Seems to me they are more secure than apps with a password because there are no passwords to leak.

Yes, I do think there are security implications, as email clients aren't designed with this in mind.

For example, when you have push notifications enabled on your phone, someone could potentially get your secret link.

That's an example that could be easily mitigated (include the link further down in the email so it never shows up in the notification preview), but it goes to show there are non-obvious concerns.

Having said that, Slack uses this approach, so it might not be that bad when implemented correctly (e.g. make them one-time use, expire them after a few minutes, etc.).

Edit:
I just realised password reset emails are quite similar in nature 🤔. So if you were planning on having password reset emails, you might as well use the magic link approach instead.

Marc, are there types of applications you think this might not be suitable for? i.e. those dealing with financial information.

I recently implemented this. Set it to expire after a few minutes. I think that's quite safe.

But yeah, I think the biggest security risk is if the user gets their email hacked... But that's the case for anything really. You can even go via "Forgot Password" to get access to an account if someone has compromised your inbox.
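The two mitigations the thread keeps coming back to (one-time use and a short expiry, from Marc's post and from the last reply's "expire after a few minutes") look like this in code. This is an added example, not code from any poster or from Slack; it assumes a hypothetical login URL of `https://example.com/login`, a 10-minute lifetime, and an in-memory store standing in for a database table. The server only stores a SHA-256 hash of the token, so a copied database does not yield usable links, and the token is burned before access is granted so a replayed link fails.

```python
import hashlib
import secrets
import time
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetime: "a few minutes", as suggested in the thread.
TOKEN_TTL_SECONDS = 10 * 60


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issue and redeem one-time, short-lived magic-link tokens.

    The in-memory dict is a stand-in for a database table keyed by the
    token hash (hypothetical; any persistent store with the same fields
    would do). `clock` is injectable so expiry can be tested without
    sleeping.
    """

    def __init__(self, base_url: str = "https://example.com/login",
                 ttl: int = TOKEN_TTL_SECONDS,
                 clock: Callable[[], float] = time.time):
        self.base_url = base_url          # assumed URL, not a real endpoint
        self.ttl = ttl
        self.clock = clock
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Store only the hash: a leaked table cannot be turned into links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email: str) -> str:
        # 256 bits from the OS CSPRNG; never derived from the user or time.
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = PendingLogin(
            email=email, expires_at=self.clock() + self.ttl)
        return f"{self.base_url}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the email the link was issued for, or None if rejected.

        Looking the token up by its hash means the dict lookup cannot
        leak partial matches of the secret through timing.
        """
        digest = self._hash(token)
        record = self._pending.get(digest)
        if record is None:
            return None                   # unknown or already purged
        if record.used:
            return None                   # replay of a one-time link
        if self.clock() > record.expires_at:
            del self._pending[digest]
            return None                   # expired
        record.used = True                # burn it BEFORE granting access
        return record.email


def token_from_link(link: str) -> str:
    """Extract the token the way the login endpoint would from the query."""
    query = urllib.parse.urlparse(link).query
    return urllib.parse.parse_qs(query).get("token", [""])[0]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("alice@example.com")     # constructed sample user
    print("mail this link:", link)
    tok = token_from_link(link)
    print("first use  ->", svc.redeem(tok))    # alice@example.com
    print("second use ->", svc.redeem(tok))    # None: one-time only
```

A password reset link, as Marc's edit points out, is the same mechanism with a different action on success; the issuance and redemption logic above serves both, and the email compromise risk raised in the last reply is untouched by any of it, since whoever reads the inbox reads the link.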