
Yes, I do think there are security implications as email clients aren't designed with this in mind.

For example, when you have push notifications enabled on your phone someone could potentially get your secret link.

That's an example that could be easily mitigated (include the link further down in the email so it will never show up in the notification preview), but it goes to show there are non-obvious concerns.

Having said that, Slack uses this approach. So it might not be that bad when implemented correctly (e.g. make them one-time use, expire them after a few minutes, etc.).

Edit:
I just realised password reset emails are quite similar in nature 🤔. So if you were planning on having password reset emails, then you might as well use the magic link approach instead.

Marc, are there types of applications you think this might not be suitable for? i.e. those dealing with financial information
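Added example, not code from the comment above or from Slack: a small Python sketch of the mitigations the comment lists, one-time redemption, expiry after a few minutes, and placing the link below the text a notification preview would show. The `MagicLinkStore` and `build_email` names, the 120-character preview length and the `example.test` URL are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 300   # "expire them after a few minutes"
PREVIEW_CHARS = 120       # assumed length of a phone notification preview


class MagicLinkStore:
    """Issues and redeems one-time, short-lived magic-link tokens (hypothetical)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # sha256(token) -> (email, expires_at)

    def issue(self, email):
        # Only a hash is stored, so a leaked table does not yield usable links.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # pop => one-time use
        if entry is None:
            return None                           # unknown or already used
        email, expires_at = entry
        if self._clock() > expires_at:
            return None                           # expired
        return email


def build_email(token, base_url="https://example.test/login"):
    """Plain-text body that keeps the link out of the notification preview."""
    intro = (
        "Hi,\n\nSomeone asked to sign in to your account. If that was you, "
        "use the button below; it works once and expires in five minutes. "
        "If it was not you, you can ignore this message.\n\n"
    )
    assert len(intro) >= PREVIEW_CHARS  # the link must sit past the preview
    return intro + f"Sign in: {base_url}?token={token}\n"


def link_in_preview(body, token):
    """True if the token would be visible in the first PREVIEW_CHARS."""
    return token in body[:PREVIEW_CHARS]
```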
