What are some of the best practices for implementing magic links?

Magic links have become a popular authentication method. People enter their email address and receive a one-time link to sign in. No need for passwords anymore.

It's not without its problems though. So I'm curious what some of the best practices are. I'd especially like to hear from people who've been using them in production for a while.

Maker of WIP amongst other things.


Here's what I found so far myself:

Advanced users might still prefer the good old password-based login, as it lets them use a password manager and log in with just a few clicks, without needing to switch to their email inbox and wait for an email to arrive.

In some cases people might open the magic link in the wrong browser session. For example, some email apps on iOS open links in their in-app browser. But that logs the user in in that specific in-app browser, not the regular browser. And if you use one-off magic links that immediately expire after use, then "open this page in the main browser" functionality won't do the user any good. I think this is typically solved by not immediately expiring the link.

A similar problem is with email scanning software. They might pre-fetch the link and thereby expire it. The solution here is to have the link go to a page which then uses JavaScript or meta-refresh to redirect to the page that does the expiring.

From a security perspective you probably do want to expire the link at some point. You don't want it to sit around in an email inbox or browser history and still work a long time after.
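The three points above (a non-consuming landing page so scanners can't burn the link, a short reuse window for the wrong-browser case, and a hard expiry) as an added example, not code from the original post. The lifetime and grace values, the `/magic/redeem` route and all class and function names are assumptions chosen for illustration.

```python
from __future__ import annotations
import hashlib
import html
import secrets
from dataclasses import dataclass, field

# Assumed policy values: absolute lifetime of a link, and a short window after
# first use during which the same link still works, so a login that landed in an
# iOS in-app browser can be repeated in the main browser.
LINK_TTL_SECONDS = 15 * 60
REUSE_GRACE_SECONDS = 2 * 60


def _digest(token: str) -> str:
    # Only the hash of the token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class LinkRecord:
    email: str
    issued_at: float
    first_used_at: float | None = None


@dataclass
class MagicLinkStore:
    records: dict[str, LinkRecord] = field(default_factory=dict)

    def issue(self, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.records[_digest(token)] = LinkRecord(email, now)
        return token

    def landing_page(self, token: str) -> str:
        # GET handler hit by the user and by link-scanning software alike. It never
        # touches the record, so a prefetch cannot consume the link; the browser then
        # POSTs the token to redeem() via the auto-submitting form.
        return ('<form method="post" action="/magic/redeem"><input type="hidden" '
                f'name="token" value="{html.escape(token)}"></form>'
                '<script>document.forms[0].submit()</script>')

    def redeem(self, token: str, now: float) -> str | None:
        # POST handler: returns the email to sign in, or None if the link is dead.
        rec = self.records.get(_digest(token))
        if rec is None or now - rec.issued_at > LINK_TTL_SECONDS:
            self.records.pop(_digest(token), None)  # past hard expiry: forget it
            return None
        if rec.first_used_at is None:
            rec.first_used_at = now
        elif now - rec.first_used_at > REUSE_GRACE_SECONDS:
            del self.records[_digest(token)]  # grace window over: single use is final
            return None
        return rec.email
```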
