Here's what I found so far myself:
Advanced users might still prefer the good old password-based login, as it lets them use a password manager and log in with just a few clicks, without needing to switch to their email inbox and wait for an email to arrive.
In some cases people might open the magic link in the wrong browser session. For example, some email apps on iOS open links in their in-app browser. But that logs the user in in that specific in-app browser, not the regular browser. And if you use one-off magic links that immediately expire after use, then "open this page in the main browser" functionality won't do the user any good. I think this is typically solved by not immediately expiring the link.
A similar problem is with email scanning software. It might pre-fetch the link, thereby expiring it. The solution here is to have the link go to a page which then uses JavaScript or meta-refresh to redirect to the page that does the expiring.
From a security perspective you probably do want to expire the link at some point. You don't want it to sit around in an email inbox or browser history and still work a long time after.
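The points above combined into one token store, as an added example that is not part of the original post: the emailed link hits a landing page that changes no state, the redirect target is the only place a token is marked used, and the link stays valid for a short grace period after first use. The class name, the `/login/confirm` path and both time limits are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

LINK_TTL = 15 * 60     # assumed: link stops working 15 minutes after it is issued
REUSE_GRACE = 5 * 60   # assumed: link keeps working 5 minutes after its first use

class MagicLinks:
    """Hypothetical in-memory token store for magic-link login."""

    def __init__(self, now=time.time):
        self._now = now
        self._store = {}  # sha256(token) -> record; the raw token is never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        token = secrets.token_urlsafe(32)
        self._store[self._key(token)] = {
            "email": email, "issued": self._now(), "first_used": None}
        return token

    def _valid(self, token):
        rec = self._store.get(self._key(token))
        if rec is None:
            return None
        now = self._now()
        if now - rec["issued"] > LINK_TTL:
            return None  # sat in the inbox or browser history too long
        if rec["first_used"] is not None and now - rec["first_used"] > REUSE_GRACE:
            return None  # already used and the grace period is over
        return rec

    def landing(self, token):
        """Target of the emailed link. A scanner's pre-fetch ends here, no state change."""
        if self._valid(token) is None:
            return "<p>This link has expired. Request a new one.</p>"
        # The token is echoed only after it matched one we generated (URL-safe chars).
        return f'<meta http-equiv="refresh" content="0; url=/login/confirm?token={token}">'

    def confirm(self, token):
        """Redirect target: the only step that marks the token as used."""
        rec = self._valid(token)
        if rec is None:
            return None
        if rec["first_used"] is None:
            rec["first_used"] = self._now()  # starts the grace period
        return rec["email"]
```
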