NOPE. Magic Links are dying. This is probably the 20th time I've seen a start-up posting proudly about how they chose magic links over standard auth and I don't think any of them have stuck.
It is a TERRIBLE user experience.
* We have a tab open on your site, it tells us to go to our e-mail to get a link, and then that opens up a different tab.
* Or we only check that address on phone which means we can't easily log in on desktop unless we also have that e-mail address logged in on desktop as well.
* It removes our ability to use password managers.
* Doesn't allow us to have multiple e-mail addresses easily. Now I have to remember what e-mail address I used for your service to go find the magic link.
STOP doing it. Give people two-factor authentication. Give people options if you want and see if anyone opts into magic links.
All that being said... It looks like this service does require a password for sign-up and login right now unless you use Google auth? Not sure how this blog post relates to the actual company. Maybe it's something they are thinking about doing?
I recently moved all of my email forwarding away from ImprovMX and a big reason was the obnoxious passwordless system. There are a few others I've bailed on as well for the same reason.
We have implemented magic link in our new product, also as a way of trying out the tech and understanding user feedback. Appreciate your comments and a lot of great feedback from the discussion on this post in general.
Offer a password option, people! Back it up with a magic link if you must but offer a password!
Especially if your magic links go to spam.
I wonder if it could be securely done with the web notifications API, to make it 1 click?
You can't assume the email will be delivered so quickly.
Who wants to get locked out of their account because the email has not arrived?
Login links can be a convenience feature but they must not be the only mechanism for login.
2fa + password means they could compromise the e-mail and still not be able to reset a password without the TOTP.
Social Auth is even more secure than magic links because the larger companies like Facebook and Google have already implemented SECURE 2fa and they've also implemented IP / Computer tracking so that if abnormal authentication happens you have to go through better verification.
If a magic link gets opened from Argentina when the user traditionally logs in from North Dakota, are you blocking that until they go through more verification? If not, it's not more secure.
1. wait for the email to arrive
2. click on the link
3. navigate back to my inbox
4. delete the email
5. navigate back to the app/website
(this is my inefficient way of doing it, I just don't like to have emails lying around that I don't need anymore)
> All this work just for the auth, which is not your core product and not what users come to you for.
What is part of my core product, if it's not something as basic as the authentication? I dislike the idea of outsourcing every tiny bit of a solution, especially if it's something I'd better keep control of.
It's forcing you to centralize your access to a single account, which sounds bad, but at the same time it's always been that way since most services provide a "forgot password" feature.
If someone gets into your email, your accounts are all fucked anyways.
For me personally, the least friction I experience in a site is one that asks me to put a password and a username on registration and login. Subsequently, if I can optionally enable 2FA from the settings/profile page, I am happy. I use a password manager so this allows me to use a given site pretty easily.
1. Enter email
2. If the hidden password field autocompletes, use it
3. If not, send a magic link email that doubles as a “someone is trying to log in” notification AND show the password field
So at this point you covered:
- people with password managers
- people who remember passwords
- people who don’t remember passwords
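The three-step flow above, as an added example that is not part of the original comment: an in-memory service that uses the password when the account has one, otherwise issues a magic link token that is single-use and expires (the lockout concern raised earlier about slow mail is why the expiry is a named constant). The store, the `AuthService` class, the `outbox` list standing in for sending mail, and the injected clock are all assumptions of this example.

```python
"""Hybrid login: password if the account has one, otherwise a single-use,
time-limited magic link. Constructed example with an in-memory store."""
import hashlib
import hmac
import secrets
import time

MAGIC_LINK_TTL_SECONDS = 10 * 60  # a link is worthless after ten minutes


def hash_password(password, salt=None):
    """Salted PBKDF2; returns (salt, digest). Salt is generated if absent."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so expiry can be tested
        self.users = {}                    # email -> {"salt", "pw_hash"} (None = no password)
        self.pending = {}                  # sha256(token) -> (email, expires_at)
        self.outbox = []                   # (email, token) pairs we "mailed"

    def register(self, email, password=None):
        if password is None:
            self.users[email] = {"salt": None, "pw_hash": None}
        else:
            salt, pw_hash = hash_password(password)
            self.users[email] = {"salt": salt, "pw_hash": pw_hash}

    def login(self, email, password=None):
        """Steps 1-3: returns 'ok', 'denied' or 'link_sent'."""
        user = self.users.get(email)
        if user is None:
            # Unknown address: respond as if a link went out, so the login
            # form cannot be used to enumerate registered e-mail addresses.
            return "link_sent"
        if password is not None and user["pw_hash"] is not None:
            _, candidate = hash_password(password, user["salt"])
            if hmac.compare_digest(candidate, user["pw_hash"]):
                return "ok"
            return "denied"
        # No password supplied (or none on file): issue a magic link. Only the
        # hash of the token is stored, so a leaked table yields no live links.
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (email, self.clock() + MAGIC_LINK_TTL_SECONDS)
        self.outbox.append((email, token))   # doubles as the "someone is trying to log in" notice
        return "link_sent"

    def redeem(self, token):
        """Returns the e-mail the link was issued for, or None if unknown,
        already used, or expired."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # pop makes the link single-use
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None
        return email


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice@example.com", "correct horse battery staple")
    svc.register("bob@example.com")  # no password on file
    print(svc.login("alice@example.com", "correct horse battery staple"))  # ok
    print(svc.login("bob@example.com"))                                    # link_sent
    _, token = svc.outbox[-1]
    print(svc.redeem(token), svc.redeem(token))                            # bob@example.com None
```

Because the link token is popped on first use and checked against the clock, a delayed e-mail fails closed rather than leaving a reusable link in the user's inbox; the password path is unaffected by mail delivery at all.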
There are a lot of occupations where you don't have your own computer, and share one with many other people.
For many jobs, the value is not in the person, but in the position, so the position has a single computer for a function that multiple people fill. Especially if you work for a company that operates 24/7.
For example, each person operating a control computer at a recycling station does not have his own computer. There is a computer for each position, and who mans that position will change from day to day.
Freight dispatchers, retail sales, customer service, airline operations, and many broadcast positions are in the same boat.
Imagine how big an airline ticketing counter would have to be if "In this day and age, you should not log in to anything from someone else's PC" was reality.
I don't think I've seen anyone use e-mail for 2fa. All the devices I listed above are in real-time through TOTP timings. E-mail is NOT in real-time.
Email was never meant as a means for synchronous communication, so stop pretending it is!
As others have noted, passwordless does hinge on email deliverability and that hasn't been easy to nail. That said, almost all login flows tend to rely on email delivery for both verification and password resets.
For those used to the convenience of password managers, it's an extra step that can add friction. Longer sessions help.
How so? I only have one service that I use which employs magic links, and I use it on a desktop with no problems.
I'm starting an internal project for my company which will utilize magic links. About 50% of the users are expected to be on desktop, and 50% on iPads, so I'd like to know what the problem is for desktop users before I go too far.
What can happen is better federated SSO using OAuth2 like Apple, Google, FB, Github, and/or similar for web applications to defer or eliminate yet another mandatory password.
Then you get locked out of like 9 things at once when {you ragequit github for political reasons and forget to migrate everything, google kills yet another thing, google locks your account for funsies, apple locks your account until your macbook pro refund is processed correctly,....}
I think passwordless-only is a bad call for the consumer market. Notion ran passwordless for years but we dealt with constant issues of users losing access to their email and having no (easy for them) way to prove ownership of the related Notion account. We switched to normal password accounts.
It bears the same risk of the unique access being lost as having unique access to your finger for finger print scanning, minus the risk of physical injury on compromise.
And I don't like federated emails because I can't tell Google (I can tell FB, ironically) that I don't want all my data shared with the service I'm logging in with (some services like Samsung phone stuff want to get everything).
So thanks but I'd rather only share an email/password in some cases