3 min read security

0x001 - Magic Links 🪄

0x001 - Magic Links 🪄

Hi, y’all! This is the first issue of unzip.dev, a newsletter dedicated to developer trends, where we unpack trending dev concepts. My name is Agam More, and I’m a developer generalist that loves learning & sharing. Join the ride and have fun!

I wanted to thank @TomGranot and @KtzAndy for great insights on this issue.

Synonyms: Magic logins, link authentication, (a special case of) Passwordless authentication.

TL;DR:

  • Problem: Password authentication is a hassle.
  • Solution: Authenticate users by sending them a one-time login link to a trusted source.
  • In sum: It’s emerging as a popular authentication method, but it has some drawbacks.
Source: magic.link

How does it work? 💡

  1. When the user wants to log in, they enter their email.
  2. A magic link (login link) is sent to their email.
  3. They access their email (trusted source) and click the login link.
  4. Now they are logged in! 💰

Use cases ✅

  • MVPs and applications without a bank-level security concern.
  • You want to ship fast and not tackle password authentication hurdles.
  • Better suited for B2C products as enterprise users are still not used to it and in some cases it might be a compliance issue.
  • Your users login infrequently (so links aren’t a big deal).

Why?🤔

  • Simplicity:
    • No need to maintain complex security infrastructure (password policy, hashes, salts...). Side note: as simple as OAuth flow but you aren’t tied to the service.
    • No need to implement password reset flow.
  • UX:
    • Frictionless login experience for the user - only clicking a link.
    • No need to remember a password.
  • Security: No more password data breaches (password dumps) and less phishing.
  • Support: Fewer support tickets on password-related issues (resets and logging-in).

Why not? 🙅

  • Education: Users might feel annoyed that they need to go through new-and-additional steps to log in (ie they use a password manager).
  • Security concerns:
    • The trusted source (mostly email) needs to be secure, impersonation can happen by sharing the link.
    • You are trusting a 3rd party service with your authentication, this might be a no-go for sensitive projects.
  • Expensive: Magic links hosted platforms can be more expensive (ie magic $0.0085 vs AWS Cognito $0.0055).
  • Compliance: There might be some compliance issues (reference) - you should check each solution separately.
  • Other solutions: You can use 3rd party OAuth, so the user won’t use a password.
    • Side note: some users don’t like using 3rd party login providers.
  • [UPDATED-JUL-2022] Your sign-in rates will be tied to email deliverability rates if magic links are the only way to sign-in.
  • [UPDATED-JUL-2022] On mobile, the bowser is proprietary to the app opening the link (in most cases) so the cookies only stay there, meaning the session won't be permanent in the default browser in some cases - which causes frustration.

Tools & players 🛠️

  • passport-magic-login - magic links with Passport.js.
  • magic.link - Dev-friendly magic links that uses the blockchain 🤯
  • LoginRadius - Yet another magic link login service.
  • WorkOS - Yet another magic link login service.
  • okta - Yep, Okta also has this feature.
  • auth0 - Auth0’s take on magic links.
  • Firebase - Did you think Firebase would miss out on the fun? Plus, magic links are free (!)
  • (Update) Descope - Developer-first authentication and user management platform.
🤠
My opinion: I would go with Firebase or magic.link for personal projects, as they are not super enterprise’y, relatively cheaper, and pretty known in this space.

Note: I will indicate any kind of ad or sponsorship anywhere in the newsletter (none here), and I promise it will never affect my choices in any way.

Forecast 🧞

  • Market adoption: I believe that more and more startups and B2C companies will use passwordless logins, as they are becoming a more prominent way to log in (because they are easier to use). Plus magic links play nicely with WebAuthn. I’m not sure magic links will be the prominent type of passwordless logins, but they will play a role. I still believe there is a place for passwords, but they are becoming less popular.
  • 92% of Businesses Believe they will adopt Passwordless Authentication.
  • Security impact: I believe that some security incidents will happen, but massive password breaches will become a rare occurrence.
  • Cloud providers: I can see more cloud providers integrating this feature as an out-of-the-box service (as opposed to developing it from scratch).

EOF

Extra unrelated things I thought to share:

  • GitHub: Hacker-laws, a bunch of useful engineering related rules.

As a developer, it’s really hard to gauge the quality of my writing. It feels like using those old room-sized, punched-card computers where you had to wait all weekend for the results and only then get feedback 😪 So your comments are, truly, most appreciated:

Tweet at me @agammore or simply reply to this e-mail.

Why not help your friends by sharing this with them? ❤️

Agam More

Agam More