What’s the Magic Link and what’s “magical” about it?
You may not be familiar with the Magic Link, but it's very likely you have already used it while browsing the Internet: maybe when signing in to a website, or to quickly log back in after losing a password. It's a simple means of authentication, with a twist that offers a significant advantage: not having to create a password when registering or signing in to a website where the option is available. Gone are the time spent creating a password (including complex ones such as @#/?;!), the trouble of actually memorizing it, and the risk of it being stolen. Pretty magical, isn't it?
It doesn’t operate magically, though, but simply with your email.
On a website that offers Magic Link as an authentication method, all you have to do is enter your email address and click on "receive a Magic Link" (or login link). You will then automatically receive an email containing the precious "Magic Link", and all you'll have to do is open your mailbox (Gmail, Outlook, Yahoo…) and click on the link it contains.
This email is usually a simple template, with the link often presented as a button.
To sum up, it’s a simple and efficient authentication method which combines both security and user experience. In this article, you will find out more about its mode of operation and benefits.
In 2018, a study conducted by Dashlane (a password manager) and Virginia Tech University found that a user had more than 150 accounts on average; by the end of 2022, this figure was expected to reach 300. This raises a crucial issue: password memorization. To respect security conventions, a user should - in theory - use a different password for each of these services. In practice, this is virtually impossible: the study reveals that around 52% of people only slightly modify their password, or simply reuse it unchanged. The passwordless option solves this problem and offers users a better experience: no password to memorize, store or regularly change. Using Magic Links is simple, fast, and removes the step of actually remembering your login details.
Another advantage of Magic Links is that their security does not depend on the security of other websites, which greatly reduces the impact of a breach elsewhere. According to data published by Verizon, an American telecom company, more than 2,000 security breaches were recorded in 2016, leading to billions of credentials being leaked. If we reuse the same password on several websites and one of them suffers a data breach, every account sharing that password is exposed to credential stuffing. Magic Links avoid this issue because there is no reusable password to steal; the trust instead rests on the user's mailbox, as discussed below.
Besides, one of the main causes of security incidents is the compromise of insufficiently strong passwords (too weak, too short, too common). Such authentication weaknesses appear in the OWASP (Open Web Application Security Project) Top 10 security risks for web applications: they were ranked #2 ("Broken Authentication") in 2017 and #7 ("Identification and Authentication Failures") in 2021. Magic Links address this issue by removing the password altogether: there is no weak password left to guess or crack.
When it comes to companies, password management represents considerable costs. According to a study by Forrester, some of the companies surveyed were spending more than €890K ($1M) a year on password support. With Magic Links, this is no longer necessary: there are no user passwords to store, hash or protect, since users don't have any. (The short-lived link tokens still have to be generated and handled securely, as described below.)
By simplifying the sign-in process, users save time and are therefore more inclined to create an account, a step many would happily skip. This also makes them less likely to abandon the registration process. According to a study conducted jointly by Oxford University and Mastercard, more than a third of all baskets are abandoned because of forgotten passwords.
Lastly, Magic Links do not rely on an additional device. You won't need a phone, as you do with SMS-based two-factor authentication, nor a hardware security key or a biometric sensor. These other authentication factors can still be layered on top to increase security: they are complementary solutions.
Although Magic Links are relatively secure and handy for users, they remain imperfect if implemented on their own. The perfect solution does not yet exist.
If Magic Links are used on their own, authentication security depends on the security of the user's mailbox. The weaker the password protecting that mailbox, the higher the risk of the Magic Link being compromised. Recommendations regarding password strength are available on the ANSSI website (French National Agency for the Security of Information Systems). Nonetheless, as mentioned previously, solutions do exist that improve security. One of the most common techniques in recent years is setting up a 2FA solution (Two-Factor Authentication), though there are other options, such as biometric authentication.
Single-use Magic Links
Limiting each Magic Link to a single use ensures better security for users: once the link has been consumed, a copy that leaks afterwards (in a forwarded email, a browser history, or a server log) can no longer be replayed.
Login links with time expiration
Another method that secures the system a little more is setting a time limit on each link. This way, if someone manages to retrieve a link, no matter how, they won't be able to use it once its lifetime has expired. A short lifetime (minutes rather than hours) keeps the window for misuse small.
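The two measures above (single use and expiry) are easy to get subtly wrong, so here is an added, self-contained example of an issuer/verifier that implements both. It is illustration code written for this article, not Cryptr's implementation; the 15-minute lifetime, the verification URL and the in-memory store are assumptions. Beyond what the text describes, it also stores only a hash of the secret token, compares it in constant time, and revokes any earlier pending link for the same address when a new one is issued.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: 15-minute lifetime and a hypothetical verification endpoint.
TOKEN_TTL_SECONDS = 15 * 60
VERIFY_URL = "https://app.example.test/auth/verify"


def _hash_token(token: str) -> bytes:
    # Only the hash is stored server-side, so a leaked table yields no usable links.
    return hashlib.sha256(token.encode("utf-8")).digest()


@dataclass
class PendingLink:
    email: str
    token_hash: bytes
    expires_at: float
    used: bool = False


class MagicLinkStore:
    """In-memory issuer/verifier for single-use, time-limited magic links.

    A production deployment would keep these records in a database and make
    the 'mark as used' step an atomic update to rule out a double-redeem race.
    """

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS,
                 now: Callable[[], float] = time.time):
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._pending: Dict[str, PendingLink] = {}  # link id -> record
        self._latest: Dict[str, str] = {}           # email -> most recent link id

    def issue(self, email: str) -> str:
        """Create a fresh link for `email`; any earlier link for that address is revoked."""
        email = email.strip().lower()
        old = self._latest.get(email)
        if old is not None:
            self._pending.pop(old, None)
        link_id = secrets.token_urlsafe(16)  # public identifier, selects the record
        token = secrets.token_urlsafe(32)    # 256-bit secret, sent only to the mailbox
        self._pending[link_id] = PendingLink(email, _hash_token(token), self._now() + self._ttl)
        self._latest[email] = link_id
        return f"{VERIFY_URL}?{urlencode({'id': link_id, 'token': token})}"

    def redeem(self, link_id: str, token: str) -> Optional[str]:
        """Return the authenticated email on success, None otherwise. Succeeds at most once."""
        rec = self._pending.get(link_id)
        if rec is None:
            return None
        if self._now() > rec.expires_at:
            self._pending.pop(link_id, None)  # expired: drop the record
            return None
        # Constant-time comparison: timing reveals nothing about the expected token.
        if not hmac.compare_digest(rec.token_hash, _hash_token(token)):
            return None
        if rec.used:
            return None
        rec.used = True  # single use: a replayed link is rejected from now on
        return rec.email


def parse_link(url: str) -> Tuple[str, str]:
    """Extract (id, token) from a link, as the verification endpoint would."""
    qs = parse_qs(urlparse(url).query)
    return qs["id"][0], qs["token"][0]


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.com")
    link_id, token = parse_link(link)
    print("first redeem :", store.redeem(link_id, token))   # alice@example.com
    print("second redeem:", store.redeem(link_id, token))   # None (single use)
```

Note that the secret travels only inside the emailed URL and is never stored in clear; the verification endpoint should also be a POST (or a page that submits one) rather than authenticating on a bare GET, so that mail scanners that prefetch links do not consume them.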
Reinforced security of the email address and/or app
Setting up two-factor authentication is another option. Combined with a Magic Link, this second factor substantially raises the level of security for users. It can protect the user's mailbox as well as the app itself. The WebAuthn standard (an interface for authenticating users to web applications with public-key cryptography) supports this type of reinforced security.
An easily noticeable email, with a clearly identified sender
In order not to lose the user along the way, it's preferable to send an email with a subject that's easy to notice and a sender that's clearly identified. This way, the user can spot the email they received and open it without having to search through their inbox.
A straightforward email
There is no need for information overload; it would be pointless and counterproductive. Keep the email clear and concise: a logo, a short text, the validity period and a clickable link and/or button are more than enough.
A mailbox that must be fast, reliable and recognized
Magic Links depend heavily on email delivery, both in terms of speed and reliability. As far as speed is concerned, Magic Links let the user save valuable time. Conversely, if the email arrives late, it makes them lose time. A fast email service is therefore a must-have.
In terms of reliability, if an email gets "lost" along the way, the user may lose patience, and we run the risk of them giving up on their registration or refusing to log in. On top of speed, delivery has to be reliable.
One last key point about the sending server: it has to be recognized, so that receiving mailboxes don't classify the email as spam. In practice this means the sending domain is properly configured (SPF, DKIM and DMARC records) and has a good reputation. It's very important that users don't lose time when receiving the email: an email that lands in the spam folder is much harder to notice.
Most services can use Magic Links, although some cannot. An email provider, for example, cannot use this type of authentication for the mailbox itself, because the user needs access to that very mailbox to click on the link. If the link is sent by SMS instead, mailbox access is no longer necessary, which would make Magic Links possible for such services (keeping in mind that SMS is generally considered a weaker delivery channel than email).
Other services, like banks, tend to rely on other solutions such as 2FA. To verify that the person signing in really is who they claim to be, 2FA is indeed the more robust solution.
As mentioned earlier, while Magic Links work with most services, some are particularly well suited to them. Using them as reference links (links that both authenticate the user and take them to the intended page) is one possibility, and a very advantageous one: a simplified login process, where one click equals one successful login.
In e-commerce as well, their use is a considerable advantage. As we’ve seen, as much as one third of all users give up on their basket after forgetting their password.
For all the services where authentication remains a one-time occurrence (lab results, event…), Magic Links offer users a better experience. They prevent them from having to remember a password for “single-use” services.
Magic Links, already very interesting in terms of security and UX, are also an efficient tool to increase clients' conversion and retention rates. Their ease of use lets the majority of users adopt them by removing the pain points during registration and subsequent logins. They can be implemented by different types of websites: e-commerce, SaaS, Fintech… These can use them to streamline their authentication experience, as well as to re-engage inactive users through a login link sent by email. Marketing campaigns may also improve their conversion rate thanks to a registration link included in their prospecting emails.
So, are you ready to put a little “magic” in your authentication? Find out more on Cryptr.