Dor Shany
May 8, 2022

Authentication: The Rise and Fall of Magic Links

One of the emerging trends of passwordless authentication which is magic link has been seen in recent years.

Because of this, many companies now use Magic Links to authenticate without requiring a password. Magic Link authentication may help mitigate risk, but it has some serious  security weaknesses that organizations should consider before implementing.

Magic links in 60 seconds

A magic link is a single-use link sent once to the customer during the authentication process. When the user enters their email address or username, an email is sent to their email address with a unique URL. Users authenticate themselves without entering passwords, and for some, this might seem like magic, hence the name.

Magic links are attractive because they can eliminate the need for customers to create and remember passwords. You are at risk from password-based attacks if users choose easy-to-guess passwords and use them across personal and business accounts.

Behind the scenes of Magic Link

Magic links contain a token that can replace passwords. In addition, most platforms require device registration to prevent malicious hacker access to magic links.

To receive the magic link, the user can enter their username or email address at sign-on once their device has been authenticated. The authentication server embeds a token in a URL sent to the end-user. The end-user has a set period of time to use the magic link before it expires. As with the one-time password, the link expires after use.

Alternatively, the user can use a static password instead of a magic link, and the password can be recovered as a backup.

Are magic links secured?

Magic links are designed to make the login process easier and more secure. However, each of the reasons why magic links are attractive for passwordless authentication comes with significant security risks.

A recipient's identity is not guaranteed

The magic link email might be intercepted by an attacker if the user's email service is compromised. As long as the token received is what the server expects, magic links work.

Compromised email account

An email account can be compromised in a number of different ways. In some cases, your password may be weak and easily guessed or obtained through a public breach. In other cases, you may have clicked on a malicious link in an email, social networking site, or webpage. Or, you may have downloaded an app or file that contained malicious scripts. Once the user email account has been compromised, the attacker can easily log in using the magic link email.

Loss of device

Magic Links' security model assumes that the user controls the device, which gives the app developer the ability to enforce a "something you have" authentication step. The Magic Link capability is compromised if the user loses a device without a password or biometric login controls on it, as someone now has access to the app, device, and email.

Option for MITM attacks

Magic links are also vulnerable to man-in-the-middle attacks if the user is on an unencrypted network, which could lead to a hacker stealing the token.

UX can be much better

Passwordless authentication can be implemented without leaving the login screen with some authentication solutions. Although magic links are a huge step forward for eliminating the password, there are other methods to do it.

So, what will be the right passwordless solution?

Password hygiene risks such as reusing passwords or using weak passwords are mitigated by Magic Links. Despite the lack of official best practices, they continue to be used by many organizations as a way to enhance security.

While Magic Links remain relatively weak forms of passwordless authentication, malicious actors can still circumvent these measures by launching brute force attacks or gaining access to email accounts.

A more robust passwordless authentication method incorporating biometric authentication through the user's device is essential for organizations.

By leveraging the biometric capabilities of a device, such as FaceID/Touch ID or  Fingerprints you can ensure authentication is not compromised by email compromise or loss of the device when it uses the device's biometric scanner. By eliminating passwords, it gives users a frictionless experience when using apps, and reinforces the best multi-factor security measures.

Final thoughts

Using magic links is an excellent way to make it easy for users to login. However, they pose serious security risks to your company's customers' identities. Authentication via biometrics offers the perfect balance of user experience and advanced security measures. Now is the time to go truly passwordless for both your customers and the organization.