Authentication
Auth · intermediate

Magic Link Authentication

A passwordless authentication method that sends a unique, time-limited login link to the user's email address, granting access when clicked.

Also known as: Magic Links, Email Login Links, Passwordless Email Auth

Description

Magic link authentication is a passwordless approach where users enter their email address, receive a unique login URL via email, and are authenticated when they click the link. This eliminates the need for passwords entirely, shifting the authentication factor from 'something you know' to 'something you have' (access to the email account). The approach is used by services like Slack, Notion, and Medium for its simplicity and security advantages over weak passwords.

The flow works as follows: the user submits their email, the server generates a cryptographically random token, stores it with the user identifier and an expiration time, and emails a link containing the token. When the user clicks the link, the server validates the token (exists, not expired, not already used), authenticates the user, invalidates the token, and creates a session. The security of this mechanism depends on the security of the email channel and the properties of the token.

Key implementation considerations include: generating tokens with at least 256 bits of entropy, setting short expiration times (10-15 minutes), making tokens single-use (delete or mark consumed immediately on use), rate-limiting link requests per email address (prevent email bombing), binding the token to the requesting IP or device fingerprint for additional verification, and using a separate short-lived token in the URL that maps to the actual authentication token server-side (preventing token leakage in referrer headers or server logs). Always serve the callback URL over HTTPS and consider implementing a confirmation step before completing authentication to prevent email pre-fetching from consuming the token.

Prompt Snippet

Implement magic link authentication: generate a 256-bit token using crypto.randomBytes(32).toString('hex'), store it in Redis with key magic:{token_hash} (store SHA-256 hash, not plaintext), value user_id, and TTL of 15 minutes. Send the link as https://app.example.com/auth/verify?token={token}. On callback, hash the received token, look up in Redis, verify existence, authenticate the user, and immediately DELETE the key (single-use). Rate-limit requests to 3 magic links per email per 15 minutes. Add a confirmation page ('Click to continue login') before consuming the token to prevent email scanner pre-fetching from invalidating links.

Tags

magic-links, passwordless, email, single-use-tokens, ux