Magic Link Authentication
What is Magic Link Authentication?
A passwordless sign-in flow where the user receives a single-use URL by email or SMS that, when clicked, authenticates the session.
Magic link authentication replaces the password step with a one-time, expiring URL delivered to a channel the user already controls — usually their primary email or a verified phone number. The link encodes a short-lived signed token (often a JWT or an opaque nonce) that the application validates and exchanges for a session. Slack, Notion, Substack, Vercel, and many SaaS products use magic links as their default flow because they remove password reuse and password storage problems. NIST SP 800-63B classifies it as an out-of-band authenticator (AAL2) when the channel is sufficiently independent. Risks include phishing of the link, email account takeover, and adversary-in-the-middle (AitM) relays; mitigations include short TTLs, device binding, single-use tokens, and combining the link with a passkey or device trust check.
● Examples
- 01. Slack workspaces letting members sign in by clicking a 15-minute link sent to their work email.
- 02. Vercel CLI's 'vercel login' command emailing a verification link that authenticates the terminal session.
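As an added illustration of the flow described above (example code written for this page, not code from this glossary or from any of the products named), a minimal Python issuer and verifier for a signed, expiring, single-use magic link token with device binding. The HMAC key, the base URL, the in-memory nonce store and the sample users are assumed or constructed for the demo; the 15-minute TTL follows the Slack example.

```python
import base64, binascii, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlparse

SECRET_KEY = b"constructed-demo-key-rotate-in-production"  # assumption: server-side HMAC key
TTL_SECONDS = 15 * 60                                      # 15-minute link, as in the Slack example
# Single-use store: nonce -> hash of the device cookie that requested the link
# (in-memory for the demo; a real service would use a database or cache with the same TTL).
_pending = {}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_link(user: str, device_cookie: str, now: int,
               base_url: str = "https://example.test/auth/magic") -> str:
    """Mint a signed, expiring, single-use link bound to the browser that asked for it."""
    nonce = secrets.token_urlsafe(16)
    claims = {"sub": user, "exp": int(now) + TTL_SECONDS, "jti": nonce}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    _pending[nonce] = hashlib.sha256(device_cookie.encode()).hexdigest()
    return f"{base_url}?t={_b64(payload)}.{_b64(sig)}"

def token_from_link(link: str) -> str:
    return parse_qs(urlparse(link).query)["t"][0]

def redeem(token: str, device_cookie: str, now: int) -> str:
    """Validate and consume a token; return the user or raise ValueError with the reason."""
    try:
        p_b64, s_b64 = token.split(".")
        payload, sig = _unb64(p_b64), _unb64(s_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed token")
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    # Consume the nonce first: a replayed link fails even if it has not yet expired.
    bound = _pending.pop(claims["jti"], None)
    if bound is None:
        raise ValueError("already used or unknown")
    if now > claims["exp"]:
        raise ValueError("expired")
    # Device binding: the link must be opened from the browser that requested it,
    # so a link triggered by a relay and opened elsewhere is rejected.
    if not hmac.compare_digest(bound, hashlib.sha256(device_cookie.encode()).hexdigest()):
        raise ValueError("device mismatch")
    return claims["sub"]
```

Signature, single-use and expiry checks run before the device check, so a forged, replayed or stale link never reaches the session-issuing step.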
● Frequently asked questions
What is Magic Link Authentication?
It belongs to the Identity & Access category of cybersecurity; see the definition above.
How do you secure Magic Link Authentication?
Typical defences combine the technical controls listed in the full definition above (short TTLs, single-use tokens, device binding, and pairing the link with a passkey or device trust check) with operational practices that address the listed risks: phishing of the link, email account takeover, and adversary-in-the-middle relays.
What are other names for Magic Link Authentication?
Common alternative names include: Email magic link, One-time link login, Passwordless link.
● Related terms
- Passkey (identity-access № 793): A phishing-resistant FIDO2/WebAuthn credential — a device-bound or syncable asymmetric key pair that replaces passwords with a cryptographic challenge-response.
- Social Login (identity-access № 1066): An authentication pattern where users sign into a third-party site using their existing identity from Google, Apple, Microsoft, Facebook, GitHub, or similar providers.
- Multi-Factor Authentication (MFA) (identity-access № 708): An authentication method that requires two or more independent factors — typically from different categories — before granting access.
- Phishing (attacks № 821): A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- Session Management (identity-access № 1018): The set of controls that issue, maintain, refresh, and revoke an authenticated session, binding a user's identity to subsequent requests until logout or expiration.
- Authentication (identity-access № 076): The process of verifying that an entity — user, device or service — really is who or what it claims to be before granting access.