The beginner’s guide to magic links

Today, we type in account credentials to do nearly everything, from sending emails and transferring money to ordering groceries and watching TV. If a website or app has a traditional password-based login process, you have to search your memory (or password manager) for the unique username and password you made for that specific account.

Magic links, however, don’t need you to remember anything at all. Just type in your email address, get a link emailed to you, click on it, and voilà: you’re in. It’s a frictionless, almost magical login process—but it isn’t without some drawbacks.

Let us take you on a tour of what magic links are and what you need to know to implement an email-powered login flow for your users.

What are magic links?  #

Magic links are a type of passwordless login that allow users to log into an account by clicking a link that’s emailed to them, rather than typing in their username and password.

Magic links can also be used as a part of a multi-factor authentication (MFA) strategy and can assist users who are having trouble entering their password correctly.

How do magic links work? #

Contrary to what the name implies, magic links aren’t, in fact, magic. They’re just code. But they do make signing in fast and easy (and maybe even delightful) for your users.

In a magic link workflow, the site or app asks users for an email address, not a password. Then, the application generates a link with an embedded token and sends it via email. The user then opens the email, clicks the link, and is granted access to the given app or service.

Magic links work in a very similar way to what happens when a user clicks the “Forgot password?” button. Instead of verifying that a user has access to an email address to reset their password, magic links do the same verification process in order to grant one-time account access. One-time password (OTP) workflows are similar as well.

Magic link pros and cons #

Magic links have a number of advantages related to user experience, account security, and technical backend improvements. At the same time, magic links aren’t flawless. There are some points you should be aware of before implementing them.

The biggest benefits of using magic links: #

1. Easy user experience (UX) and authentication
Magic links are generally a faster and easier way for users to sign in. They also save them from password maintenance tasks like creating, safely storing, and updating passwords on a regular basis.

2. You don’t need to maintain the infrastructure for safe password storage 
If you’re working with a password-based authentication flow, it’s your responsibility to encrypt, store, and protect your users’ passwords. Setting up and maintaining the infrastructure to safely handle this sensitive data takes time and effort. If you’re opting for a magic link flow, you can invest these resources elsewhere.

3. Zero password breaches 
When there are no passwords, there are no password breaches. This has major consequences, given that 81% of corporate data breaches can be blamed on bad and compromised passwords.

4. Fewer customer support requests
Magic links require far less effort for support and development teams: a whopping 50% of all support tickets are password-related, usually forgotten passwords, so magic links can help tackle the issue.

5. Fast, simple onboarding
Magic links allow users to skip password creation at sign-up, which gets them into your onboarding flow more quickly. They can also simplify a complicated sign-up process by rolling sign-up and account login into one seamless action. You’ll need to collect other data later in the customer journey, of course, but if getting customer conversions or sign-ups is your highest priority, magic links may do the trick.

6. Not reliant on specific hardware
Many passwordless approaches require users to have a specific hardware solution, such as a mobile device capable of receiving SMS messages or a dongle or key fob. Magic links don’t need a second piece of hardware, lowering the barrier to entry.

Understanding the magic link cons: #

1. Email deliverability dependent
Magic links rely heavily on the email provider you use to send them: missing emails will prevent users from logging in, and slow emails might lead to user abandonment or distraction. So choose your email delivery service wisely. We’ll cover this in more detail below.

2. Can end up in spam
In addition to issues with timely deliverability, there’s also the risk of magic links emails ending up in the spam folder. If your users are constantly losing messages to the spam folder, magic links can actually be counterproductive and end up adding friction. 

3. Password security is tied to email
From a security standpoint, magic links are only as secure as a user’s email address. If someone gets access to a user’s inbox, they hold the keys to logging into accounts that run on magic links.

4. Limited administrator visibility
Outside of tightly controlled corporate networks, administrators have zero visibility into email accounts that receive a company’s magic links. In other words, admins can’t control what recipients do with those links.

Helpful tips for optimizing your magic link emails #

You’re looking to implement magic link authentication for your product? Here are a few handy tips so you can create a great user experience while mitigating risks:

1. Provide one-time use links #

One way to keep magic links safe and effective is to allow them to be used only once. Setting your magic links as one-time-use links will prevent sharing, both authorized and unauthorized. This is a smart move in a variety of settings, but especially when using magic links to let users access sensitive or proprietary information.

2. Enforce multi-factor authentication (MFA) #

We talked about how magic links have some inherent vulnerabilities because they rely on the security of the user’s primary email address. If that address is compromised, hackers can easily swipe single-factor magic links and gain unauthorized access to the related services and tools.

Multi-factor authentication (MFA) greatly reduces these risks by requiring additional proof that a user is who they say they are (beyond email access). It creates an extra layer of security so that user logins stay secure. Even if the bad actors gain access to the magic link, that link is useless unless they also have access to a user’s second form of authentication (which could be a text message, a fingerprint, or a variety of other methods).

If you’re not sure where to start with MFA, the WebAuthn framework is a standards-based option worth considering.

3. Set expiration dates for links #

Another way to reduce the risks associated with magic links is by setting expiration dates, meaning that links can remain valid for a window of time of your choosing (1 hour is a common choice) and then deactivate automatically.

Typically, if a user clicks an expired magic link, they’ll land on a page that will let them generate a new one (or request that an administrator re-share access, for internal systems like OneDrive). In this way, expiration dates are relatively frictionless, yet prevent long-term access if a link gets stolen or shared.

4. Have a relevant, readable subject line and “From” name #

When someone takes the action to send themselves a magic link, they usually head straight over to their email inbox to look for it. If your magic links are sent via a fast delivery service, your email will already be sitting there, right at the top of their inbox.

Still, you don’t want to make users guess what that email’s about or who it’s from. You want it to be as clear as possible, and your subject line and “From” name are two of the best tools for making this happen.

Learn more about providing the right meta information for your transactional emails.

5. Keep your emails simple #

Magic link emails have only one goal: getting recipients logged into the service or platform that generated the link. So, when you set up the copy for your magic link email template, make sure you don’t distract recipients with too much information or competing calls to action.

Just like your password reset emails, you’ll want to keep things simple. This isn’t the place to advertise or upsell. Get right to the point (and the point is the magic link).

The one exception here is that it can be handy to include a note about how to contact support if things aren’t working like the user expects. Just keep this message brief and put it below the magic link.

6. Prevent message threading #

Some email clients, including Gmail, have started bundling similar emails into threads. If your magic links get pulled into threads, your users can quickly get confused. They may end up clicking the first magic link (which is now deactivated or expired) rather than the one you just sent.

Google’s instructions for avoiding message threading include two options:

• Use different subjects for each email—for example, you could dynamically pull a timestamp for the magic link request into the subject line.
• Use unique reference header values in each email

Finding the right email service for sending magic links #

When you decide to build your own magic link process for authentication, your sending email volume might rise significantly, and email deliverability and timeliness will become even more important—so it’s a good time to take a fresh look at your email service provider for transactional email.

As you compare providers for sending magic links, consider these factors:

1. Speed #

It’s crucial that magic links get delivered quickly. As account holders, we’ve all sat around waiting far too long for a password reset email to arrive, and it’s not a good look for the company we’re trying to do business with!

Magic links are the same. Users expect them to show up within seconds because they can’t keep moving forward until they do. So, look for an email provider that prioritizes email delivery speed.

Here at Postmark, we aim to deliver crucial transactional emails in under 10 seconds. 🚀 We also publicly share current time-to-inbox data on our status page. 

2. Reliability #

Along the same lines, you need an email service that has reliable uptime and a strong track record of email deliverability. If your magic links simply don’t show up or get flagged as spam, customers will grow frustrated.

Your provider should also help you maintain a good sender reputation so your emails won’t get blocked. For example, Postmark will help you determine whether a dedicated or shared IP address will offer the best deliverability for your company.

3. Support for the protocols, standards, and libraries you need #

Before you commit to a provider, check out their documentation to see if they’re supporting your favorite languages or frameworks to make integrating email into your app fast and easy.

You also want to make sure your email service includes support for the authentication protocols and standards you need, like SPF. Postmark, for example, makes implementing SPF easy and provides handy tools for monitoring DMARC compliance. Make sure you have access to the ones you need before making a switch.

How to integrate a magic link flow into your app #

Of course, if you’re looking to build your very own magic link process, the email is just one piece of the puzzle. There are a few more things you need to take care of:

• Generate and save the unique token associated with the user.
• Generate a link using that token—and then include the link in an email that gets sent to your user.
• Your app will need to be able to receive the query at the magic link endpoint and authenticate the user.

Here’s a more detailed walkthrough, including code examples from the folks at Workos.

Depending on the framework you’re using to build your app, some of the heavy lifting might have been already done for you.

Rails, for example, provides some of the key pieces you need to make a magic link workflow work out of the box:

• Signed GlobalIDs are hashes that reference an object in Rails—like a user ID—that only your app can tie back to the user. There’s your token!
• Expiration times are easy to handle in Rails, too: Signed global IDs already come with an expiration date. By default, that’s set to one month—you might want to adjust that when using them for magic link authentication.

Love the idea of implementing a magic link authentication process but don’t want to build it yourself? #

...we have a solution for you!

Our friends at Magic created a plug-and-play SDK that handles a variety of passwordless login methods including not just email magic links but also SMS, MFA, WebAuthn, and more. It’s just a few lines of code to get started, for free!

You can use Magic to seamlessly integrate with frameworks like Svelte, Next.js, and low-code platforms like Webflow and WordPress. Plus, if you’re looking to build a decentralized app that interacts with the fastest-growing blockchains like Ethereum, Solana, and 18+ others, Magic’s got you covered with multichain support.

Try Magic for free →

...and guess what email delivery service is integrated behind the scenes to deliver those magic link emails at blazing speed? 😉

Create an easy, passwordless login experience with magic links 🪄 #

Magic links can be a powerful way to streamline the authentication process for your app or product. They’re certainly one of the easiest and most frictionless ways to shift away from a traditional password-based system, even if they aren’t perfect for every situation.

When you go passwordless using magic links, email delivery matters more. Customers don’t mind if your promotional emails get delayed by a few minutes. But make them wait around for a magic link and you risk losing a sale—possibly even a customer.

Postmark has your back, offering speedy, dependable email delivery that’s measured in seconds, not minutes. See how Postmark can improve your email deliverability, helping you get those magic links (and anything else) to your user’s inboxes faster.