Magic Link Pitfalls

Evan Todd wrote "Magic Link Pitfalls," an article going over some of the errors he's seen on sites that email users a link to log in with. The idea is simple: to "log in" you say "send me a link," a link gets generated and sent, the user goes clicky-clicky, they're logged in. No passwords, nothing to forget or reset, no credentials to intercept in transit.

Some of the basic principles are well known: short expiration, single use, enough entropy, and never storing the raw token in the database. But Todd writes up some pitfalls that aren't so obvious:

  • Prefetches. Some email clients prerender the content behind links ("this is the content in the email! Aren't I helpful?"), which means that if the magic link logs the user in on load, that prefetch potentially ... just logged in the user. There are ways around it, like not logging the user in on the bare request but requiring an action on their part, among others, but it's still a concern.
  • The wrong browser gets used. Clicking a link in an email client can land in different places: on a mobile client, for example, you might get a different browser than the default one. One hopes it works out, but the user experience here is potentially surprising, and in user experience terms "potentially surprising" is correctly interpreted as "bad."
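To make the prefetch point concrete, here is an added example (mine, not code from Todd's article) of a magic-link endpoint pair in which the GET that a prefetcher would hit only validates the token and renders a confirmation form, and only the POST from that form burns the single-use token and creates a session. The `LINKS` dict, the 10-minute TTL and the `/login` route are assumptions standing in for a real table, policy and router.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # short expiration; 10 minutes is an assumed value
LINKS = {}  # hypothetical stand-in for the DB table: token hash -> row


def _digest(token):
    # Only this hash is persisted: a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(email, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    LINKS[_digest(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token  # goes into the emailed URL; the raw value is never stored


def _live_row(token, now):
    now = time.time() if now is None else now
    row = LINKS.get(_digest(token))
    if row is None or row["used"] or now > row["expires"]:
        return None
    return row


def handle_get(token, now=None):
    """GET /login?token=... is what an email prefetcher fetches: it only
    checks validity and renders a confirmation form; no session is created."""
    if _live_row(token, now) is None:
        return (404, None)
    return (200, "<form method='post'><button>Continue to sign in</button></form>")


def handle_post(token, now=None):
    """POST from that button is a deliberate user action: only here is the
    token burned (single use) and a session created."""
    row = _live_row(token, now)
    if row is None:
        return (403, None)
    row["used"] = True
    return (200, {"session_for": row["email"]})
```

Against a real database the check-and-burn in `handle_post` should be one atomic conditional update (mark used only where not yet used) so two concurrent POSTs cannot both succeed.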

This site uses OTP and has support for OIDC, although OIDC isn't turned on yet. No magic links here!

Well done article: it's short, clear, and practical for anyone implementing a login system.
