Magic Link Pitfalls

Mar 22, 2026

Recently I was surprised to discover that there are several bad ways to do magic links.

The basic idea is: a user hits "login", enters their email address, and receives an email that allows them to log in without a password. What could possibly go wrong?

I work in security, so I already knew a few best practices I would need to implement:

- The link should have a short expiration.
- The link should only work once.
- The link should include a secret code with a sufficient amount of entropy (I went with 64 bits; your paranoia may vary).
- The database should store a hash of the secret code, not the code itself.

Here are two more that were not immediately obvious to me.

Require a click

My first attempt at a magic link logged the user in immediately as soon as they clicked it….
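The four practices above, plus the "require a click" flow, fit in a small token lifecycle. The following is an added example (not the post's own code): it mints a 64-bit secret, stores only its SHA-256 hash with an expiry, refuses reuse, and keeps the GET handler from logging anyone in, leaving that to a POST from a form the user has to submit. The ten-minute TTL, the in-memory store, the `example.test` verify URL and the handler names are assumptions. The usual motivation for the two-step flow, that mail clients and link scanners fetch URLs before the user does and would burn a one-time token on GET, is my addition; the post's own reasoning is cut off above.

```python
import hashlib
import html
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

TOKEN_BYTES = 8              # 64 bits of entropy, the post's choice
TOKEN_TTL_SECONDS = 10 * 60  # "short expiration"; the 10 minutes is an assumed value
VERIFY_URL = "https://example.test/login/verify"  # hypothetical endpoint


@dataclass
class PendingLink:
    email: str
    expires_at: float
    used: bool = False


@dataclass
class MagicLinkStore:
    """Stand-in for the database table. Rows are keyed by the SHA-256 of the
    secret, so a leaked copy of the table cannot be turned into working links."""
    by_hash: dict = field(default_factory=dict)


def hash_token(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def token_from_url(url):
    return parse_qs(urlparse(url).query)["token"][0]


def issue_link(store, email, now=None):
    """Mint a fresh secret, store only its hash plus an expiry, and return the
    URL to email to the user. The plaintext secret exists only inside the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)   # 8 random bytes -> 11 URL-safe chars
    store.by_hash[hash_token(token)] = PendingLink(email, now + TOKEN_TTL_SECONDS)
    return f"{VERIFY_URL}?token={token}"


def check_link(store, token, now=None):
    """Validate without consuming. Lookup is by hash of the presented value, so
    no stored secret is ever compared byte-by-byte against attacker input."""
    now = time.time() if now is None else now
    entry = store.by_hash.get(hash_token(token))
    if entry is None:
        return None, "unknown token"
    if entry.used:
        return None, "already used"
    if now > entry.expires_at:
        return None, "expired"
    return entry.email, None


def redeem_link(store, token, now=None):
    """Validate, then burn the token so it can never log anyone in again."""
    email, err = check_link(store, token, now)
    if err is not None:
        return None, err
    store.by_hash[hash_token(token)].used = True
    return email, None


def handle_get(store, token, now=None):
    """GET /login/verify: do NOT log the user in. Only render a page whose form
    POSTs the token back, so the secret is consumed by a deliberate click."""
    email, err = check_link(store, token, now)
    if err is not None:
        return 400, f"<p>This login link is {html.escape(err)}.</p>"
    return 200, (f"<p>Sign in as {html.escape(email)}?</p>"
                 f'<form method="post" action="{VERIFY_URL}">'
                 f'<input type="hidden" name="token" value="{html.escape(token)}">'
                 '<button type="submit">Log in</button></form>')


def handle_post(store, token, now=None):
    """POST /login/verify: consume the token and return the identity to put in
    the session (creating the session itself is out of scope here)."""
    email, err = redeem_link(store, token, now)
    if err is not None:
        return 400, None
    return 200, email
```

With a real database, the `used` flag and the expiry check should be applied in one atomic update (for example `UPDATE ... WHERE hash = ? AND used = 0 AND expires_at > ?` and then checking the row count) so two concurrent POSTs cannot both succeed. If the design ever compares the token itself instead of looking up its hash, use `hmac.compare_digest`.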
