5
10 Comments

Do you develop your own user management system? What do you think of magic links? (no passwords, access via password) ***^_^***

Just wondering what you think about magic links, so users can access your platform via email token links, since implementing login and account management with a password is still painful.

We are thinking about building an API to help developers manage magic links.

Any insights or thoughts?

Many Thanks!

posted to Developers on April 28, 2020
  1. 2

    I think magic links have their place and can be a good way to authenticate users in certain situations.
    For example, I've been working on a service for unsubscribing from emails, and I feel magic links work well here as a user will already have their inbox at the ready.
    But as others have mentioned they are not always perfect when trying to login on a public computer etc.

    There are obviously some good security connotations in terms of both not having to store users' passwords and users not using weak passwords.
    This does not mean magic links are more secure by default. When implementing magic links, people often overlook the security aspects, which can make them rather insecure and open to brute force attack. You need to make sure that the magic link is long enough, only valid for a certain period of time and can only be used once, to name a few.

    For anyone using Django who wants to look at authenticating with magic links, check out django-magiclink (open source). It does most of the work for you; you just need to create the HTML for the login pages, really.

    Also, on a separate note, when allowing users to input email addresses, consider setting all emails to lowercase. Email addresses are case insensitive and you don't want a user not being able to log in because when they first signed up they used [email protected] and are now trying to log in with [email protected]

  2. 2

    Hi Fredi -- I'm building my MVP with magic links and have used them previously for an event website. That said my current product is not meant to be mobile friendly (unless you really want to do a DevOps interview with a terminal on your phone! Lol)

    But with my security hat on I'm a fan of magic links -- despite the fact you're basically emailing the user a password -- it's all about trade-offs. I know how bad people are with passwords and I don't want to be responsible for protecting what is likely their bank or email password in many cases. Yes, I'm using bcrypt to hash the passwords but it is still terrifying.

    If the mobile issues mentioned above don't scare you off of magic links -- just remember to null out the magic code once you've logged the user in (once only login) and expire it regardless after some period. It can also be nice to grab the path the user was attempting to go to and attach it into the magic link, and redirect on your activation page (I'm adding this right now).

    Good luck!

    1. 1

      To add on ways to make sure the magic link is more secure (some are mentioned above):

      • Make sure the link is only valid for a short period of time (5 minutes) before it expires
      • Ensure each magic link 'token' is at least 20 digits so it's harder to brute force.
      • Make the login link require the user's email address to be sent as a URL query parameter with the magic link, to stop a 3rd party trying to brute force random links
      • Only the last one-time link issued should be valid. If a new token is generated, invalidate the previous one
      • Limit the number of login requests a user can make (say one every 30 seconds)
      • The initial request and its response must take place from the same IP address
      • The initial request and its response must take place in the same browser

      Some of the above can have negative effects in terms of making it harder to log in across different devices etc., but making a weak authentication system which lets third parties brute force their way into a user's account is going to be a lot more of an issue.
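The token-handling parts of the checklist above (short expiry, long random token, email-bound lookup, latest-link-only, single use, per-user rate limit, case-insensitive email) put together as a small server-side issue/redeem pair. This is an added illustration, not code from the thread or from django-magiclink; it assumes an in-memory store and a caller-supplied clock, and leaves the IP/browser checks and the email sending to the web framework.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL = 300        # link is valid for 5 minutes
MIN_REQUEST_GAP = 30   # at most one link request per user every 30 seconds


@dataclass
class PendingLink:
    token_hash: str    # only a SHA-256 of the token is kept server-side
    expires_at: float


# Assumed in-memory stores; a real deployment would use a database or cache.
_pending: Dict[str, PendingLink] = {}
_last_request: Dict[str, float] = {}


def _normalize(email: str) -> str:
    # Addresses are case-insensitive, so Alice@Example.com and alice@example.com match.
    return email.strip().lower()


def request_link(email: str, now: float) -> Optional[str]:
    """Issue a fresh one-time token for `email`; returns None when rate-limited."""
    email = _normalize(email)
    last = _last_request.get(email)
    if last is not None and now - last < MIN_REQUEST_GAP:
        return None
    _last_request[email] = now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, well beyond "20 digits"
    # Overwriting the entry means only the most recently issued link is valid.
    _pending[email] = PendingLink(hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
    return token  # caller embeds ?email=...&token=... in the emailed URL


def redeem_link(email: str, token: str, now: float) -> bool:
    """Validate a clicked link; the token is looked up by email, so a bare token is useless."""
    email = _normalize(email)
    entry = _pending.get(email)
    if entry is None or now > entry.expires_at:
        _pending.pop(email, None)  # drop expired links
        return False
    candidate = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(candidate, entry.token_hash):  # constant-time compare
        return False
    del _pending[email]  # single use: null out the token as soon as login succeeds
    return True
```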

    2. 1

      Thanks a lot for the insights :) you rock! We were actually thinking about the redirection solution as well, although it makes for a bit of a messy UX. Also thought of using passcodes for those cases :) Thanks a lot!!

  3. 2

    I've implemented user auth what feels like a dozen times now. I've used magic links several times. While it's a flow that works well on desktop as well as when you have a native app on mobile, it can break pretty badly on iOS via Safari.

    Here's why: when someone clicks on a link in their email app (Gmail or Mail App), iOS creates a separate popup browser context. Whatever session cookies you save won't be present when they try to view the page in Safari; instead, they're confined to the email viewer's web view.

    Anyway, it's just something to keep in mind. I used to be a huge fan of magic link login, but having to manually copy and paste links into my browser in Safari (and not being able to just click them) has put me off the idea. :(

    1. 1

      Thanks for the insight - I wasn't aware of this issue

  4. 2

    As a developer who has thousands of online accounts, I can appreciate one that doesn't require me to save my password in a vault somewhere. Slack uses magic links very well.

    I find the option to send to my email or sms to be the best approach so far w/ magic links. This way, if I don't have my phone or my "usual" device nearby, I can simply login to my email client and get the magic link from any device. The con of this is when it doesn't work. Sometimes email clients are finicky and block or place the email in spam which can be frustrating to find. Having a password login alternative is almost always a safe bet. The pro is when it does work... magic links are wonderful for the end user and reduce the friction and frustration of remembering a password for a service.

    Side note, would be happy to test / be a beta tester for such an API or service.

    1. 1

      Thanks for the feedback - Very appreciated :) We'll let you know if we decide to go after it

  5. 2

    User management is such a nightmare, isn't it? Even if you use something like Firebase Users, there's just so much to do around Auth etc. I think magic links can be a great option, in addition to other login types. That being said, we're going to be operating exclusively off of magic links on consentry.org for the time being, simply due to our time constraints with rollout. Would love it if you had a tool to make that easier!

    1. 1

      Thanks for the feedback - yep, I have used Firebase too :) I'll keep you posted if we decide to tackle it. Stay safe and healthy

