What is Magic Link Authentication?
A passwordless login method that sends a unique, time-limited link to your email address, granting access when clicked.
Magic links eliminate passwords entirely — you log in by clicking a link sent to your email.
How It Works
- User enters their email address
- Server generates a unique, time-limited token
- An email with a login link containing the token is sent
- User clicks the link and is authenticated
- The token expires after use or after a timeout
Security Properties
- No password to crack or phish: security depends on the security of the email account instead
- Time-limited: Links expire (typically 5-15 minutes)
- Single-use: Each link works only once
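The issue-and-redeem flow from "How It Works", with the time-limited and single-use properties enforced server-side, as an added example (not code from any particular service). The class name, the app.example URL, the 10-minute lifetime, and the choice to store only a hash of the token are assumptions of this sketch.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 10 * 60  # assumed lifetime, inside the typical 5-15 minute range


class MagicLinkStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Generate a token and return the login URL to send by email."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        return "https://app.example/login?token=" + token  # placeholder host

    def redeem(self, token):
        """Return the email the token was issued for, or None if invalid."""
        # pop() deletes the record before any other check, so a second
        # click on the same link can never succeed (single-use).
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None          # unknown token, or already used
        email, expires_at = record
        if self._clock() > expires_at:
            return None          # link clicked after the timeout
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.com")  # constructed sample address
    token = link.split("token=", 1)[1]
    print("first click :", store.redeem(token))
    print("second click:", store.redeem(token))
```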
Trade-offs
- Security is only as strong as your email security
- Requires email access to log in (no offline access)
- Adds friction compared to passkeys
- Email delivery can be delayed
Best Practice
If a service uses magic links, make sure your email account has strong 2FA (hardware key or TOTP, not SMS).
Related Terms
Passkey
A passwordless authentication method using public-key cryptography, typically stored on your device and protected by biometrics or device PIN. Passkeys are phishing-resistant and designed to replace passwords entirely.
Single Sign-On
An authentication method allowing users to access multiple applications with one set of credentials. While convenient for users and administrators, SSO creates a single point of failure—compromise one account, compromise them all.