Notebook with many e-mail icons virtually flying above it symbolizing magic link request sent via e-mail.

Passwordless Authentication using Magic or Login Link

What is Passwordless Authentication?

With the increasing number of cyber-attacks on the classical password-based authentication method, passwordless authentication is becoming more and more popular. The authentication method is changed from something you know (the password) to something the user has (e.g., smartphone) or something the user is (e.g., fingerprint). There is no longer a need to remember a password.

Classic password-based authentication methods are not only vulnerable to cyberattacks but are also cumbersome for users. Everybody has lots of online services and app-logins to administer and it is very hard to remember all the necessary passwords. As a result, many users use the same login credentials for all their services, which makes one compromised password a catastrophe as now all logins are breached at once.

The passwordless authentication using a Magic Link requests login access by sending a message to the individual user’s e-mail or SMS account and is confirmed by clicking an embedded link. Every time the users wants to access the system, the process is repeated. As the click of the link gives access to the application the link is called “Magic” link.

There are, of course, more passwordless authentication methods, such as the use of biometric factors. Engity offers those methods as well and we invite you to consider them as they may be very appropriate for certain use cases.

Sign-up & Registration, Login Spinner, Magic Link Challenge

Passwordless Authentication using Magic Links at Engity

We at Engity call passwordless authentication the “trendy method” as it has become increasingly popular over the last years. And for good reason!

Sign-up & registration process with Engity's Magic Link authentication solution

Easy and straightforward: User registration or sign-up within the Magic Link authentication process is simply started by entering the personal e-mail address.

Browser spinner display with security pin for login

After having entered the personal e-mail, user is asked to look for an e-mail in the personal e-mail account containing a Magic Link to log in. At the same time a security code is displayed in the active browser which must be selected later in the process.

Engity's MagicLink Challenge or Pin for a secure login

Final step of the Magic Link login process: After having clicked the Magic Link in the received authentication e-mail, user must select the formerly provided security code within the Magic Link challenge.

Screenshot of a Magic Link Challenge tab while logging in

Engity has evaluated different Magic Link processes and has introduced an advanced alternative to them. We believe that a Magic Link alone is not secure enough and thus no longer state-of-the-art in terms of security standards. Hence, it needs some enhancements such as a Magic Link Challenge or pin, which Engity has implemented.

The idea is that the user is allowed to be directly admitted to the protected portal or database if a Magic Link login request has been started on the same smartphone or computer the link was sent to in the first place. If the user is trying to log in and confirm the Magic Link on a different device (e.g., smartphone and notebook), an additional security measure is necessary as cyber criminals could otherwise send a Magic Link request and hope that the owner of the e-mail is confirming the login request in error. Additionally, the login process is only active as long as the underlying browser window is open, and the loading indicator or spinner has not been terminated by the user.

Finally, Engity has ensured that the latest learnings in user design were implemented to guarantee the best user experience with the Magic Link authentication method.

Learn more!

Other Passwordless Methods

Biometrics

Based on the inherence factor, the user’s face, fingerprint, or voice are used to verify and authenticate the user and give them access.

One-time Passwords

Also called one-time codes. Like the Magic Link process but without clicking a link the user must input a sent code or password at a login page. Engity uses this as part of Multi-Factor Authentication and Device Logins without Keyboards.

Multi-Factor Authentication

Not passwordless per se, but rather a combination of different authentication methods to enhance security especially in higher-risk environments.

Want to Move towards Passwordless Authentication?

Don’t want your users to have to remember passwords, and you want to offer them a simple login method? Consider using a passwordless authentication using Magic (Login) Links. We support you on how to best implement it.