Passwordless *magic* link authentication

Does anyone have good experiences with the "magic link" style of authentication? I've been looking into Auth0 'authentication as a service', but I'm also wondering about just implementing my own (I use Django). Are there any security risks to simply generating a UUID that has an expiry date, sending an email with that UUID in a link, and logging in the appropriate account when they click the link?

Yeah, you can do that! I don't see any issues with a UUID.

0 Likes
Cody Author

Thanks for the feedback! I guess the security risk with any of these solutions is that you're essentially handing control of security to the user's inbox. I ended up using 'django-sesame' and it was super simple to set up.

0 Likes

The things you should make sure of are that your credential is revocable, and not something repeatable like a hash of an email or a user ID or something crazy like that.

In your case, revoking the magic link UUID would mean you going and deleting the UUID from your user's row in the DB, so you have that covered.

And generating a fresh UUID (and, during the login, checking to make sure it's the right one) means you have the repeatable thing covered.

0 Likes
Cody Author

Thanks Mike, I did make sure the code was one-time use, had a reasonable expiry, and could be manually removed if needed. These seemed like the most common 'extra' security features.

0 Likes
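The properties discussed in the thread (a random per-login UUID, an expiry, single use, and manual revocation by clearing the user's row) fit in a few dozen lines. The following is an added illustration written for this page, not code from the original posts or from django-sesame: it uses a plain in-memory dict and a `User` dataclass as a stand-in for the users table, a 15-minute TTL chosen as an assumption, and an injectable clock so the expiry path can be exercised without waiting. One detail beyond the thread: the row stores a SHA-256 hash of the UUID rather than the UUID itself, so a leaked database dump contains nothing that can be pasted straight into a login URL.

```python
import hashlib
import hmac
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumed policy (not from the thread): a link is valid for 15 minutes.
TOKEN_TTL = timedelta(minutes=15)


@dataclass
class User:
    """Hypothetical stand-in for a users-table row (not a Django model)."""
    email: str
    magic_token_hash: Optional[str] = None      # only a hash of the UUID is kept
    magic_token_expires: Optional[datetime] = None


def hash_token(token: str) -> str:
    # The raw UUID only ever exists in the emailed link; the DB holds its hash.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class MagicLinkStore:
    """Issue, redeem and revoke one outstanding magic link per user."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self.users: dict[str, User] = {}
        # Injectable clock so expiry can be tested deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))

    def add_user(self, email: str) -> None:
        self.users[email] = User(email)

    def issue(self, email: str) -> str:
        """Generate a fresh UUID for this user; returns the value to embed in the link."""
        user = self.users[email]
        token = str(uuid.uuid4())   # uuid4 draws its random bits from os.urandom
        # Overwriting the row means any earlier, unused link for this user is now dead.
        user.magic_token_hash = hash_token(token)
        user.magic_token_expires = self._now() + TOKEN_TTL
        return token

    def revoke(self, email: str) -> None:
        """Manual revocation: clear the token from the user's row."""
        user = self.users[email]
        user.magic_token_hash = None
        user.magic_token_expires = None

    def redeem(self, token: str) -> Optional[str]:
        """Return the email to log in, or None. A successful redeem consumes the token."""
        digest = hash_token(token)
        for user in self.users.values():
            if user.magic_token_hash is None:
                continue
            if not hmac.compare_digest(user.magic_token_hash, digest):
                continue
            if self._now() > user.magic_token_expires:
                self.revoke(user.email)     # expired: clean up and refuse
                return None
            self.revoke(user.email)         # single use: consume before logging in
            return user.email
        return None


if __name__ == "__main__":
    store = MagicLinkStore()
    store.add_user("alice@example.com")        # constructed sample account
    link_token = store.issue("alice@example.com")
    print("first click  ->", store.redeem(link_token))   # alice@example.com
    print("second click ->", store.redeem(link_token))   # None: already used
```

In a real Django view the `redeem` lookup would be a single query on the token-hash column rather than a scan over users, and the successful branch would call the session login; the ordering (consume the token, then establish the session) is the part worth keeping, since it is what makes a replayed link harmless.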
