
vincent15000

Authentication with a magic link: secure or not secure?

Hello,

I just read this article.

https://ownid.com/blog/the-rise-and-fall-of-magic-links/

But I'm not entirely ok with it.

The article says that if the magic-link email is intercepted by an attacker, or the email account is compromised, it's insecure.

But the problem is the same with a password. For example, when a user has forgotten his password and needs to reset it, the reset-link email can be intercepted by an attacker; or, if the email account is compromised, an attacker can directly use it to request a password reset link and then log in to the application.

What is your opinion about this article ?

Thanks for your answer.

V

0 likes
3 replies
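As an added illustration of the point made in the post above (this is example code written for this page, not code from the thread, the linked article or any project), here is a minimal e-mailed one-time-token service that backs both a magic-link login and a password reset. It shows that the two flows share one trust boundary, whoever reads the mailbox gets the link, while still controlling what the server can: unguessable single-use tokens, hashed at rest, short expiry, bound to one purpose and one account. The in-memory store and the `outbox` list stand in for a database and a mail sender; the URL layout, the host `example.test` and the addresses are assumptions.

```python
"""Added example, not code from the forum thread: an e-mailed one-time-token
service serving both magic-link login and password reset.  Store, mailer,
URL layout and addresses are stand-ins / assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # short window limits how long an intercepted e-mail stays useful


@dataclass
class PendingToken:
    email: str
    purpose: str       # "login" (magic link) or "reset" (password reset)
    expires_at: float


class EmailTokenService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._store: Dict[str, PendingToken] = {}        # sha256(token) -> record
        self.outbox: List[Tuple[str, str]] = []          # (recipient, url): mailer stand-in

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored: a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, purpose: str) -> str:
        if purpose not in ("login", "reset"):
            raise ValueError("unknown purpose")
        token = secrets.token_urlsafe(32)                # 256 bits from the OS CSPRNG
        self._store[self._digest(token)] = PendingToken(
            email=email, purpose=purpose, expires_at=self._clock() + TOKEN_TTL_SECONDS)
        # Hypothetical route; whatever the app uses, the token is the whole secret.
        self.outbox.append((email, f"https://example.test/auth/{purpose}?token={token}"))
        return token

    def redeem(self, token: str, purpose: str) -> Optional[str]:
        """Return the authenticated address, or None.  pop() makes every token
        single-use whatever the outcome, and all failures look alike so a
        caller cannot tell 'unknown' from 'expired' from 'already used'.
        A plain lookup on the digest is fine: the digest is one-way, so timing
        on it reveals nothing about the token itself."""
        record = self._store.pop(self._digest(token), None)
        if record is None or record.purpose != purpose:
            return None
        if self._clock() > record.expires_at:
            return None
        return record.email


def demo() -> Dict[str, object]:
    """Walk both flows on a controllable clock and collect the outcomes."""
    now = [1_000_000.0]
    svc = EmailTokenService(clock=lambda: now[0])
    out: Dict[str, object] = {}

    # Magic-link login: the first click logs in, the second does not.
    t = svc.issue("alice@example.test", "login")
    out["login_ok"] = svc.redeem(t, "login")
    out["login_replay"] = svc.redeem(t, "login")

    # Reset link presented to the login endpoint: purpose binding rejects it.
    t = svc.issue("alice@example.test", "reset")
    out["reset_used_as_login"] = svc.redeem(t, "login")

    # Reset link redeemed after the TTL: expired.
    t = svc.issue("alice@example.test", "reset")
    now[0] += TOKEN_TTL_SECONDS + 1
    out["reset_expired"] = svc.redeem(t, "reset")

    # Reset link redeemed in time.
    t = svc.issue("alice@example.test", "reset")
    out["reset_ok"] = svc.redeem(t, "reset")

    # The point of the thread: whoever can read the mailbox holds the same
    # secret, for a magic link and for a reset link alike.
    svc.issue("alice@example.test", "login")
    leaked_url = svc.outbox[-1][1]
    out["attacker_with_mailbox"] = svc.redeem(leaked_url.split("token=", 1)[1], "login")
    out["mails_sent"] = len(svc.outbox)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Nothing in the server-side controls changes the conclusion of the last step: the hashing, TTL and single-use rules shrink the window and the blast radius, but the mailbox remains the factor being authenticated, which is exactly why the replies below point at a second factor that does not travel over email.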
Snapey

Yes, your summary is accurate, which is why we have 2FA.

On a low-risk site's FAQ, I wrote:

Can I login with a password?

We have eliminated passwords on this site for several important reasons.

People forget passwords and then have to go through the process of resetting their password, which is not much different to just asking to be let in as we do now.

People use the same password for multiple sites. This means that if another site is compromised your password might work on this site also.

If SpeakerNet site is compromised and your password obtained, we don’t want to be responsible for you having also used it for your banking.

We can’t imagine a scenario where you would want to give someone else your username and password so that they can access the site on your behalf.

1 like
vincent15000

@Snapey You have written this on a low-risk site's FAQ.

So you seem to think that a password is absolutely required if it's a high-risk site?

Snapey (Best Answer)

@vincent15000 For 'low risk' sites, either option is the same level of security. There is nothing to choose between them, to be honest. If your email account is compromised then you are screwed either way.

High-risk sites should use two-factor authentication or single sign-on (not using the email channel).

1 like
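As an added example of the second factor recommended in the answer above (written for this page, not code from the thread or from any project), here is RFC 6238 TOTP on top of RFC 4226 HOTP. The shared secret is enrolled once on the user's device (the `otpauth://` URI is what the enrollment QR code encodes) and never travels through email, so a compromised mailbox does not yield it. The verifier tolerates one 30-second step of clock drift and remembers the last accepted step so a captured code cannot be replayed. The secret is the RFC test value and the account and issuer names are made up; `SpeakerNet` is only borrowed from the FAQ quoted earlier.

```python
"""Added example, not code from the forum thread: RFC 6238 TOTP as a second
factor that does not depend on the e-mail channel.  Secret is the RFC test
vector; account and issuer are assumptions."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Dict, Optional

DIGITS = 6
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Key URI format that authenticator apps read from the enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    def __init__(self, secret: bytes, window: int = 1,
                 clock: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._window = window                  # steps accepted either side of "now"
        self._clock = clock
        self._last_step: Optional[int] = None  # highest step already accepted

    def verify(self, code: str) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        current = int(self._clock()) // STEP_SECONDS
        for step in range(current - self._window, current + self._window + 1):
            if self._last_step is not None and step <= self._last_step:
                continue                       # at or before an accepted step: replay
            if hmac.compare_digest(hotp(self._secret, step), code):
                self._last_step = step
                return True
        return False


def demo() -> Dict[str, object]:
    secret = b"12345678901234567890"           # RFC 4226/6238 test secret; never hard-code a real one
    now = [59]                                 # fixed clock: step 1 is current, steps 0 and 2 are in the window
    v = TotpVerifier(secret, clock=lambda: now[0])
    return {                                   # dict literals evaluate left to right
        "uri": provisioning_uri(secret, "alice@example.test", "SpeakerNet"),
        "code_now": totp(secret, now[0]),           # "287082": RFC 6238 vector for T=59
        "one_step_behind": v.verify(hotp(secret, 0)),  # True: drift tolerated
        "current": v.verify(hotp(secret, 1)),          # True
        "replay": v.verify(hotp(secret, 1)),           # False: already accepted
        "one_step_ahead": v.verify(hotp(secret, 2)),   # True
        "stale_after_ahead": v.verify(hotp(secret, 0)),  # False: older than last accepted
        "garbage": v.verify("not-a-code"),             # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `_last_step` check is what turns "a code is valid for about 90 seconds" into "a code is valid once": without it, an attacker who shoulder-surfs or phishes a code in real time can reuse it within the window. The same replay rule is why a server should persist the last accepted step per user rather than keep it in process memory.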
