Sounds like you are on the right track. If in doubt, take a look at how the packages are doing it; if it's the same way, then you are on the right track ;)
@vincent15000 Your path is the one I'd follow unless I needed additional features that one of the many magic packages provides. Be sure to write a test for it too!
@Braunson To have a more secure passwordless authentication, some authentication services identify the device or the location of the user when he logs in (and the user receives an email notifying him that somebody has logged in from a new device / location).
How is it possible to retrieve the device / location of a user?
Only via some headers like the User-Agent or via an API to locate a user by his IP address?
@vincent15000 Are you worried that the magic link will be shared outside the user it's emailed to? I think if you want to track sessions, take a look at Laravel Jetstream's Browser Sessions in the GitHub repository for how to do that. Then if you implement that, you can just have an event and listener for user login that emails that user if they are logging in from a new device/location?
If you wanted to be specific with device/location, you'll need to track the device, IPs and use a third party to determine the location of the IPs as some people have changing IPs depending on their ISP.
I'd stick with the Magic link to start and integrate Browser Sessions personally unless there's a business/compliance requirement for the extra features you've mentioned.
@vincent15000 Same thing could be said about 2FA via Email or Text, it can be intercepted. I'd still defer to my previous comment about manually tracking device/browser/IP in the DB to match the login as "familiar device/user" OR you can embed it in the signed link and check against that information once you decode the signed link.
@vincent15000 as I said before, if your email is not secure then you may as well go to the country and become a farmer.
At the end of the day, virtually ALL access controls and account recovery reduce to sending the user an email.
If you want to detect when the user connects from an unknown device then the best solution is to give their device a cookie. If they log in from a device with no cookie present then you can provide some additional challenge like asking to confirm something they know that they previously shared with you.
I imagine the most secure way to authenticate a user with a magic link is by sending the temporary signed link to the user at the email address saved in the database. Jeffrey Way published his Larabit on YouTube on making a passwordless authentication system which does what you are looking to do. Maybe you could get some ideas from his video. He uses Breeze and modifies it to work like what you described.
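The temporary signed link with device information embedded in it, and the device cookie check, both suggested in this thread, shown together as an added example. It is not part of any post and is not Laravel's or any package's own code: it is plain PHP, and the key, URL, timestamp and the helper names `makeMagicLink` and `checkMagicLink` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo key; a real application would load its secret from configuration.
const LINK_KEY = 'constructed-demo-key-not-for-production';

// Hypothetical helper: build an expiring link bound to the device that requested it.
function makeMagicLink(string $base, int $userId, string $deviceId, int $ttl, int $now): string
{
    $params = [
        'user'    => $userId,
        'expires' => $now + $ttl,
        'device'  => hash('sha256', $deviceId), // only a hash of the cookie goes in the URL
    ];
    ksort($params);
    $params['signature'] = hash_hmac('sha256', http_build_query($params), LINK_KEY);
    return $base . '?' . http_build_query($params);
}

// Hypothetical helper: 'ok', 'challenge' (valid link, unfamiliar device) or 'reject'.
function checkMagicLink(string $url, ?string $deviceCookie, int $now): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    $given = $params['signature'] ?? '';
    unset($params['signature']);
    ksort($params);
    $expected = hash_hmac('sha256', http_build_query($params), LINK_KEY);
    if (!is_string($given) || !hash_equals($expected, $given)) {
        return 'reject'; // forged or modified link
    }
    if ($now > (int) ($params['expires'] ?? 0)) {
        return 'reject'; // link has expired
    }
    $sameDevice = $deviceCookie !== null
        && hash_equals((string) ($params['device'] ?? ''), hash('sha256', $deviceCookie));
    return $sameDevice ? 'ok' : 'challenge'; // unfamiliar device: challenge and notify by email
}

$now    = 1700000000;                 // constructed timestamp
$cookie = bin2hex(random_bytes(16));  // device cookie set when the link was requested
$link   = makeMagicLink('https://app.example/login', 42, $cookie, 900, $now);

echo checkMagicLink($link, $cookie, $now + 60), PHP_EOL;          // same device, in time
echo checkMagicLink($link, null, $now + 60), PHP_EOL;             // device without the cookie
echo checkMagicLink($link, $cookie, $now + 3600), PHP_EOL;        // after expiry
echo checkMagicLink(str_replace('user=42', 'user=43', $link), $cookie, $now + 60), PHP_EOL; // edited link
```

The link stays usable until it expires; making it single use needs server-side state, such as a stored token that is deleted on first login.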