Magic Link
A magic link is a single-use, time-limited URL sent to a user's email or phone that signs them in when clicked, removing the need to enter a password.
Also: magic link, email login link
A magic link signs a user in by sending a single-use, short-lived URL to a channel they control, usually email. Clicking the link proves the user can access that inbox and starts an authenticated session, so there is no password to remember or enter.
The appeal is low friction and simple recovery, since the same mechanism that logs the user in also re-establishes access if they are locked out. The weaknesses follow from the channel: anyone with access to the inbox can use the link, delivery can be slow, and links can be phished if a user is tricked into requesting and forwarding one.
For CIAM, magic links remove the password but inherit the security of email. They suit lower-risk products and are often offered alongside passkeys, which provide stronger, phishing-resistant sign-in for accounts that need it.
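The single-use, short-lived properties described above can be enforced server-side as in the following sketch. It is an added example, not code from any particular product; the class name `MagicLinkStore`, the helper `token_from_url`, the 10-minute lifetime and the `app.example.com` URL are all assumptions made for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import urlparse, parse_qs

TTL_SECONDS = 600  # assumed lifetime; the text only says "short-lived"
BASE_URL = "https://app.example.com/auth/magic"  # placeholder URL


class MagicLinkStore:
    """In-memory store; a real service would use a database with an atomic delete."""

    def __init__(self, now=time.time):
        self._pending = {}  # sha256(token) -> (email, expires_at)
        self._now = now     # injectable clock so expiry can be tested

    def issue(self, email):
        """Create a link for this email and remember only the token's hash."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Storing the hash means a leaked table does not yield usable links.
        self._pending[digest] = (email, self._now() + TTL_SECONDS)
        return f"{BASE_URL}?token={token}"

    def redeem(self, token):
        """Return the email to sign in, or None if unknown, already used or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() consumes the entry before any other check, so a second
        # click or a replayed URL always fails, even if the first was expired.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


def token_from_url(url):
    """Extract the token query parameter from a link produced by issue()."""
    return parse_qs(urlparse(url).query)["token"][0]
```

The caller should start the authenticated session only when `redeem` returns an email, and should give the same generic error for unknown, used and expired tokens.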