"Link protect" software breaks passwordless auth

Hi there, we use passwordless-email auth. One of our customers has some awful “Mimecast” security software, it runs all emailed links through a proxy. This breaks passwordless login for them; I think because the link-protection software tries to generate a preview and thus consumes the token, and then the user’s browser visits the link but it’s already been visited.

Does anyone have any suggestions to work around this? Is there a way to allow emailed links to be used twice?

Quite a difficult case. Let me do some research and get back to you once I find something!

Hey there again!

Unfortunately I wasn’t able to find anything useful, and it’s not possible to use emailed links twice.

Hey @konrad.sopala, we’re running into the same situation (we’re unsure if it’s also Mimecast or if it’s the Outlook link preview or something similar).

The user receives an email which then gets crawled / checked / previewed (we noticed a high number of Microsoft IP addresses causing that error), which leads to the token being consumed and the user being unable to log in and getting their account blocked if they try requesting a few more login links.

So some of our users are not able to log in anymore because of that problem.

Let me try to report it internally to one of the engineering teams and see what they can share on that front!

I’d like to +1 this issue, as we run into the same thing, discussed here.

Many of our corporate users (who disproportionately use Outlook) are unable to log in using passwordless links, because by the time they click the link, it’s expired due to either URL sanitizing or Outlook’s Link Preview. If they use their personal Gmail accounts instead, they are able to log in.

I’m not entirely sure what can be done about this without reducing security, but if the tokens were at least time-limited (10 minutes?) instead of single-use, that would likely resolve our issue and keep us from having to implement an alternative login method. And perhaps Microsoft secretly has an attribute you can add to link tags to disable Link Preview on that link? (Wouldn’t help with server-side sanitizing.)

@konrad.sopala, I’m hoping for good news from the engineering team! :grin:
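The time-limited token suggested in the post above, as an added example that is not part of the thread or of any auth provider's code: a stateless HMAC-signed token valid for 10 minutes is compared with a single-use token when a link scanner fetches the link before the user does. All names, the signing key and the timestamps are constructed for illustration.

```python
import base64, hashlib, hmac, secrets

SECRET = secrets.token_bytes(32)  # assumed server-side signing key
TTL_SECONDS = 600                 # the 10-minute window suggested in the post

class SingleUseStore:
    """Behaviour described in the thread: the first fetch burns the token."""
    def __init__(self):
        self._pending = {}
    def issue(self, email):
        token = secrets.token_urlsafe(32)
        self._pending[token] = email
        return token
    def redeem(self, token):
        return self._pending.pop(token, None)  # gone after one use

def issue_token(email, now):
    """Signed token that carries its own expiry; no server-side 'used' flag."""
    payload = f"{email}|{int(now) + TTL_SECONDS}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    enc = lambda b: base64.urlsafe_b64encode(b).decode()
    return enc(payload) + "." + enc(sig)

def verify_time_limited(token, now):
    """Return the email if the signature is valid and the token is unexpired."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or altered token
        email, expiry = payload.decode().rsplit("|", 1)
        return email if now < int(expiry) else None
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token

def simulate(now=1_700_000_000):
    """Constructed timeline: scanner fetch at +5 s, user click at +60 s, late click at +601 s."""
    email = "user@example.com"
    store = SingleUseStore()
    t1 = store.issue(email)
    single_use = [store.redeem(t1), store.redeem(t1)]  # scanner, then user
    t2 = issue_token(email, now)
    timed = [verify_time_limited(t2, now + d) for d in (5, 60, 601)]
    return single_use, timed
```

Within the validity window the time-limited link can be replayed by anyone who holds it, including the scanning proxy, which is the security trade-off the post refers to.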

One option to consider is sending a code instead of a link.