Magic Link security


I am wondering how secure is the email magic link solution. It is said in the doucmentation that :
With magic link transactions, both the initial request and its response must take place in the same browser or the transaction will fail .

  • Does it mean that if i click on the link in the same type of browser on an other computer (Chrome on both sides), the link will actually not allow me to be authentificate ?
  • If so, how does this work ? Are the request ip and receiver ip compared ?

This could be a good alternative to the SMS OTP

Thank you

1 Like

Hi @Singtah,

Welcome back to the community.

No, this should not work. Passwordless magic link uses a state parameter to keep track of the transaction. The request from the email opening must come from the same browser.

If you switched the browser it would not have a correct state and would throw an invalid state error.

Hope this helps,

1 Like

hi @dan.woda,

Thank you for your answer.
Ok that sounds good! Do you have any documentations on the different parameters that are held in the state ?

I am trying to figure out whether the Magic Link is a Knowledge or a Possession factor. It’s not a simple question but you might already have an answer :slight_smile:

Thank you for your help.


Email isn’t typically going to work as a second factor in addition to a password if that is what you are thinking.

Since passwords are reset via email, password and email magic link would boil down to a single factor. For example, a bad actor with access to a user’s email account could reset the password via email and click the magic link, all in one go. They would not need more than the user’s email account, which may be protected via a single weak or compromised password anyways.

Check out this line from our email mfa docs:

Note that Email is not true multi-factor authentication (MFA) as it does not represent a different factor than the password. It does not represent ‘something I have’ or ‘something I am’, but rather just another ‘something I know’ (the email password). It is also weaker than other factors, in that it’s only as secure as the email itself (e.g. is it encrypted end-to-end?).

If you are looking for security, authenticator apps are a good solution.

If you talk a little bit more about your setup and concerns we can try and work through a solution that works for you.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.