We have been using the email-based passwordless auth for several months, and it has worked extremely well. However, recently some of our customers have switched to using Mimecast for email security. One of the features of the Mimecast service is that it tests all the links in an email for malware.
The end result is that the Mimecast service is triggering the OTP link in the Auth0 email before it reaches the customer’s inbox… and therefore guaranteeing an authentication error.
Has anyone else run into this? What workarounds have people found?
Thanks for the suggestion, Tanver. Unfortunately that specific workaround is only to bypass the spam assessment, but it does provide a useful route of investigation.
After a day of work, we have found there isn’t an optimal solution for this issue that preserves the frictionless experience of email magic links. Essentially, if your customers use Mimecast or similar URL inspection services, you will have to decide to either:
Switch to using passwordless OTP codes
Ask your customer to work through whitelisting messages from your service
Both approaches increase login friction. We have decided to implement a variation of OTP codes. We plan to create 2 tenants - one using passwordless OTP codes & one using passwordless links. We will onboard our customers to both tenants, so they can choose which to use. However, we default to passwordless links as it has lower friction. We’re working on the detection method to spot this kind of issue & the UX to guide our customers to the most reliable solution for them. But ultimately it is a business decision to spend $0.03 more per customer per month to prevent them from needing to change their security appliances in order to fit our needs.
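The failure mode described in this thread, as an added example (not Auth0, Mimecast or the poster's code; `MagicLinkService`, `run_scenario` and the 600-second token lifetime are assumptions): a single-use magic link whose token is redeemed on any GET is consumed by a URL-inspection appliance that pre-fetches the link in transit, so the real user's click fails. The same simulation shows one common counter-pattern, an interstitial page that never touches the token on GET and only redeems it on an explicit POST triggered by the user's click, so an automated fetch is harmless.

```python
"""Simulates a URL-inspection appliance pre-fetching a single-use magic link
before the user sees it, comparing a 'redeem on GET' endpoint with one that
only redeems on an explicit POST.

Added example for this thread, not Auth0 or Mimecast code; class and function
names are hypothetical and the sample addresses and clock are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 600  # assumed lifetime of a magic-link token


@dataclass
class IssuedToken:
    email: str
    expires_at: float
    used: bool = False


@dataclass
class MagicLinkService:
    # True reproduces the failure mode in the thread: any GET redeems the token,
    # so a scanner fetching the URL in transit "logs in" and burns the link.
    consume_on_get: bool
    _tokens: Dict[str, IssuedToken] = field(default_factory=dict)

    def issue(self, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe
        self._tokens[token] = IssuedToken(email, now + TOKEN_TTL_SECONDS)
        return token

    def _redeem(self, token: str, now: float) -> Optional[str]:
        rec = self._tokens.get(token)
        if rec is None or rec.used or now > rec.expires_at:
            return None
        rec.used = True  # single use: a replay or second click fails
        return rec.email

    def handle(self, method: str, token: str, now: float) -> Tuple[int, str]:
        """Return (HTTP status, body) for a request to the magic-link URL."""
        if method == "GET":
            if self.consume_on_get:
                email = self._redeem(token, now)
                if email is None:
                    return 401, "link invalid, expired or already used"
                return 200, f"logged in as {email}"
            # Interstitial: GET never touches the token store, so an automated
            # fetch is harmless; the page asks for a click that submits a POST.
            return 200, "confirm page: click to finish signing in (submits POST)"
        if method == "POST":
            email = self._redeem(token, now)
            if email is None:
                return 401, "link invalid, expired or already used"
            return 200, f"logged in as {email}"
        return 405, "method not allowed"


def run_scenario(consume_on_get: bool) -> Dict[str, object]:
    """Scanner fetches the link at t+1s, the user opens it at t+60s and clicks
    at t+61s, a replay follows at t+62s, and a second token is tried after
    expiry. Returns the status of each step plus whether the scanner's fetch
    consumed the token."""
    svc = MagicLinkService(consume_on_get=consume_on_get)
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    token = svc.issue("alice@example.com", now=t0)

    scanner_get, scanner_body = svc.handle("GET", token, now=t0 + 1)
    user_get, _ = svc.handle("GET", token, now=t0 + 60)
    user_post, _ = svc.handle("POST", token, now=t0 + 61)
    replay_post, _ = svc.handle("POST", token, now=t0 + 62)

    late_token = svc.issue("bob@example.com", now=t0)
    late_post, _ = svc.handle("POST", late_token, now=t0 + TOKEN_TTL_SECONDS + 1)

    return {
        "scanner_get": scanner_get,
        "scanner_consumed": scanner_body.startswith("logged in"),
        "user_get": user_get,
        "user_post": user_post,
        "replay_post": replay_post,
        "late_post": late_post,
    }


if __name__ == "__main__":
    print("redeem on GET (thread's failure mode):", run_scenario(True))
    print("redeem only on POST (interstitial):  ", run_scenario(False))
```

With `consume_on_get=True` the scanner's fetch returns a logged-in page and the user's later GET and POST both get 401, which is the "guaranteed authentication error" above. With the interstitial variant the scanner only sees the confirmation page and the user's POST succeeds, while a replayed POST and an expired token are still rejected. The caveat is that this is not scanner-proof: an appliance that executes page scripts or submits forms would still consume the token, and the extra click is itself friction, so it does not contradict the poster's conclusion that there is no fully frictionless fix.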