Passwordless login breaks for many users on corporate e-mail domains

We get lots of reports from users, who are using corporate e-mail domains, failing to sign up and log in with the passwordless login mechanism on our application. They receive our login e-mail, but when they click the link, they’re not able to complete the process. It’s like the token had expired immediately.

If I look into the logs, I see several instances of “Failed Login (wrong password)” (but also “Success Exchange” and “Success Login”) so I’m not sure what is happening. A friend tells me that some corporate e-mail services attempt to pre-visit links to make sure they’re not malicious, which uses up the token by the time it reaches the user. Is that something that’s happening here?

In nearly all cases, the user is able to sign in with a personal e-mail address (like their Gmail account), so it certainly seems that might be the culprit. How can I know for sure? Are there other culprits to investigate? And if corporate e-mails don’t play nice with Auth0, what’s the best way to address this?

Thanks!

Hi @louh,

Welcome to the Community!

This may be an issue with the email client opening the link. I have seen that mentioned before, although I can’t find a solution for it here.

Is it possible to switch to single-use codes instead of magic links?

Hi Dan,

Thanks for the speedy response. I will try to research whether it’s possible email clients interfere with magic links.

We don’t have a single-use code UI, although that’s something we can explore.

Would it be possible to send both single-use codes AND magic links through the same e-mail? Or is it always one or the other?

The endpoint triggers either a code or a link, so this wouldn’t be a readily available option.
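
One way to test the pre-visit theory from the original question against exported logs, as an added example that is not part of this thread and not Auth0's own code: it flags addresses where one client redeemed the link and a different client failed shortly afterwards. Only the three event names come from the question; the record fields (`time`, `email`, `event`, `ip`, `ua`), the 10-minute window and the sample data are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Event names as quoted in the question; everything else is an assumption.
SUCCESS = {"Success Exchange", "Success Login"}
FAILURE = {"Failed Login (wrong password)"}

# Constructed sample records (hypothetical field names, documentation IPs).
FIELDS = ("time", "email", "event", "ip", "ua")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("2024-01-10T09:00:03Z", "alice@corp.example", "Success Exchange", "198.51.100.7", "LinkScanner/1.0"),
    ("2024-01-10T09:00:03Z", "alice@corp.example", "Success Login", "198.51.100.7", "LinkScanner/1.0"),
    ("2024-01-10T09:02:40Z", "alice@corp.example", "Failed Login (wrong password)", "203.0.113.25", "Mozilla/5.0"),
    ("2024-01-10T09:05:00Z", "bob@gmail.com", "Success Login", "203.0.113.80", "Mozilla/5.0"),
    # Same client succeeds, then fails: a user re-clicking a used link, not a scanner.
    ("2024-01-10T10:00:00Z", "carol@corp.example", "Success Login", "203.0.113.31", "Mozilla/5.0"),
    ("2024-01-10T10:01:00Z", "carol@corp.example", "Failed Login (wrong password)", "203.0.113.31", "Mozilla/5.0"),
]]

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def suspected_prefetch(records, window=timedelta(minutes=10)):
    """Return (email, success, failure) where a different client failed
    within `window` of another client's successful redemption."""
    by_email = {}
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        by_email.setdefault(rec["email"].lower(), []).append(rec)
    hits = []
    for email, events in by_email.items():
        last_success = None
        for ev in events:
            if ev["event"] in SUCCESS:
                last_success = ev
            elif ev["event"] in FAILURE and last_success is not None:
                gap = parse_time(ev["time"]) - parse_time(last_success["time"])
                other_client = (ev["ip"], ev["ua"]) != (last_success["ip"], last_success["ua"])
                if gap <= window and other_client:
                    hits.append((email, last_success, ev))
                    last_success = None  # report each consumed link once
    return hits

def hits_by_domain(hits):
    """Count suspected pre-visits per recipient domain."""
    return Counter(email.split("@", 1)[1] for email, _, _ in hits)

if __name__ == "__main__":
    for email, ok, fail in suspected_prefetch(SAMPLE):
        print(email, "redeemed by", ok["ip"], ok["ua"], "then failed from", fail["ip"])
```

Hits that cluster on corporate domains, with the redeeming client repeating across different recipients, would support the pre-visit explanation.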
