 

magic links, how do they work


Some mobile apps, notably Slack, are using magic URLs for authentication. I'm having some trouble finding resources on implementation, and most importantly, whether Android has a similar method for this.

My understanding is that the server would issue an e-mail with this magic link (something along the lines of app://gf234h23f4j234342342), the link will then be passed on to a registered app, which could then use this information to contact the server to get information on the user. Is this correct? If so, Gmail seems to have issues recognizing this as a URL, how is this resolved?

Cenoc asked Jul 11 '16 21:07




1 Answer

One way of approaching this is to encode trusted data as a JSON web token (JWT) that's digitally signed. This is then passed to the server by the application, and the server verifies its authenticity.

As you've mentioned, Gmail and some other software don't recognise custom URL schemes like app://. To work around this, provide an HTTPS link to your server of a similar form (e.g. https://example.com/redirect/gf234h23f4j234342342), which then performs an HTTP redirect to the custom URL scheme using the information provided in the HTTPS URL. As an optimisation, you can also set up a universal URL on iOS 9+ in order to direct the HTTPS URL directly to your application without having to bounce through Safari.

This answer describes the Android approach in detail.

Jim answered Sep 28 '22 03:09
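A server-side sketch of the signed-token flow described in the answer above, added here as an illustration and not part of the original answer. It builds an HS256 JWT with the standard library and goes beyond the answer by adding an expiry and single-use check; the 15-minute lifetime, the in-memory `USED_JTI` store and all function names are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # server-side signing key (constructed for this demo)
TTL_SECONDS = 900                 # assumed lifetime; the answer does not give one
USED_JTI = set()                  # stand-in for a persistent store of redeemed token ids

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return b64e(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_link(email, now=None):
    """Return the HTTPS link that would be e-mailed to the user."""
    now = time.time() if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": email, "exp": int(now) + TTL_SECONDS,
              "jti": secrets.token_urlsafe(16)}
    body = b64e(json.dumps(claims).encode())
    return f"https://example.com/redirect/{header}.{body}.{sign(header + '.' + body)}"

def redeem(token, now=None):
    """Return the e-mail the token was issued for, or None if it must be rejected."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        # Check the signature first, in constant time, before trusting any field.
        if not hmac.compare_digest(sig, sign(f"{header}.{body}")):
            return None
        # Pin the algorithm instead of honouring whatever the header asks for.
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return None  # malformed token, bad base64 or bad JSON
    if now >= claims["exp"] or claims["jti"] in USED_JTI:
        return None  # expired, or already redeemed once
    USED_JTI.add(claims["jti"])
    return claims["sub"]
```

The app receives the token through the redirect and sends it back over HTTPS; only `redeem` on the server decides whether it is valid.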