I love magic links – why aren’t more services using them?
Using magic links instead of passwords is safe and easy but they’re still infuriatingly underused by businesses
 
 
As someone who spends a lot of time writing about cybersecurity, I often find myself at risk of sounding like a broken record when it comes to the frailties of using passwords to sign into digital services.
By now people are probably all too aware that passwords are an imperfect security solution.
The dangers of poor password hygiene have been well documented for years. Despite this, and despite a number of alternative solutions being available (passkeys, biometrics, single sign-on (SSO), and so on), we remain hooked on authenticating the old-fashioned way. But why?
One alternative to passwords that I’ve been using for a handful of digital services in my personal and professional life for the last few years is the magic link – and I’m pretty convinced of its efficacy, efficiency, and security.
A magic link is a URL with an embedded token that is sent to the user’s email address; when clicked, it automatically logs them into the service they are trying to access. Simple, right? They really make passwords feel like antiquated technology.
Instead of forcing the weary user through the all too familiar rigmarole of creating and recording a strong password for each and every platform they use on their computer, the magic link just necessitates they manage one password: the one for their email account.
Of course, it goes without saying that your email account should have at least one extra layer of protection, such as multi-factor authentication (MFA), but if you can ensure this is secure then using it to quickly sign into other services is a breeze, and I’m stumped why passwordless authentication is not more common today.
Today, most professionals, regardless of their specific role, are required to use a litany of environments and platforms. Multiple social media networks, a content management suite, analytics tools, development environments, and the inevitable unified communications as a service (UCaaS) in their daily workflow can all very quickly accumulate to become an overwhelming sea of tools and accounts you need to manage.
Because these sessions usually expire each day for security reasons, most professionals will have to repeat the process of signing in every morning. This is tedious and only becomes more frequent over time as new services are onboarded.
I’ve found the programs in my daily workflow that use magic links, such as Slack, make this process seamless and instant. I would suggest that many enterprises are losing productivity and sacrificing their security by not implementing magic links across more elements of their software portfolio.
Consigning popular password-based attacks to the past
As people are forced to constantly create and record an ever-expanding list of passwords, the fatigue becomes all too real. It’s inevitable the average professional will get complacent the longer this goes on and give up on creating a unique, strong password each and every time.
This is what cybercriminals are banking on when they conduct their brute force, password spraying, or credential stuffing attacks, and magic links could remove these weapons from their arsenal.
Reusing passwords is a bad habit that most people can’t seem to kick. Research from Bitwarden, who surveyed 2,400 individuals in the US, UK, Australia, France, Germany, and Japan, found that a quarter admitted to reusing passwords across at least 11 accounts; this would make them prime targets for credential stuffing attacks if just one of these accounts was compromised and uploaded to a dark web hacking forum.
Password spraying attacks are another common entry vector. Last year, we saw even the biggest companies fall prey to a seemingly simple error. In January 2024, it emerged that the Russian threat group Midnight Blizzard had accessed emails from Microsoft’s senior leadership team, after compromising a legacy account using a password spray attack.
This proves that even firms of the size and resources of Microsoft are not infallible and fall prey to using basic or already compromised passwords, so why should your business be any different?
Password managers are often raised as the panacea to this problem. While I use one in my day-to-day life, setting them up is far from seamless. Once established, they also need constant updates and reconfiguring to ensure they detect login fields, sync across devices, and more.
Magic links, in my opinion, would mitigate the aforementioned attack vectors, and remove all of the added stress, and often cost, of managing hundreds of passwords for every single service users need to access on a semi-regular basis.
And the security benefits of using magic links are not just exclusive to people who use these services from the front-end. If a service uses usernames and passwords to authenticate users, then a breach of the database containing these credentials could leave their customers’ accounts at risk, as well as any other services they’ve reused these passwords with.
Even if these passwords are hashed, there are still ways attackers may be able to recover the original password using rainbow tables or similar techniques, so hashed or not, you don’t want this data falling into the wrong hands. So why not get rid of it altogether?
Implementing magic links also requires minimal changes to an organization’s existing infrastructure and they can be stood up with fewer resources than other security layers like MFA or physical hardware-based tokens.
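The mechanism described earlier (a URL with an embedded token) and the point about not holding a password database can be sketched server-side as follows. This is an added example, not code from the article or from any service it names; the URL, the ten-minute lifetime, and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 600  # assumed validity window (10 minutes)
BASE_URL = "https://app.example.test/login/magic"  # placeholder URL


def _digest(token):
    # Only this hash is stored, so a leaked table holds no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkStore:
    """In-memory stand-in for the server-side table of pending logins."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (email, expires_at)

    def issue(self, email, now=None):
        """Create a one-time link; the caller emails it to the user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
        return f"{BASE_URL}?{urlencode({'token': token})}"

    def redeem(self, url, now=None):
        """Return the email to log in, or None if the link is not valid."""
        now = time.time() if now is None else now
        values = parse_qs(urlparse(url).query).get("token", [])
        if len(values) != 1:
            return None  # missing or duplicated token parameter
        # pop() makes the token single use: a replayed link finds nothing.
        record = self._pending.pop(_digest(values[0]), None)
        if record is None:
            return None  # unknown, guessed, or already used
        email, expires_at = record
        if now > expires_at:
            return None  # expired links are rejected and stay deleted
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("user@example.test")  # constructed sample address
    print(link)
    print(store.redeem(link))  # first click logs in
    print(store.redeem(link))  # second click is refused
```

The short lifetime and single use limit how long a link sitting in a mailbox remains useful to anyone who later reads it.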
Magic links are no silver bullet – but they’re halfway there
There are, of course, some caveats here. The email that delivers your magic link must be instant for the system to work properly. If you’ve ever had to wait for a password reset email you know how frustrating this process can be. Ensuring the login email arrives in your inbox quickly is imperative, or the efficiency of the system is totally lost.
The elephant in the room is the fact that by using magic links, any attacker with access to your email account suddenly has access to every service you use magic links to sign in with.
I would argue this isn’t necessarily a weakness with just magic links, however. For email-based authentication like magic links to be successful you need to ensure you have adequate security protections on your email account – but this really should be the bare minimum.
But even if you aren’t using magic links, the password reset option on most sign-in pages would mean most of your secure services are at risk if an attacker successfully takes over your inbox. As long as you are smart about keeping your email account secure and following a strong password policy, using magic links should be a very secure way to sign in.
Although I like the idea of going passwordless, it’s a ways off. In the short term, we can drastically reduce the cyber burden on workers through solutions such as magic links. Outside of core services that still require passwords and layers of MFA, there’s no reason to not embrace magic links on a massive scale.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.