When it comes to signing-in, “Magic Links” are magic in name only: comparing sign-in strategies

By Robert

Choosing the right sign-in strategy means balancing UX, conversion, and security. Magic links might have a supporting role in a contemporary service or app, but they should not be your primary sign-in method.

Key points:

  • The UX goal is for users to sign in to a service, app or website seamlessly, though not at the cost of security.
  • Relying on an email-based method as your primary sign-in strategy comes with clear downsides and risks. Email should be the exception for signing in, not the norm.
  • Passkeys are the gold standard, though we aren’t quite there yet.

When it comes to sign-in strategy, there shouldn’t be a one-size-fits-all answer.

Yet an increasing number of services are adopting magic links exclusively, to avoid passwords, password storage, and the risk headaches that come with both.

Many people love magic links (at least conceptually), while detractors cannot understand why a service would inflict such a poor user experience on itself.

Conclusion: Although magic links can have an important role, they’re slow and they break the sign-in flow. Having them as your only means of sign-in is generally inadvisable, and the data backs this up.

The ‘Seconds to Sign-In’ Study

Clerk, a US software company that builds user management tools, used its customer data to measure both the speed and the share of different sign-in strategies:

For the test, Clerk looked at 2.5 million sign-ins:

  • The speed to sign-in was measured as the time between (email submitted or Google button clicked) and (first factor verified).
  • Incompletions were filtered out of the results.
  • Other sign-in strategies such as ‘Passkey’ were not measured.

The results are conclusive:

  • Where users signed in directly on the website or app (Sign-in with Google and Password), the time to sign in is a fraction of that for the two email-based methods.
  • The average sign-in time with a magic link is just shy of a minute. That would ordinarily be conversion-crushing, and the fact that successful magic link sign-ins represented only 1.6% of the test suggests that conversion was indeed crushed.

From these numbers alone we can’t tell whether 65% of all sign-in attempts were Sign-in with Google because it is the fastest option, or simply because magic links are not a popular way to sign in.

Though objectively, if I had to choose a sign-in method, I know where my money would be.

Before reaching a few other conclusions, I’ll quickly break down these different sign-in strategies and their pros and cons.

1. Sign-in with Google

Sign-in with Google is fairly ubiquitous for anyone with a Google account: that is, pretty much all of us.

Sign-in with Google is a Google service that lets you sign in to third-party websites, apps, and services with your Google account. Apple and Microsoft offer similar services. Technically these are federated identity, built on OAuth 2.0 and OpenID Connect: the third-party site never sees your Google password, only a signed token that says who you are. They are commonly grouped under the banner of Single Sign-On (SSO).

Pros

  • Fast and convenient: It makes website registration and access easier, which is good for conversion and retention.
  • It is considered safe, especially with two-factor authentication (2FA) and Google’s technologies for detecting suspicious behaviour.
  • It is generally safer than a separate username and password for every site.
  • Mitigates password fatigue.
  • Only one account to secure, and one password to change, if your Google account is compromised (you should also revoke any sessions the attacker opened at the third-party sites).

Cons

  • Even more data for Google and potentially the third-party sites they then share your data with.
  • If your Google account is compromised, so is your sign-in with Google until you fix it.
  • Potentially harder to remove your digital footprint, as you log in here, there and everywhere with Sign-in with Google.

2. Password

No introduction is needed here other than ‘username and password’.

For many years, usernames and passwords were the only way to register and access a website or app.

However, their inherent vulnerability (data breaches, phishing, keylogging, and credential stuffing with reused passwords) has led to various strategies to make the username and password less vulnerable, and to move away from usernames and passwords altogether.

Some of these strategies have included:

  • Making passwords meet minimum requirements.
  • Requiring 2FA as part of the login process.
  • Secure password managers with alerts for when logins have been compromised.
  • Anonymised logins (such as ‘Sign in with Apple’ with Hide My Email), where a private relay email address is created per service so the service never learns your real address. Note that Sign in with Apple is itself a federated login: no per-service password is created or handed to the service.

However, the reality is that the username/password sign-in is dying, and over the next five years or so, more secure sign-in technologies are predicted to dominate.

Pros

  • You own the relationship with the service or app.

Cons

  • Unacceptably vulnerable to compromise and theft.
  • Not as user-friendly as other sign-in strategies.
  • It can be hard to remember all those usernames and passwords.
  • Passwords can be shared.
  • Passwords can be guessed.

3. Email OTP

Email One-time Passwords (OTP) are where the website or service emails you a one-time password/passcode.

This removes the need for a password and verifies that you are the owner of the registered email address or, at the very least, have access to it.

It’s not impenetrable, though it’s better than the username and password sign-in strategy.

Its fundamental drawback is its reliance on email.

Email is mail and therefore inherently slow compared to other channels. Email should be used for important but not urgent messages, and an OTP that someone is waiting on is urgent.

Of course, there are other ways to send an OTP:

  • Sending the OTP by text message.
  • Calling the user’s mobile and asking them to type in a series of digits shown in the incoming caller ID.

Both of these depend on the phone number rather than the inbox, and are exposed to SIM-swap and number-porting attacks, which is why NIST SP 800-63B classes phone-based OTPs as ‘restricted’ authenticators.

But the Clerk study focused on Email OTP, so we’re sticking to that:

Pros

  • Reasonably secure, provided codes are short-lived, single-use and rate-limited against guessing; like anything typed into a page, an OTP can still be phished.
  • Great for once-off or periodic access.

Cons

  • A complete misuse of email as a tool.
  • Inbox litter.
  • It is inefficient for super users if it is the only form of authentication.
  • Requires the user to leave their browser and access their email.

4. “Magic Link”

We’ve had magic links for a while now, though their usage has always been small compared to other sign-in strategies. It is growing, however.

Similar to Email OTP, a magic link is a single-use, time-limited link sent to an inbox. The link carries a random token; when it is clicked, the service checks the token and grants access.

The email address is thereby verified, and no password is required.
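Email OTP (section 3) and magic links are built from the same server-side parts: a random secret, only a hash of it stored, a short expiry, single use, a constant-time comparison, and an attempt counter for the short numeric code. The Go program below is an added example for this article, not code from the page or from Clerk. The callback URL, the in-memory map standing in for a database table, and the 10-minute lifetime are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// One error for every failure, so a response never reveals whether the id was
// unknown, the secret wrong, or the challenge expired or already used.
var ErrInvalid = errors.New("invalid, expired or already-used sign-in secret")

// pending is one outstanding email challenge. Only SHA-256(secret) is kept,
// so a leaked table cannot be replayed, just like a leaked password-hash table.
type pending struct {
	email    string
	hash     [32]byte
	expires  time.Time
	attempts int  // wrong guesses so far; this is what makes a 6-digit OTP safe
	used     bool // single use: set on the first successful redemption
}

// EmailAuth issues and redeems email-delivered secrets. The map stands in for a
// database table (constructed for this example); now is injectable for tests.
type EmailAuth struct {
	store       map[string]*pending // keyed by an opaque id sent alongside the secret
	ttl         time.Duration
	maxAttempts int
	now         func() time.Time
}

func NewEmailAuth(ttl time.Duration, maxAttempts int) *EmailAuth {
	return &EmailAuth{store: map[string]*pending{}, ttl: ttl, maxAttempts: maxAttempts, now: time.Now}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a CSPRNG failure is not something an auth system can work around
	}
	return b
}

// issue stores the hash of secret under a fresh random id and returns that id.
func (a *EmailAuth) issue(email, secret string) string {
	id := base64.RawURLEncoding.EncodeToString(randomBytes(16))
	a.store[id] = &pending{email: email, hash: sha256.Sum256([]byte(secret)), expires: a.now().Add(a.ttl)}
	return id
}

// IssueMagicLink returns the URL to email. The 256-bit token exists only in the
// link and, hashed, in the store. The host and path are assumed placeholders.
func (a *EmailAuth) IssueMagicLink(email string) string {
	token := base64.RawURLEncoding.EncodeToString(randomBytes(32))
	return "https://example.test/auth/callback?id=" + url.QueryEscape(a.issue(email, token)) + "&t=" + url.QueryEscape(token)
}

// IssueOTP returns (id, code). The code is emailed; the id stays in the browser
// session, so the code can only be redeemed from the page that asked for it.
func (a *EmailAuth) IssueOTP(email string) (id, code string) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		panic(err)
	}
	code = fmt.Sprintf("%06d", n.Int64())
	return a.issue(email, code), code
}

// Redeem checks a presented secret and, on success, returns the verified email
// and burns the challenge so the same link or code cannot be used again.
func (a *EmailAuth) Redeem(id, secret string) (string, error) {
	p, ok := a.store[id]
	if !ok || p.used || a.now().After(p.expires) || p.attempts >= a.maxAttempts {
		return "", ErrInvalid
	}
	got := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(got[:], p.hash[:]) != 1 {
		p.attempts++ // without a cap, a 6-digit code falls to about a million guesses
		return "", ErrInvalid
	}
	p.used = true
	return p.email, nil
}

func main() {
	a := NewEmailAuth(10*time.Minute, 5)
	link := a.IssueMagicLink("alice@example.test")
	u, _ := url.Parse(link) // what the callback handler receives
	id, tok := u.Query().Get("id"), u.Query().Get("t")
	email, err := a.Redeem(id, tok)
	fmt.Println("first click:", email, err)
	_, err = a.Redeem(id, tok)
	fmt.Println("second click:", err)
}
```

One deployment detail matters for the single-use property: have the callback page do nothing on GET and redeem only on a user-initiated POST, otherwise a mail gateway or link preview that fetches the URL will consume the link before the user ever clicks it.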

Having worked on a subscription platform skewed toward older, less accessible users, I’ve seen the upside of magic links. As long as the user’s email can be accessed, magic links are familiar and convenient.

In fairness to magic links, they can also be useful for other specific functions, such as first-time login, password reset, and delegating guest access.

However, the primary downside of magic links, as with Email OTP, is, again, email.

Users are forced to leave their browser or app, access their email, and wait for the email to arrive.

This is certainly not convenient as a primary sign-in method.

Pros

  • Reasonably secure (as long as the mailbox is not compromised and the link is single-use and short-lived).
  • Great for specific functions.
  • Reasonably accessible.

Cons

  • A complete misuse of email as a tool.
  • More redundant emails in your inbox.
  • It is inefficient for super users if it is the only form of authentication.
  • It requires the user to leave their browser and access their email, which in certain circumstances is not easy, or not possible at all.
  • Corporate mail gateways and link previews that fetch URLs can consume a single-use link before the user ever clicks it, unless the landing page only redeems the link on a user action.

And… 5. Passkeys

Passkeys didn’t make the Clerk study, though it’s essential to mention them because they are our passwordless future.

Passkeys let you authenticate with a device you already hold, such as your phone or laptop.

A passkey is a public/private key pair. The private key never leaves your device (or, for synced passkeys, the passkey provider that syncs it between your devices), and the key is bound to the domain it was created for, so a lookalike phishing site cannot ask your device to use it.

The website or service you are accessing holds only the public key, which can verify your signature but cannot be used to sign in as you: a breach of the site’s user table leaks nothing that gives an attacker access to your account.

Your device holds the private key, and it is unlocked only after you verify yourself locally with:

  • Biometrics such as facial recognition or a fingerprint.
  • A PIN code or swipe pattern.
  • A physical security key, which holds the private key itself and is unlocked by a PIN or a touch.
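The exchange described above, modelled in Go as an added example (not code from the article or from any passkey provider): registration leaves only the public key with the site, login signs a fresh server challenge together with the hash of the relying-party id, and the device will only use a key for the origin it is actually on. This is a simplified model of the WebAuthn ceremony rather than the protocol itself, and the domain names and usernames are invented.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is the user's device (or passkey provider): one private key
// per relying-party id, i.e. per site domain. It never hands a private key out.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register creates a key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = priv
	return pub
}

// Assertion is the device's login response: rpID, the challenge it saw, and a
// signature covering both.
type Assertion struct {
	RpID      string
	Challenge []byte
	Signature []byte
}

// signedMessage mirrors WebAuthn, where the signed authenticatorData begins
// with SHA-256(rpID) and the challenge is bound in through the client data hash.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Sign is what happens on "Use passkey": the browser passes the origin the user
// is really on, and only a key registered for that origin can be used, so a
// lookalike domain gets nothing.
func (a *Authenticator) Sign(origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no passkey registered for " + origin)
	}
	sig := ed25519.Sign(priv, signedMessage(origin, challenge))
	return &Assertion{RpID: origin, Challenge: challenge, Signature: sig}, nil
}

var ErrAuth = errors.New("passkey authentication failed")

// RelyingParty is the website. It stores public keys only.
type RelyingParty struct {
	rpID       string
	pubKeys    map[string]ed25519.PublicKey // username -> registered public key
	challenges map[string][]byte            // username -> outstanding challenge
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) Enrol(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// BeginLogin issues a fresh 256-bit challenge, remembered so it is consumed once.
func (rp *RelyingParty) BeginLogin(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[user] = c
	return c
}

// FinishLogin verifies the assertion with the stored public key, which can only
// verify and never sign: a breach of pubKeys gives an attacker nothing.
func (rp *RelyingParty) FinishLogin(user string, assn *Assertion) error {
	pub, haveKey := rp.pubKeys[user]
	want, haveChallenge := rp.challenges[user]
	delete(rp.challenges, user) // consumed whether or not verification succeeds
	if !haveKey || !haveChallenge || assn == nil || assn.RpID != rp.rpID || !bytes.Equal(want, assn.Challenge) {
		return ErrAuth
	}
	if !ed25519.Verify(pub, signedMessage(rp.rpID, want), assn.Signature) {
		return ErrAuth
	}
	return nil
}

func main() {
	device, site := NewAuthenticator(), NewRelyingParty("login.example.test")
	site.Enrol("alice", device.Register("login.example.test"))
	assn, _ := device.Sign("login.example.test", site.BeginLogin("alice"))
	fmt.Println("genuine login:", site.FinishLogin("alice", assn))
	fmt.Println("replayed assertion:", site.FinishLogin("alice", assn))
	_, err := device.Sign("login-example.test", site.BeginLogin("alice"))
	fmt.Println("lookalike domain:", err)
}
```

Three things to notice: the challenge is deleted before verification, so a captured assertion cannot be replayed; the signature covers the rpID hash, so an assertion cannot be re-labelled for another site; and the server's store contains nothing an attacker could sign with.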

Passkeys are less utilised than initially predicted, though uptake will grow as more websites offer passkey sign-in.

The challenge is that passwords are ingrained for most users, and in fairness, most users are unaware of what passkeys are or how they work.

Though it is just a matter of time.

Pros

  • The gold standard of security: phishing-resistant by design.
  • No separate 2FA step: the device (something you have) and the local biometric or PIN (something you are or know) already give you two factors.
  • No passwords to remember, and with discoverable credentials no need to type a username or email to sign in.

Cons

  • Device-bound passkeys (for example on a hardware security key) live on that one device, though you can register several devices, each with its own key; synced passkeys roam only within one provider’s ecosystem.
  • Passkeys have historically not been portable between providers (e.g. Apple Passwords → 1Password); for device-bound keys that is by design.
  • It’s not as fast as some other sign-in strategies.

Sign-in conclusions

From the Clerk study, observation and experience, we can draw some conclusions on your possible sign-in strategy:

  • Time is money, and any sign-in strategy exclusively relying on email cannot be recommended. The numbers are clear: Signing in with Google is almost 15x faster than a magic link.
  • Moreover, requiring users to exit the sign-in flow and access their email (if they can access it) means breaking the flow, with the risk that users ultimately cannot or do not sign in.
  • Interestingly, the Clerk study theorised that the 14-second gap between Email OTP and magic links was due to magic links forcing users to change tabs, whereas an Email OTP can be read from a notification. 14 seconds is a big deal, and if one-time access is essential to your product, Email OTP is the better strategy.
  • For specific functions or to help customer service login users, magic links have a role.
  • Otherwise, magic links just aren’t that magic.
  • Sign-in with Google (or another identity provider) is your best default for authenticating users. If you can enable passkeys, do that too.
  • Usernames and passwords have to go.
