Magic Link Authentication Using Asgardeo
- Theviyanthan Krishnamohan
- WSO2
Passwords are becoming obsolete, and the tech world is exploring a range of technologies that let users log in without passwords. In a previous article, we discussed the perils of passwords and how FIDO2 can help us go passwordless. However, FIDO2 is no silver bullet; it comes with its own caveats. Magic link is a viable alternative for those who do not want to use FIDO2. This article discusses magic link in detail and demonstrates how to use it with Asgardeo.
FIDO2 is not for everyone
Even though FIDO2 offers a robust alternative to passwords by allowing users to log in with security keys and biometrics, not all enterprises can afford to provide their employees with security keys or biometrics-enabled devices. This could dissuade such enterprises from going passwordless. Magic link offers these enterprises an easy and effective solution by logging users in with the age-old and ubiquitous technology of email.
The concept of magic link is simple. A user first enters their username and receives an email containing a link. When the user clicks the link, the application logs them in. However, no standard governs magic link, so implementations differ from application to application even though the concept remains the same. For instance, some implementations let you initiate the login flow in one browser and complete it by clicking the link in another. Others require you to use the same browser to initiate and complete the login flow.
In Asgardeo’s case, a user must use the same browser to initiate and complete the login flow, because the link is bound to a browser cookie. This enhances security: an attacker who gains access to a user’s inbox, but not to the browser session that started the flow, cannot use the link to log in to Asgardeo.
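To make the two properties just described concrete, here is a small server-side model added for illustration; it is not Asgardeo's code (the page does not show Asgardeo's internals), and the callback URL, parameter names and in-memory store are assumptions. It issues a link together with a browser cookie, and accepts the link only within five minutes, only once, and only when presented from the browser that holds that cookie.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 300  # the five-minute validity window the article describes
CALLBACK_URL = "https://app.example.invalid/magic"  # assumed placeholder, not an Asgardeo URL

def _digest(value: str) -> str:
    # Only hashes are stored server-side, so a leaked table yields no usable link or cookie.
    return hashlib.sha256(value.encode()).hexdigest()

@dataclass
class PendingLogin:
    email: str
    token_digest: str   # hash of the secret embedded in the emailed link
    cookie_digest: str  # hash of the cookie set on the browser that started the flow
    expires_at: float

class MagicLinkService:
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised deterministically
        self._pending: dict[str, PendingLogin] = {}

    def start_login(self, email: str) -> tuple[str, str]:
        # Step 1: the user submits an identifier. Returns (link to email, cookie for the browser).
        login_id, token, cookie = (secrets.token_urlsafe(n) for n in (16, 32, 32))
        self._pending[login_id] = PendingLogin(
            email, _digest(token), _digest(cookie), self._now() + LINK_TTL_SECONDS)
        return f"{CALLBACK_URL}?id={login_id}&token={token}", cookie

    def complete_login(self, login_id: str, token: str, cookie: str):
        # Step 2: the link is opened. Returns the email on success, None on any failure.
        pending = self._pending.get(login_id)
        if pending is None or self._now() > pending.expires_at:
            self._pending.pop(login_id, None)  # an expired link is discarded, not retried
            return None
        # Both secrets must match: the one from the inbox AND the one from the browser.
        if not (hmac.compare_digest(pending.token_digest, _digest(token))
                and hmac.compare_digest(pending.cookie_digest, _digest(cookie))):
            return None
        del self._pending[login_id]  # single use: a replayed link fails
        return pending.email

def parse_link(link: str) -> tuple[str, str]:
    # Extract (login_id, token) from an emailed link, as the callback handler would.
    query = parse_qs(urlparse(link).query)
    return query["id"][0], query["token"][0]
```

A link opened from a browser without the cookie is rejected even though the link itself is genuine, which is the property that makes inbox access alone insufficient.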
Configuring magic link
Now that we have some information about magic link, let’s see how we can configure an application to use this in Asgardeo. First, let’s create a Single-Page Application (SPA) in Asgardeo. If you are new to Asgardeo, you can learn more about creating a SPA in this article. Once you have created a SPA, click on the “Sign-in Method” tab to configure the login flow.
To make life easier for you, we have offered pre-configured login templates under the “Build your own login flow” section. Select the “Add Magic Link login” template under “Passwordless Login” to add magic link login to your application.
Once you click on this template, Asgardeo will take you to the “Customize Sign-in Method” page. Here, you will be able to customize the login flow.
As you can see, the template has automatically added the “Identifier First” authenticator to the first step and the “Magic Link” authenticator to the second step. This means that a user will be prompted to enter their email address in the first step, and the second step will send an email containing a link to the user’s inbox. Click on the “Update” button to save the flow.
Try out the magic link flow
Now, let’s try to log in to an application to see how this flow works. First, Asgardeo will ask you to enter the email address of an Asgardeo customer account.
Once you enter your email, Asgardeo will email you a link and redirect you to the notification page.
Please note that the link is valid only for five minutes, and you have to open it in the same browser you used to initiate the login flow.
Now, check your inbox to see if you have received the email. Sometimes, your email provider might mistakenly flag this email as spam. So, if you don’t receive the email, check your spam folder as well.
Once you open the email, you can find the “Sign In” button. Click on this button to log in to Asgardeo.
And just like that, you have configured magic link in Asgardeo and logged in using it. With magic link, we have not only eliminated the use of passwords, but we have also made sure that even enterprises that cannot afford to provide their users with security keys and biometrics-enabled devices can still use passwordless login.