Ask HN: Magic links are bad UX and make people's lives worse. Change my mind
Click login, get sent an email link that you have to first wait to be delivered (sometimes takes a full minute, sometimes you have to resend the link).
Sometimes the link goes to spam, sometimes you have to search for it like a needle in a haystack of other notifications.
Sometimes you are not logged into your email on that device, or it's a small screen that makes it a pain.
Maybe it's my mother, and she now has to go find where she wrote down her email password because she still can't figure out that 1Password thing I set up for her. Also, she does not have 1Password on this computer (maybe it's a public library).
All this pain because a developer did not want to bother with authentication.
Many, many products are like this nowadays, but the worst offenders are developer tools and OSS projects, and it looks like the justification is just that: they just wanted to scratch their itch for a specific feature, so why bother with auth when there is Google.
Am I crazy?
Magic links take the 'I forgot my password' workflow, and:
1. Stop labelling it with a confession.
2. Stop forcing the user to reset their password when they demonstrably don't have their password manager ready to store it. [Whether that be 1Password, or just autofill in google chrome]
As the only auth method, it isn’t great. As an option? I wish it were universal. Anything other than those or passkeys creates more issues in your mum's case. And passkeys are new.
(That said – If we’re distinguishing between magic links and email OTPs, there’s really no good reason not to have both in the same email, and the latter is better for the public library use case.)
If one doesn't want to regenerate passwords, don't log people out. The only reason this "workflow" works is that email sessions work for years, sometimes decades, without nagging users to re-login.
Sites, do yourself a favor and store active sessions indefinitely, and the only password-dealing scenario you'll ever see will be (1) at sign-up, once per user, or (2) when users clear cookies, which the login-problematic types rarely do for obvious reasons.
95% of my family password support is the sites that log them out on their own.
Edit: grammar/pronouns
Exactly, this isn't an either/or: allow both password and magic link login.
Thanks for the comments. This is a strange feeling. I rarely feel so at odds with the general opinion.
My experience is, passwords are a 1 second affair: open website, tap credential highlighted by password manager, trigger Face/Touch ID or whatever exists on Android/Windows, done.
Email experience: open website, click login, get some link, go to another app, wait for it to pull emails, look for email, open email, click link, opens in browser, maybe not the same browser where you opened the app, so go back and copy link, realize copying links from email buttons is not easy on mobile, finally login.
If this is where you guys want this to go, it sucks. How can we improve it? Maybe we need to implement some way to do what Apple does when you get a 2FA code via SMS? It just shows it to you in app instead of having you open the Messages app?
We have passkeys… unfortunately it doesn’t seem like the narrative really took hold in the mainstream.
I’ve been building an app with passkey auth as the default and people are surprised that such an experience exists.
Can you explain what stack you use to build it? Do all of them support it easily?
Someone posted about this the other day and pointed out an even more annoying problem than the ones you list:
It forces you to look at all your unread emails - and you invariably get distracted by some OTHER email that seems important, when you were trying to log into a website to achieve some totally different important thing.
I think it's more than convenient to click on a link and be logged in. No account creation, no risk of leaking hashes/pwds/info. I don't have to remember what password is used where (minimizing the risk of one big password for all sites), no monolithic mammoth authentication systems with single/multiple points of failure, no auth gatekeepers.
The problems with passwords you mention are valid. But the same situation will happen for authentication - your mom can't remember her email account's pwd, but then you want her to remember Facebook, Google and all the other services' pwds?? Just think about what the difference is between "remember email pwd" and "remember 1Password pwd"?? Absolutely no difference.
So, while I understand your points, I think magic links are the easiest, most failure-proof and user-friendly way to verify the user.
Another point is: onboarding is very fast. The new user doesn't even need to bother with input of pwds, verification, etc ...
For me:
Please, no account creation in the old style. Give me magic links. Implement a 2nd factor to check if necessary, but just let passwords dieeeeee
> Maybe it's my mother, and she now has to go find where she wrote down her email password because she still can't figure out that 1Password thing I set up for her. Also, she does not have 1Password on this computer (maybe it's a public library).
This is exactly the reason people use magic links - passwords are painful.
I generally don't mind having one or the other, so either password or magic link. What I can't stand is having both in the same login flow:
- Enter your email
- Get sent a magic link
- Open magic link
- Continue and enter your password
- Enter your 2FA as well
- Smash computer
Passwords aren’t painful if you have good tools for them, such as password generators/managers. What is painful is all of the sites that break them by making you change your password periodically, requiring particularly obtuse sets of characters, or prohibiting certain characters like ‘ or \ (if you have to confess that kind of malpractice, just fire your IT already).
I disagree. It's easier to get the non-technical in my life to remember one password than many. And most of them can't even manage that. I too have failed many times with 1Password. It's literally one password and they can't remember it. It makes me understand why I keep seeing new email addresses: the moment their phone dies, they are out of luck because they don't remember their email passwords. At least a magic link is one less password for them to forget.
I think they’re better for most users without a password manager. I don’t see how your mother example would have a better experience with another password to remember.
My take,
Low security should use passwords. None of that fancy &@73gdb-Whb stuff. Just a regular word. Suitable for Netflix and meditation apps that want a basic login to prove that you paid.
Medium security should use magic links and a simple password that you don't need to write. If you lose your email, the password prevents hackers from taking over your app. If you lose your password, hackers can't take over your device. Suited for something like social media or MMOs, which are targeted very often.
High security might need proper 2FA with an auth app, password rotation, stuff like that. Probably shouldn't be necessary unless there are constant active attempts to hack. Everyone gets attacked, especially in the era of AI, but I'm saying at least 10 attacks a day.
You can also layer on extra levels of security, but IMO that's about the level you should expect from users.
I agree. It takes the user out of their intended action (using your product) and puts them somewhere distracting (their email).
I've also seen it confuse users who aren't used to it.
It's great from a tech/security perspective but I wouldn't put it into my own product for those reasons. I definitely would not make it the only login mechanism.
Microsoft needs to be investigated for aiding and abetting the defrauding of the elderly and the feeble-minded by leaving password management to third-party hacks instead of creating an integrated, always-available solution like Apple’s Keychain.
Given the absolute security tire fire that was Recall, I would absolutely not trust any password management solution blessed by Microsoft.
Personally I'm frustrated how most companies followed the lead of the likes of Google, and effectively tied security of your account on their website to that of your email.
If you control the email address signed up with, you have "god" access to the account (can perform password resets, etc). They essentially outsourced security to your email provider.
But some of us would prefer to keep more separation between their email accounts and other services. E.g. if my email's hacked, I don't want that to pwn my other stuff.
2FA helps but often there are ways around it if you control the email account.
It's the worst login system, especially when passkeys are easily available now.
- Great way to confirm that an email address is valid
- People tend to use bad passwords
- People tend to forget passwords (you need to write a whole password recovery flow, etc.)
- You always have your smartphone with email close to you
- It's way easier than 2FA with Authenticator and cheaper than SMS
- You limit password sharing for your service
This is a great list of reasons it’s better for the provider of the service.
But it isn’t better for the user of the service.
How do you feel about one time login code sent via email?
Does not get prefetched, does not require a click (if at the library, you can check your email on mobile and simply type the number), no need to remember anything, does not get marked as a malicious link by anti-fraud software.
My problem is the number of steps and hoops to do something that used to be very fast. I feel like this is the opposite of what we engineers are supposed to offer our users. I get that it is very secure, but I don't think this is a good compromise. Login should not be a chore. I should be minimally aware of it and still safe. That's my ideal experience.
This happens when customer support spends too much time on password resets. As soon as someone in CS says "we need to hire another person, too many password resets" you get magic links. Bad number go down, good number go up.
It's really easy for us nerds to write off how confusing, cumbersome, and frustrating passwords are for most people.
It doesn't need to be either/or. "Forgot your password" could link to the magic link flow.
It's simply not secure. Whoever controls my email now controls everything.
So I avoid any service where this is an option.
Isn't that the case anyway? If someone else has control of your email account they could reset your password.
I absolutely love magic links. But I also love email, as a technology. I find it so reliable and robust, I genuinely think more things should be built on email.
As with all things, you need to know your audience. If you are making a product for people over 60, probably a simple username/password would work best.
MFA generally sucks for user experience. I took some convincing, but passkeys seem to be the best compromise.
Bad implementations of username/password degrade to magic links.
You're not. Foreshadowing my Claude subscription with email-only login... I want a password every day.
It helps put bots at bay.
Not wanting to use Google (or any third party) is a reasonable reason for me.
Magic links and 2FA are terrible. "muh security" bah. I have Bitwarden, let me 1-click paste in my behemoth login and password. I don't want to 2FA either. Your crusty SaaS does not warrant 2FA!!!