Passwords are dying. The cost of creating and maintaining passwords is becoming untenable. Which can be seen in the rise of users logging in with social products and developers outsourcing their pain to Auth0 and the likes. We decided to sidestep the password based authentication and went passwordless on our new product. Read on to see how you can go passwordless too.

The cost of passwords

Passwords create too much friction for users. It’s becoming difficult to come up with passwords that satisfy the ever growing password strength requirements - minimum 9 characters, 1 number, 1 upper case, 1 special character etc. And with the rise of data breaches where hackers steal and sell password data on the internet, passwords are only really effective when you don’t repeat them across different services. Which means you have to remember unique passwords or use a password manager.

Passwords are even more painful for developers to build and maintain. Imagine the work - 4 forms (signup, login, reset password, send forgot password link), storing passwords securely, managing email service providers for deliverability and spam scores. All this work just for the auth, which is not your core product and not what users come to you for.

Magic links, the solution to the password problem

An elegant solution to this mess is authenticating users using magic links sent on email. We all use email anyway as a core part of our online identity and authentication. So instead of logging in with email and password, you enter your email and get a login link sent to you. You might have seen Slack do this.

Slack popularised magic links for logging in
Slack popularised magic links for logging in

How we went passwordless with magic link

When we were building our new product, we didn’t want to spend time building full blown password auth, so we decided on using magic links. And although the work involved building a magic link system is less than traditional auth, it is still valuable developer time spent on non-core plumbing. After some research, we found Magic which provides magic links as a service. We loved the focus on security (the founders have built a security product in the past), the good design and the developer friendly docs.

The implementation involves a client SDK (for web and mobile) for showing the Magic overlay (screenshots below) and server code for managing sessions. We used the sample code provided to implement this.

The user experience of magic links

Login form

Incident timer - Sign up and Log in form
Sign up and Log in form

Email

Incident timer - Magic link email
Magic link email

You can try out the experience for yourself on our new product. It’s a free timer for developers to keep track of major software incidents, built by the team who also built the simple incident alerting product for developers.

Conclusion

After using magic links as a developer and as a user, I loved the experience. There are still some hiccups as with any new technology, but overall this looks like the future. And I am quite excited to watch it unfold!