"Also, magic links need to be designed so that I can login on my PC, and click the link on my phone, and be logged in on the PC."

I feel that way too - I hate it when I'm trying to log in on desktop and the email shows up as a push notification on my phone.

The problem is what happens if someone enters someone else's email address and that person unwittingly clicks on the "approve" link in the email they receive. That only has to happen once for an account to be compromised.

So now you need "enter the 4 digit code we emailed you" or similar, which feels a whole lot less magical than clicking on a magic link.

Presumably there are well documented patterns for addressing this now? I've not spent enough time implementing magic links to have figured that out.

> someone enters someone else's email address and that person unwittingly clicks on the "approve" link

Eh? In a sane magic link system, clicking the magic link grants the clicker access to the account. Right then and there, in the browser that opened the link.


I would argue that a magic link system has to only allow the click-through to grant access on the machine that initiated the login flow.

If I enter my email in SomeSite, they send a magic link to my email address, and then Mallory intercepts that email and gains access to my SomeSite account just by opening the link (i.e. the link acts as a bearer token), that's completely broken.
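The session-bound flow the comment above argues for, as an added example (not code from any commenter or site mentioned in the thread): the emailed link never acts as a bearer token, it only approves a pending login, and only the browser that started the flow (identified by a cookie it alone holds) is issued a session. A short code shown in the initiating browser and typed on the link page also covers the earlier concern about someone unwittingly approving a login they did not start. Function names and the in-memory store are assumptions for this illustration.

```python
# Added example: magic link that completes login only in the initiating browser.
# In-memory store and function names are hypothetical, not any real product's API.
import hashlib, hmac, secrets, time

PENDING = {}   # login_id -> pending login record
TTL_SECONDS = 600

def start_login(email):
    """Browser A submits an email. Returns (login_id, browser_secret, link_token,
    display_code). browser_secret is set as a cookie in Browser A only; link_token
    is embedded in the emailed link; display_code is shown on Browser A's screen."""
    login_id = secrets.token_urlsafe(16)
    link_token = secrets.token_urlsafe(32)
    browser_secret = secrets.token_urlsafe(32)
    display_code = f"{secrets.randbelow(10000):04d}"
    PENDING[login_id] = {
        "email": email,
        "token_hash": hashlib.sha256(link_token.encode()).digest(),
        "browser_secret": browser_secret,
        "code": display_code,
        "approved": False,
        "created": time.time(),
    }
    return login_id, browser_secret, link_token, display_code

def click_link(login_id, link_token, typed_code):
    """Any device opens the emailed link and types the code shown on Browser A.
    This never creates a session; it only marks the pending login approved, so
    an intercepted email alone (the bearer-token failure) grants nothing."""
    p = PENDING.get(login_id)
    if p is None or time.time() - p["created"] > TTL_SECONDS:
        return False
    token_ok = hmac.compare_digest(
        hashlib.sha256(link_token.encode()).digest(), p["token_hash"])
    code_ok = hmac.compare_digest(typed_code, p["code"])
    if not (token_ok and code_ok):
        return False
    p["approved"] = True
    return True

def complete_login(login_id, browser_secret):
    """Browser A polls with its cookie. A session is issued only to the browser
    holding browser_secret, and only after the link was clicked. Single use."""
    p = PENDING.get(login_id)
    if p is None or not p["approved"]:
        return None
    if not hmac.compare_digest(browser_secret, p["browser_secret"]):
        return None
    del PENDING[login_id]
    return {"email": p["email"], "session": secrets.token_urlsafe(32)}
```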


If someone has access to your email, they can recover passwords to everything. Email is the master key, treat it that way.


Use MFA and that is not the case.

If email is your master key to everything I would worry.


I assure you, most systems - even ones with MFA - can be reset via email.


That's a bit weird for me: I sat down at my laptop and attempted to sign into a site on my laptop, and at the end of the sign-in flow I'm not signed in on my laptop, I'm signed in on my phone.
