
Adding to the article:

I seriously HATE magic links. My email inbox is barely better than a social network's time suck. Lots of urgent, little important, wrecks any flow I had.

Forcing me into my inbox is highly likely to cause me to forget about the reason I was there (to get into your app). Or, at best, it slows me way down and nearly always breaks my flow.

Perhaps this is acceptable for the security boost (?) for the average user, but man, when I get forced into magic links I sometimes just abandon the app altogether.

Disclaimer: 1. I have/pay for a password manager, which helps with the forgotten password problem a lot. It also allows me to have extremely hard-to-crack passwords.



Totally agreed - a correctly used password manager is many, many times easier and faster to use than so-called magic links. It's not even a contest.

I'd even say magic link emails border on misuse of email; they're a fundamentally different form of communication from all other uses of email. It's not easy on neurodivergent brains to deal with that combination of pollution (magic links in my inbox) and distraction (actual emails in my face when I'm trying to log in and was not trying to check my email). Protonmail's client could really make my day if they found a way to reliably separate those 2 channels so I didn't have to even open my inbox to get login codes/links.

What I don't understand is why I've never been prompted to use a password manager by any site with a signup flow. It seems easier to normalize their use through messaging than keep acting like passwords are supposed to be something you consciously remember. Nobody should remember their passwords, except for maybe 2-3. But now we're moving toward a world where login just means more friction and less control instead...


Trying to explain to users of an unrelated site how to use a password manager sounds like a support nightmare.


That is a very good point! You'd have to be careful to craft the messaging so that it doesn't imply you can help troubleshoot the password manager.

But something simple could work. Already you usually have a note under a password field, "Must contain at least 8 characters and at least one special character" or something to that effect. It could also have some note about "We suggest a randomly generated password from your password manager."

I'm not building this out so I don't need every hole poked in the idea, just seems like it could work.


If someone is going to do this, 'At least one special character' etc. is not the way to do it. According to OWASP guidelines, a secure password must enforce a minimum length but not any other specific criteria, because they actually end up reducing password strength. Instead, the best option is to add a password strength indicator below the password entry field, to encourage the user to create a strong password. The help text can also mention using a password manager but it's difficult to do in a good way.
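Added example (not part of any comment in this thread): a sketch of the signup-form logic the comment above describes, where only a minimum length is enforced and a strength indicator is advisory, set beside the "one special character" rule from the quoted help text. The function names, score thresholds, word list and sample passwords are assumptions constructed for illustration; the scoring is a simple heuristic, not a production estimator.

```javascript
// Added example; names, thresholds and the word list are illustrative assumptions.
const MIN_LENGTH = 8; // the "at least 8 characters" figure from the thread
const COMMON_BASES = new Set(["password", "qwerty", "letmein", "welcome", "admin"]); // constructed sample

// Composition policy from the quoted help text: length plus one special character.
function passesCompositionRule(pw) {
  return pw.length >= MIN_LENGTH && /[^A-Za-z0-9]/.test(pw);
}

// Length-only policy: the single rule that is enforced.
function passesLengthOnly(pw) {
  return pw.length >= MIN_LENGTH;
}

// Size of the character pool the password draws from.
function poolSize(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += 33;
  return pool;
}

// Advisory score 0 (very weak) to 4 (strong); shown to the user, never enforced.
function strengthScore(pw) {
  if (pw.length === 0) return 0;
  // A common word with digits or symbols appended is still a common word.
  const base = pw.toLowerCase().replace(/[^a-z]+$/, "");
  if (COMMON_BASES.has(base)) return 0;
  const bits = pw.length * Math.log2(poolSize(pw));
  return [28, 36, 60, 80].filter((t) => bits >= t).length;
}

function evaluate(pw) {
  return {
    compositionRule: passesCompositionRule(pw),
    lengthOnly: passesLengthOnly(pw),
    score: strengthScore(pw),
  };
}

// Constructed sample inputs.
for (const pw of ["Password12!", "tk9vq2mzr7hx4bwpcj6d"]) {
  console.log(pw, evaluate(pw));
}
```

The composition rule accepts the predictable sample and rejects the 20-character random one, while the length-only policy accepts both and leaves the indicator to show score 0 against score 4.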


One of my pet peeves is when rules counteract the purpose they are supposed to serve, usually because of incompetence. Two years ago, I worked for a few months for a company where time reporting was accessed through a specific web page.

They required the password to be changed monthly, have at least 10 characters, at least one number and at least one special character. On top of that – they locked out password managers and pasting. "We need to make sure you are the one logging in and not a hacker that hacked your password manager" they explained when I asked.

Out of spite I went for "Password12!" the first month and "Password123!" the month after, at which point I received an email from the IT department explaining to me that my choice of password was endangering the corporation's security.


> I received an email from the IT department explaining to me that my choice of password was endangering the corporation's security.

Sounds like they were logging/storing passwords in plaintext.


Or offline cracking passwords using a wordlist.


Isn't it nice that hackers give up as soon as they realize they can't paste the password in?

And password managers (KeePassXC anyways) have a pretty nifty auto-type feature that gets around that anyways.


Have you heard of the Cobra Effect?


You can tell them to write their password on a piece of paper in their drawer. Seriously.

Many home users are pretty good about protecting important scraps of paper. The government gives us plenty to hold onto. Even if they’re a grandma that doesn’t understand all this password manager mumbo jumbo, they can deal with a notebook and be better off than using the same password on every site.


Magic links breaking my flow is my top issue as well. My inbox is distracting: don't send me there. One affordance I've seen was a site that detected I was using Gmail and crafted a link like https://mail.google.com/mail/u/0/#search/example.com, which brought me directly to the email I needed, while hiding everything else. I think it did an MX lookup to guess my provider.

I wish magic links would go away, but if they need to stay, that approach was the least terrible.


Good point! I've seen this search link setup before and it was... somewhat palatable. Still more bad than good but at least better UX.


I use magic links for my enterprise application. In my humble opinion I believe magic links are fine.

Almost everyone outside of some HN users uses email regularly. They have it open on a second monitor and it is an important part of their workflow.

If their companies are not super tech savvy and not using SSO, the users probably at least have a company email address they’re logged into.

I don’t think it’s worth over-optimizing for a small percentage of users. Worst case scenario you need to contact support.

99% of enterprise users will be fine with magic links, compared to dealing with people who use horribly weak passwords. Most of them seem to prefer them to passwords.

SSO is always the best option if available but magic links are definitely second.



