Please support magic links

[gc-ss]

People have too many passwords and a lot of people don't use a password manager.

Besides supporting Federated identity management, it would be very helpful to have support for magic links.

Example: https://www.youtube.com/watch?v=hMqxo68ZJlw

1. Would it be possible for zitadel to support this style of magic links?
2. Alternately a magic token or phrase can work too
3. If this sounds like a good idea, how quickly can we add support for this style of magic links :)

[livio-a]

Hi @gc-ss

I totally agree on the problem of managing passwords. Actually people without password managers tend to have only a few passwords, which they use nn a lot of websites. This is even a bigger problem.

That's why we are advocate passwordless based on FIDO2 / CTAP2. So people don't have to remember (a potentially weak) password, but can rely on a cryptographically secure mechanism.

Personally, I'd first encourage users to go passwordless using FIDO2. Nearly everyone or at least the majority of people already have a FIDO2 enabled device (any Apple device having TouchID / FaceID, Android devices, Windows Hello, ...). And there are USB keys as well like SoloKeys, Yubikey, ...

But magic links could serve as a second option for a passwordless flow. We would just have to discuss the use cases. It might be a case where people are not allowed to use their (personal) phone at work and don't have a FIDO key.
Who is able to generate a link? Is downgrading possible? By that i mean: If a users registered for FIDO2 passwordless (or FIDO1 / U2F as second factor), creating and using a magic link would weaken the security of this account.

[gc-ss]

But magic links could serve as a second option for a passwordless flow. We would just have to discuss the use cases. It might be a case where people are not allowed to use their (personal) phone at work and don't have a FIDO key

Right - you know more about this market than I do but from my small sample size - very few end users have a FIDO key - unless zitadel supports software OTP like Google/MS Auth - does it?

Who is able to generate a link?

zitadel does based on the option set by the admin for the user. See: https://www.youtube.com/watch?v=hMqxo68ZJlw

If a users registered for FIDO2 passwordless (or FIDO1 / U2F as second factor), creating and using a magic link would weaken the security of this account

True. If user has a registered FIDO key, we could encourage the user not to use the link option through a message or toaster notification. Later when we have more time, we can write more advanced logic.

[fforootd]

Just a sidenote

Right - you know more about this market than I do but from my small sample size - very few end users have a FIDO key - unless zitadel supports software OTP like Google/MS Auth - does it?

Well, Windows Hello, Apple and Android Support this as well.

[Foxtrek64]

I worry about magic links due to my experience with Discord's magic links.

For those unfamiliar, Discord has a system where if you're logged in on your phone and you wish to log in on desktop, you can scan a QR code which is simply a magic link . Their implementation bypasses MFA and is generally very insecure.

The worst part about it is that it's very easy to spoof. Recently, there has been a scam involving these QR codes pretending to be some sort of captcha:

Scanning this QR code sends your logon token to the malicious user, allowing them to turn your account into a bot account. For those who are technical, this scheme fortunately has some very similar attributes to phishing scams, so they should be relatively easy to spot. However, there are a lot of people who simply follow directions without thinking, and like a phishing scam, this is their primary audience.

Personally, I'd first encourage users to go passwordless using FIDO2. Nearly everyone or at least the majority of people already have a FIDO2 enabled device (any Apple device having TouchID / FaceID, Android devices, Windows Hello, ...). And there are USB keys as well like SoloKeys, Yubikey, ...

I would suggest that this a sufficient solution.
For those who do not have a FIDO2 device, one could follow Microsoft's model and, assuming a user has logged in to a specific system in the past (say a website and they have the correct cookie), then auth could be typing a username and responding to a push notification or entering the TOTP code. This would not be a magic link, but it would give you the passwordless authentication method you are looking for.

[gc-ss]

This would not be a magic link, but it would give you the passwordless authentication method you are looking for.

Your concern is well understood. Security depends on the usecase.

If my site shows cat pictures to paying members, and I don't want them to worry about passwords, a magic link that gets emailed to them is good enough.

I agree that a magic link isn't the most secure solution for people who simply follow directions without thinking, but if my usecase is to allow people who simply follow directions without thinking an easy way to login without thinking much, magic links are a great solution.

Since zitadel is an authz solution, supporting magic links is a core feature.

Users of zitadel decide if magic links are a good use for their own usecase. I wouldn't expect a bank to use magic links to allow access to funds transfer but perhaps the same bank can use magic links to send people who have forgotten their bank password to customer support.

[jugrajsingh]

Is there a way we can implement this passwordless login using a pre-authenticated email link.

Without prompting the user to register the device using a security key or Android phone

[fforootd]

Actually that's already implemented and there are two options for this:

• Send an email with a link to pair and onboard a FIDO2 compatible device.
• Request a QR code to pair and onboard a FIDO2 compatible device.

Management API

• AddPasswordlessRegistration
• SendPasswordlessRegistration

User Self-Service

[jugrajsingh]

I have tried this feature but I am referring to a simple authentication mechanism that does not require a FIDO2 compatible device as many people generally don't use mechanism

Mechanism I am looking for Ace to buy pasta requirement of linking or pairing on board FIDO2 compatible device and just authenticate the browser directly maybe a OTP or pre authenticated link.

[fforootd]

Ok, so you think "classic" magic links 😁

[mffap]

Based on feedback from community members, I think soft-onboarding users with Magic Links could be a valuable use case.

Example for soft-onboarding:
App that let's B2B customers invite end-users to RSVP for their event. The customer uploads a list of users to invite. Users receive a personalized (magic) link to RSVP. They are also offered to create an account (social login, usr/pwd, passkeys...) and get access to the platform eg, to manage their profile or bookings.

[honzapatCZ]

I'd say magic links should be alternative to password recovery. Ie do not bypass 2fa.
I personally do no remember password for booking.com, so when logging in you typpe username -> next -> type password/send magic link -> send magic link -> email with link(super long link tho) -> logged in

[mffap]

May I ask why passkeys would not work for you in that case? Do you think magic links would be easier to understand?

[honzapatCZ]

Well magic links are a lot simpler and also passkeys are not available everywhere.

1. My PC cant be used directly for passkeys, I dont have FIDO and having to reach for a phone is nconveniece
2. Just checked, even my android tablet is incompatible

[mffap]

Sure, compatibility is an issue then. Thanks for clarifying!

[francois-travais]

I'm working on a tool for people for whom technology is not really easy (elderly people for exemple) and the FIDO2 solution is way too complex for them. In my case I prefer magic links, event if I know the down sides from a security point of view. Anyway they do not have access to sensitive information, I prefer for them the smoothest experience rather than rock-solid security.

Some of our users are resetting their password for every login attempt...