We’ve opted for a passwordless (or magic link) login mechanism at AskYourData. Rather than building yet another credential management system, we decided to test this alternative approach. Surprisingly, it was easy and fast to implement thanks to Upstash—a Redis-like database service we use for session management. This shift brought significant benefits for both us and our users.
Key Advantages:
- Enhanced Security: No credentials to manage or store, reducing the attack surface for potential breaches.
- Improved User Experience: Users avoid the hassle of creating and remembering yet another password.
Our Auth Flow in a Nutshell
- Users enter their email to request a magic link.
- If valid:
  - A one-time, expiring token is created.
  - An email with the login link is sent.
- On clicking the link:
  - The token is validated.
  - The session is established, and the login token is deleted.
The token is single-use, expires in 24 hours, and doesn’t stick around—making it highly ephemeral.
On our end, not managing usernames or passwords means less risk: even if the list of user emails leaked, there would be no passwords to compromise.
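The flow above, as an added example written for this post (not AskYourData's code, and not Upstash's client library). It assumes an in-memory stand-in for the Redis-like store that offers SETEX and GETDEL semantics, a placeholder login URL, and a captured outbox instead of real email. Two details matter for the security properties the post claims: the token comes from the OS CSPRNG, and only its hash is stored, so a dump of the store cannot be replayed as login links; GETDEL consumes the token atomically, which is what makes it genuinely single-use.

```python
import hashlib
import re
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the post's 24-hour expiry


class InMemoryKV:
    """Stand-in for a Redis-like store (assumption: only SETEX and GETDEL are needed).
    The injectable clock exists so expiry can be exercised deterministically."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._data = {}  # key -> (value, expires_at)

    def setex(self, key, ttl, value):
        self._data[key] = (value, self._clock() + ttl)

    def getdel(self, key):
        # Read and delete in one step, so a token can be consumed exactly once.
        item = self._data.pop(key, None)
        if item is None:
            return None
        value, expires_at = item
        if self._clock() >= expires_at:
            return None  # an expired entry is treated as absent
        return value


def _token_key(token):
    # Store only a hash of the token: a leaked copy of the store then holds nothing usable as a login link.
    return "magic:" + hashlib.sha256(token.encode()).hexdigest()


_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple "is this an email" check


@dataclass
class MagicLinkAuth:
    kv: InMemoryKV
    base_url: str = "https://example.invalid/login"  # placeholder, not a real URL
    sent_mail: list = field(default_factory=list)  # captured instead of sending real email

    def request_link(self, email):
        """Step 1: create a one-time, expiring token and 'send' the link. Returns None for an invalid email."""
        if not _EMAIL_RE.match(email):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.kv.setex(_token_key(token), TOKEN_TTL_SECONDS, email)
        link = f"{self.base_url}?token={token}"
        self.sent_mail.append((email, link))
        return link

    def redeem(self, token):
        """Step 2: validate the token, delete it, establish a session.
        Returns None if the token is unknown, expired or already used."""
        email = self.kv.getdel(_token_key(token))
        if email is None:
            return None
        session_id = secrets.token_urlsafe(32)
        # Session lifetime reuses the token TTL here purely for illustration (assumption).
        self.kv.setex("session:" + session_id, TOKEN_TTL_SECONDS, email)
        return {"email": email, "session_id": session_id}
```

A real deployment would point `kv` at the Redis client, put the session id in a cookie, and rate-limit `request_link` per email address so the mailbox cannot be flooded; none of that changes the token handling shown here.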
What About Trade-Offs?
There are a couple:
- We’re relying on a third-party service for authentication (is that really a problem, though?).
- Users on public computers might find this flow less convenient.