Real-Time Authentication via Embeddable Magic Links


By embedding magic link authentication into existing user workflows there’s an opportunity to significantly improve the way organizations engage with users on the web.

If there were ever an experience that should be “real time” (or at least one click) on the internet, it’s the process of authenticating and engaging with any modern online application. In most instances, however, that is still far from the case. Although progress has been made in recent years, online passwords and other multi-step authentication processes remain a constant of the internet experience. They cause needless friction, leading to frustrated users, lower conversion rates, and stunted company growth.

Developers and companies have worked toward solving the authentication issue since the 1990s. As the internet went mainstream, passwords were the dominant means of identity verification. Users opened more accounts in the 2000s, and password managers that encrypt and store online login information were introduced. These have enjoyed only limited success. A recent poll showed that most users don’t take advantage of existing password managers. As a result, 37 percent of users forget a password at least once a week, increasing the likelihood they’ll abandon a commercial account or leave a purchase incomplete.

In the 2020s, as we begin to embrace passwordless authentication, several resourceful companies are making it easy for any organization’s developers to build and integrate a successful, stress-free, passwordless user experience in hours rather than months. Even with these advancements, password overload is an escalating issue. One study found that between 2019 and 2020 alone—with people spending more time online due to the COVID-19 pandemic—the number of passwords per user jumped 25 percent, from an average of 70-80 to 100.

The upshot: with a ballooning number of passwords, people forget their passwords now more than ever—and faster than you think. According to another recent study, over 20 percent of users report forgetting a newly created password within two weeks. That number climbs to over 70 percent after just a few months. Companies can build a password reset flow, but this leads to the inevitable loop of forgetting the new password, re-using the same passwords, or creating passwords that are easy to guess. The best option is to avoid the problem by going passwordless altogether. What most people don’t know is that in addition to increasing conversion and revenue, going passwordless is also more secure.


The benefits of going passwordless

End users are not trained to recognize and mitigate all the risks of re-using a password across different accounts. Let’s say someone uses the same password for Headspace that he or she uses for a bank account. If Headspace experiences a breach, then the bank account is at significant risk. That’s a major security issue. In addition, due to the password security requirements (capital letter, special character, etc.), users are likely to create a “unique” password but then use it over and over for convenience. A passwordless workflow significantly decreases these risks. 

Going passwordless also enables a more seamless user flow, resulting in improved business outcomes. On average, about 10 percent of active users will pass through the password reset flow each month. Of those, 75 percent will drop out part way through the multi-step process, causing the company to lose customers even before initiating a transaction flow. If companies can eliminate this needless friction, it can result in better user engagement and top-line growth.

In addition, by prioritizing passwordless options such as OAuth logins (sign in with Google/Apple/Facebook/etc.), applications can expect higher conversions and dramatically reduced customer acquisition costs. By going passwordless, companies can both retain existing, high-intent customers and reduce growth-acquisition marketing costs. This is happening thanks to new tools and technologies — passwords are finally being replaced with more secure and convenient authentication flows like email magic links, SMS passcodes, OAuth logins, push notifications, and biometrics. 

From logged-out to logged-in

Despite these advancements, there is an opportunity to make the user authentication and engagement experience even more “real-time” with embedded, invisible authentication. Embeddable magic links (EMLs) offer one promising way to do this, building on the concept of conventional magic links. Essentially, magic links are high-entropy tokens that are appended to URLs to enable new authentication experiences. To use these tokens to power logged-in experiences, developers generate a unique, temporary token for an individual user (identified, for example, by an email address) whenever that user is trying to access an account. The ingenuity of magic links comes from the fact that they offer significant security while also enabling “magical” user interactions where the end-user doesn’t need to take additional actions beyond clicking a link (or button).
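The token lifecycle described above, sketched as an added example that is not code from this article or from Stytch. The function names, the 15-minute lifetime, the in-memory store, and the single-use and hash-at-rest choices are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime for the "temporary" token
_pending = {}                 # sha256(token) -> (user_id, expires_at); stands in for a database


def _digest(token):
    # Only the hash is stored, so a leaked token table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(user_id, base_url, now=None):
    """Create a unique, temporary token for one user and append it to the URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits of entropy
    _pending[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return f"{base_url}?{urlencode({'token': token})}"


def redeem_magic_link(url, now=None):
    """Return the user_id the link authenticates, or None if it must be rejected."""
    now = time.time() if now is None else now
    values = parse_qs(urlparse(url).query).get("token", [])
    if len(values) != 1:
        return None                    # missing or duplicated token parameter
    # pop() makes the token single-use: a second click or a replay finds nothing.
    record = _pending.pop(_digest(values[0]), None)
    if record is None:
        return None                    # unknown, guessed, or already redeemed
    user_id, expires_at = record
    if now > expires_at:
        return None                    # expired tokens are consumed and refused
    return user_id
```

Because the link itself is the credential, its exposure window is bounded only by the lifetime and the single-use rule, so both are enforced on the server at redemption time rather than trusted to the email or SMS client.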

Magic links reduce friction, but the authentication process can be streamlined further by embedding them into various customer communication flows. This is because one of the big shortcomings with authentication today is that our pre-authenticated core accounts (e.g., our mobile phone, browser, and email/SMS inboxes) don’t really talk to other services we interact with on a daily basis, which leads to myriad logged-out experiences. We’re authenticated whenever we interact with our core accounts, but they don’t perform any handshakes with other services that we access through them. For example, if users open a link from their email or SMS inbox, they’ll encounter a logged-out experience the vast majority of the time.

This results in the frustrating experience of having to re-authenticate. Users will be asked to sign in with a password they have likely forgotten, often forced to choose between abandoning completely or enduring a frustrating password reset process. This interaction similarly frustrates businesses because it leads to high-intent users abandoning their funnel.

EMLs help change all that by taking advantage of the fact that whenever users click on emails or texts, they are entering the application from an authenticated inbox (e.g., their email or phone). Embeddable magic links offer a way to associate a user clicking a call-to-action button with an existing account. With this context, developers could either log the user directly into their account or simply use that information to determine the marketing persona of the user engaging with the application and power customized product recommendations.

Another arrow in the authentication quiver

With EMLs, developers can embed authentication into their typical workflows. Common emails such as “view your statement,” “reclaim your abandoned cart,” and “enjoy $10 off” can all lead directly into logged-in experiences with EMLs. By embedding magic link authentication into existing user workflows, such as when a user casually navigates the messages within their email or SMS inbox, there’s an opportunity to significantly improve the way organizations engage with users on the web.

EMLs will be a boon for numerous industries in becoming more secure and increasing conversions, including fintech, eCommerce, gaming, marketplaces, and SaaS. Regardless of the industry, EMLs won’t replace other forms of authentication and onboarding but instead will augment them. New, modern strategies enable developers to choose the most appropriate authentication pathways for their use case and user base. With each option, there are tradeoffs regarding the user experience, security, ease of implementation, and accessibility. With a wider array of options, companies can now more easily strike the ideal balance between protection and frictionless, “real-time” ease of use—and, in many cases, create a secure, engaging connection with users in a single click.

Reed McGinley-Stempel

About Reed McGinley-Stempel

Reed McGinley-Stempel is the co-founder and CEO of Stytch, a company focused on retiring the password. Stytch is the first company that's built a platform for passwordless authentication so that any application or website can embed passwordless sign-up and login flows. He and his co-founder, Julianna Lamb, are building the product they wished they had when they were working on authentication at their previous employers, Plaid and Very Good Security. Together, they build easy-to-integrate and flexible APIs so that developers can focus on building their core products while Stytch does the heavy lifting when it comes to authentication.
