Sometimes the link goes to spam, sometimes you have to search for it like a needle in a haystack of other notifications.
Sometimes you are not logged into your email on that device, or it's a small screen that makes it a pain.
Maybe it's my mother, and she now has to go find where she wrote down her email password because she still can't figure out that 1Password thing I set up for her. Also, she does not have 1Password on this computer (maybe it's a public library).
All this pain because a developer did not want to bother with authentication.
Many, many products are like this nowadays, but the worst offenders are developer tools and OSS projects, and it looks like the justification is just that: they wanted to scratch their itch of a specific feature, so why bother with auth when there is Google.
Am I crazy?
This is exactly the reason people use magic links - passwords are painful.
I generally don't mind having one or the other, so either password or magic link. What I can't stand is having both in the same login flow:
- Enter your email
- Get sent a magic link
- Open magic link
- Continue and enter your password
- Enter your 2FA as well
- Smash computer
The problems with passwords you mention are valid. But the same situation will happen for authentication: your mom can't remember her email account's pwd, but then you want her to remember Facebook, Google and all the other services' pwds?? Just think about what the difference is between "remember email pwd" and "remember 1Password pwd". Absolutely no difference.
So, while I understand your points, I'm thinking magic links are the easiest, most failure-proof and user-friendly way to verify the user.
Another point is: onboarding is very fast. The new user doesn't even need to bother with input of pwds, verification, etc ...
for me:
please no account creation in the old style. Give me magic links. Implement a 2nd factor to check, if necessary - but just let them passwords dieeeeee
As with all things, you need to know your audience. If you are making a product for people over 60, probably a simple username/password would work best.
So I avoid any service where this is an option.
Does not get prefetched, does not require a click (if at the library, you can check your email on mobile and simply type the number), no need to remember anything, does not get marked as a malicious link by anti-fraud software.
It's really easy for us nerds to write off how confusing, cumbersome, and frustrating passwords are for most people.
My experience is, passwords are a 1 second affair: open website, tap credential highlighted by password manager, trigger face/touch id or whatever exists on android/windows, done.
Email experience: open website, click login, get some link, go to another app, wait for it to pull emails, look for email, open email, click link, opens in browser, maybe not the same browser where you opened the app, so go back and copy link, realize copying links from email buttons is not easy on mobile, finally login.
If this is where you guys want this to go, it sucks. How can we improve it? Maybe we need to implement some way to do what Apple does when you get a 2FA code via SMS? It just shows it to you in the app instead of having you open the Messages app.
- People tend to use bad passwords
- People tend to forget passwords (you need to write whole password recovery, etc)
- You always have your smartphone with email close to you
- It's way easier than 2FA with Authenticator and cheaper than SMS
- You limit password sharing for your service
It forces you to look at all your unread emails - and you invariably get distracted by some OTHER email that seems important, when you were trying to log into a website to achieve some totally different important thing.
But it isn’t better for the user of the service.
1. Stop labelling it with a confession.
2. Stop forcing the user to reset their password when they demonstrably don't have their password manager ready to store it. [Whether that be 1Password, or just autofill in google chrome]
As the only auth method, it isn’t great. As an option? I wish it were universal. Anything other than those or passkeys creates more issues in your mum's case. And passkeys are new.
(That said – If we’re distinguishing between magic links and email OTPs, there’s really no good reason not to have both in the same email, and the latter is better for the public library use case.)
Sites, do yourself a favor and store active sessions indefinitely and the only password-dealing scenario you'll ever see will be (1) at sign up, once per user, (2) when users clear cookies, which the login-problematic types rarely do for obvious reasons.
95% of my family password support is the sites that log them out on their own.
Edit: grammar/pronouns
If you control the email address signed up with, you have "god" access to the account (can perform password resets, etc). They essentially outsourced security to your email provider.
But some of us would prefer to keep more separation between their email accounts and other services. Eg. If my email's hacked, I don't want that to pwn my other stuff.
2FA helps but often there are ways around it if you control the email account.
Low security should use passwords. None of that fancy &@73gdb-Whb stuff. Just a regular word. Suitable for Netflix and meditation apps that want a basic login to prove that you paid.
Medium security should use magic links and a simple password that you don't need to write. If you lose your email, the password prevents hackers from taking over your app. If you lose your password, hackers can't take over your device. Suited for something like social media or MMOs, which are targeted very often.
High security might need proper 2FA with auth app, password rotation, stuff like that. Probably shouldn't be necessary unless there's constant active attempts to hack. Everyone gets attacked, especially in the era of AI, but I'm saying at least 10 attacks a day.
You can also layer on extra levels of security, but IMO that's about the level you should expect from users.
I've also seen it confuse users who aren't used to it.
It's great from a tech/security perspective but I wouldn't put it into my own product for those reasons. I definitely would not make it the only login mechanism.
We're just moving the problem
Or when the email service is overloaded and the magic link takes more than 30 minutes to arrive and by the time you open it, it has expired?
You and I use a password manager.
Many don’t. They reuse the same password or create a password and forget it. Both are worse scenarios than a magic link or a one time code.
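As an added example that is not from any commenter in this thread, here is a minimal Python issuer for the "magic link and one-time code in the same email" approach discussed above, with the expiry and single-use handling that the "expired by the time you open it" complaint turns on. Everything in it is an assumption chosen for illustration: the class and function names, the 15-minute lifetime, the five-guess cap on the typed code, and the URL layout in the sample email body.

```python
"""Single-use, expiring magic-link and one-time-code issuer (added example, not from the thread)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumption: 15 minutes; tune to the mail delivery delay you expect
MAX_CODE_ATTEMPTS = 5         # assumption: a 6-digit code must not be guessable by online trial


@dataclass
class PendingLogin:
    email: str
    link_token_hash: str   # only HMAC digests are stored, so a leaked table holds no usable tokens
    code_hash: str
    expires_at: float
    used: bool = False
    code_attempts: int = 0


class MagicLinkIssuer:
    """Issues one login challenge per request, carrying both a link token and a short typed code."""

    def __init__(self, secret: bytes, ttl: int = TOKEN_TTL_SECONDS,
                 now: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._ttl = ttl
        self._now = now            # injectable clock so expiry can be tested deterministically
        self._pending: dict[str, PendingLogin] = {}

    def _digest(self, value: str) -> str:
        return hmac.new(self._secret, value.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str) -> tuple[str, str, str]:
        """Return (login_id, link_token, code). The link embeds login_id and link_token;
        the code is only accepted by the browser session that holds the same login_id."""
        login_id = secrets.token_urlsafe(16)
        link_token = secrets.token_urlsafe(32)           # high entropy: safe to put in a URL
        code = f"{secrets.randbelow(10**6):06d}"         # low entropy: needs the attempt cap below
        self._pending[login_id] = PendingLogin(
            email=email,
            link_token_hash=self._digest(link_token),
            code_hash=self._digest(code),
            expires_at=self._now() + self._ttl,
        )
        return login_id, link_token, code

    def _live(self, login_id: str) -> Optional[PendingLogin]:
        pending = self._pending.get(login_id)
        if pending is None:
            return None
        if pending.used or self._now() >= pending.expires_at:
            del self._pending[login_id]   # expired or already consumed: discard it
            return None
        return pending

    def redeem_link(self, login_id: str, link_token: str) -> Optional[str]:
        """Return the verified email address, or None if the link is unknown, expired or used."""
        pending = self._live(login_id)
        if pending is None:
            return None
        if not hmac.compare_digest(pending.link_token_hash, self._digest(link_token)):
            return None
        pending.used = True   # consuming the link also retires the code of the same challenge
        return pending.email

    def redeem_code(self, login_id: str, code: str) -> Optional[str]:
        """Same as redeem_link for the typed code; too many wrong guesses void the challenge."""
        pending = self._live(login_id)
        if pending is None:
            return None
        pending.code_attempts += 1
        if pending.code_attempts > MAX_CODE_ATTEMPTS:
            del self._pending[login_id]
            return None
        if not hmac.compare_digest(pending.code_hash, self._digest(code)):
            return None
        pending.used = True
        return pending.email


def build_email_body(base_url: str, login_id: str, link_token: str, code: str) -> str:
    """Render both the link and the code into one message (constructed sample layout)."""
    return (
        f"Click to sign in: {base_url}/login/verify?id={login_id}&t={link_token}\n"
        f"Or type this code in the browser where you requested sign-in: {code}\n"
    )


if __name__ == "__main__":
    issuer = MagicLinkIssuer(secret=b"constructed-demo-secret")
    login_id, link_token, code = issuer.issue("alice@example.com")
    print(build_email_body("https://app.example.com", login_id, link_token, code))
    print(issuer.redeem_code(login_id, code))   # alice@example.com
    print(issuer.redeem_code(login_id, code))   # None: the challenge is single use
```

Two design points matter for the failure modes raised in the thread. The typed code exists for the public-library case (read it on a phone, type it into the browser that asked for it), so it is bound to the `login_id` of that browser session and capped at a few attempts, because six digits are trivially guessable otherwise. The link token is long enough that guessing is not a concern, but both forms share one expiry and are consumed together, so a link that arrives late simply fails closed and the user requests a fresh one rather than the server extending the lifetime of a stale challenge.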
X.509 client certificates would be better (especially since the connection already uses TLS, and yet they do not take full advantage of it and instead require TLS for things that do not need it). It doesn't require email, doesn't require cookies, doesn't require JavaScript, doesn't require a web browser, doesn't require Unicode (although it can be used if wanted and commonly is), protects against MITM, allows single sign-on (even without an authentication server, or if the server is down), and the private key can be passworded (without the server needing to know your password; this is handled entirely on the client side). Furthermore, you can store whatever data you want to in the certificate.
Tbh I don’t feel like most providers (including Keycloak) are offering strong, turn-key solutions for this.
The closest I saw to streamlined passkey support that you can host yourself is from Hanko.io - that provider didn’t work for my use case but something to consider.