←back to thread

Ask HN: Magic links are bad UX and make people's lives worse. Change my mind

51 points figassis | 3 comments | 14 Apr 25 12:32 UTC | HN request time: 0.444s | source

Click login, get sent an email link that you have to first wait to be delivered (sometimes takes a full minute, sometimes you have to resend the link).

Sometimes the link goes to spam, sometimes you have to search for it like a needle in a haystack of other notifications.

Sometimes you are not logged into your email on that device, or it's a small screen that makes it a pain.

Maybe it's my mother, and she now has to go find where she wrote down her email password because she still can't figure out that 1Password thing I setup for her. Also, she does not have 1Password on this computer (maybe it's a public library).

All this pain because a developer did not want to bother with authentication.

Many, many products are like this nowadays, but the worst offenders are developer tools and OSS projects, and looks like the justification is just that, they just wanted to scratch their itch of a specific feature, why bother with auth when there is google.

Am I crazy?

1. systoll ◴[14 Apr 25 21:14 UTC] No.43686403[source]
Magic links take the 'I forgot my password' workflow, and:

1. Stop labelling it with a confession.

2. Stop forcing the user to reset their password when they demonstrably don't have their password manager ready to store it. [Whether that be 1Password, or just autofill in google chrome]

As the only auth method, it isn’t great. As an option? I wish it were universal. Anything other than those or passkeys creates more issues in your mum's case. And passkeys are new.

(That said – If we’re distinguishing between magic links and email OTPs, there’s really no good reason not to have both in the same email, and the latter is better for the public library use case.)

replies(2): >>43686893 #>>43689333 #
2. karmakaze ◴[14 Apr 25 22:17 UTC] No.43686893[source]
Exactly this isn't an either/or--allow both password and magic link login.
3. wruza ◴[15 Apr 25 05:43 UTC] No.43689333[source]
If one doesn't want to regenerate passwords, don't log people out. The only reason this "workflow" works is that email sessions work for years, sometimes decades, without nagging users to re-login.

Sites, do yourself a favor and store active sessions indefinitely and the only password-dealing scenario you'll ever see will be (1) at sign up, once per user, (2) when users clear cookies, which the login-problematic types rarely do for obvious reasons.

95% of my family password support is the sites that log them out on their own.

Edit: grammar/pronouns