Engaging users with embedded authentication

Providing developers with the flexibility to build their own unique user experiences is fundamental to how we think about building products. Today, we’re launching a new product, Embeddable Magic Links, to give you the option to own even more of your login and user engagement experiences.

Over the past year, we’ve introduced numerous features that make it easier to onboard and authenticate users, including SMS, email, and WhatsApp one-time passcodes as well as email magic links and OAuth logins.

Embeddable Magic Links are a massive step forward in helping us achieve our mission of eliminating friction on the internet. This feature moves beyond the templated sign-up, login, and invitation magic link emails that we currently power for customers. Those existing templates allow us to abstract away a lot of complexity for customers when it comes to email deliverability, latency, and inbox placement. However, templating also limits customers’ ability to craft new and inventive ways to take advantage of all magic links have to offer, including the ability to embed them into product experiences such as email and text communications with their users.

What are magic links and what’s the value in making them embeddable?

First, it’s helpful to align on what magic links are and what makes them special. At their core, magic links are URLs that carry a high-entropy token, which lets a click stand in for a login. To use them to power logged-in experiences, you generate a unique, temporary token for an individual user (e.g. exampleuser1@gmail.com) whenever they’re trying to access their account, and redeem that token when the link is clicked. The ingenuity of magic links comes from the fact that the URL itself is the credential: as long as the token is unguessable, short-lived, and tied to one user, it offers significant security while also enabling “magical” user interactions where the end-user doesn’t need to take additional actions beyond clicking a link (or button).

By embedding magic link authentication into existing user workflows, such as when a user casually navigates the messages within their email or SMS inbox, we have an opportunity to significantly improve the way we engage with users on the web.

The value of embeddable magic links is best illustrated by considering the user experience that their absence creates today — think about the many different emails your apps and accounts send you on a daily basis, including things like:

  • A promotional email from your favorite clothing brand offering 10% off
  • An email with a link to view your bank or credit card statement 
  • An email from an e-commerce store about your recently abandoned cart
  • A reminder from a grocery delivery app to repeat your weekly purchase

Today, if you click through the various examples like the above in your inbox, the vast majority of the time you’re likely to encounter a logged-out experience. You’ll be asked to sign in with a password you’ve likely forgotten, often forced to choose between abandoning completely or enduring a frustrating password reset process. This interaction similarly frustrates businesses because it leads to a high-intent user abandoning their funnel.

We don’t have to live like this anymore. Today, we’re underutilizing the fact that whenever you click on one of these emails or texts, you’re entering the application from an inbox that the user already had to authenticate to (e.g. your email account or your phone). Embeddable magic links offer a way to associate a user clicking a call-to-action button with an existing account. With this context, you could either directly log the user into their account or simply use that information to determine the marketing persona of the user engaged within your application to power customized recommendations. The next section walks through how this flow works with Stytch.

Stitching it all together

Embeddable magic links become even more powerful when used in conjunction with other Stytch products, because together they allow you to right-size the amount of authentication security depending on the level of access you’re providing to the user that has clicked through the embedded magic link. (Check out the guide in our docs to see how you can augment this product with our other features.)

In many cases, an embedded magic link alone should suffice for your use case. If the user is coming from a recognized device (for example, one that still holds a session or device cookie you issued after a previous full login), you could provide them with full account access. Alternatively, regardless of where they’re coming from, you could instead choose to treat the user as a persona used for marketing purposes and customize general recommendations rather than directly grant account access.

While embeddable magic links are great tools, they’re not invincible. Because the link itself is the credential, anyone who obtains it before it expires or is used can redeem it. Scenarios where you’ll want to be more careful involve situations where a user clicks an embeddable magic link from an unrecognized device. In these cases, there’s additional risk you’ll want to consider when determining the adequate account protection. It’s possible the user has forwarded their unique embedded magic link to a friend (or to an attacker who phished it out of them), or that the message was read from a shared inbox. To safeguard against these instances, you can consider the following options:

  • Ask the user to complete another low-friction authentication method such as an SMS one-time passcode (on mobile, this is especially low-friction due to iOS and Android auto-fill capabilities)
  • You can take a route-based approach to authentication where you distinguish low-sensitivity read access from more sensitive write access. You could withhold two-factor authentication until the user attempts to take a more privileged action.
    • For example, with Stytch’s sessions product, you can set a session when the user clicks the embedded magic link and then escalate them later in the session whenever you want to upgrade their session (for example, if the user tries to change their saved shipping address when checking out or view sensitive information).
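The pieces above (a unique, temporary token per user; a weaker session for an unrecognized device; route-based step-up before a sensitive write) fit together as in the following added example. It is illustrative code written for this post, not Stytch’s SDK or API: the token store, the session levels (“persona”, “read”, “full”), the route policy, the seven-day lifetime, and the assumption that a device id comes from a cookie you set after an earlier full login are all choices made here for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Assumption for this example: an embedded marketing link stays valid for seven days.
LINK_TTL_SECONDS = 7 * 24 * 3600

# Route-based policy: each route names the weakest authentication level that may use it.
# Levels are ordered, so a session holding a stronger level satisfies a weaker requirement.
LEVEL_RANK = {"persona": 0, "read": 1, "full": 2}
REQUIRED_LEVEL = {
    "GET /cart": "persona",            # recommendations for the persona only
    "GET /orders": "read",             # low-sensitivity read access to the account
    "POST /checkout/address": "full",  # sensitive write: requires a second factor first
}


@dataclass
class MagicLink:
    user_id: str
    token_hash: str      # only the hash is stored; the raw token exists only in the email/SMS
    expires_at: float
    purpose: str         # e.g. "abandoned-cart": what this link was issued for
    used: bool = False


@dataclass
class Session:
    user_id: str
    auth_level: str      # "persona", "read" or "full"
    purpose: str


class MagicLinkService:
    """Issues, redeems and steps up embedded magic links (in-memory stores, for illustration)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._links: Dict[str, MagicLink] = {}          # token hash -> link
        self._known_devices: Dict[str, Set[str]] = {}   # user id -> device ids seen after 2FA
        self._now = now

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, purpose: str, base_url: str) -> str:
        # 32 bytes from the OS CSPRNG (256 bits): unguessable, so the URL can act as the credential.
        token = secrets.token_urlsafe(32)
        link = MagicLink(user_id, self._hash(token), self._now() + LINK_TTL_SECONDS, purpose)
        self._links[link.token_hash] = link
        return f"{base_url}?token={token}"

    def remember_device(self, user_id: str, device_id: str) -> None:
        self._known_devices.setdefault(user_id, set()).add(device_id)

    def redeem(self, token: str, device_id: str) -> Optional[Session]:
        """Exchange a clicked link for a session whose level depends on the device it came from."""
        link = self._links.get(self._hash(token))
        if link is None or link.used or self._now() > link.expires_at:
            return None                      # unknown, replayed or expired token
        link.used = True                     # single use: a forwarded copy dies with the first click
        if device_id in self._known_devices.get(link.user_id, set()):
            level = "read"                   # recognized device: grant account read access
        else:
            level = "persona"                # unknown device: personalize only, no account data
        return Session(link.user_id, level, link.purpose)

    def step_up(self, session: Session, otp_verified: bool, device_id: str) -> Session:
        """Upgrade a session to full access once a second factor (e.g. SMS OTP) has been verified."""
        if not otp_verified:
            return session
        self.remember_device(session.user_id, device_id)
        return Session(session.user_id, "full", session.purpose)


def authorize(session: Session, route: str) -> str:
    """Return 'allow', or 'step-up' when the route needs a stronger level than the session holds."""
    needed = REQUIRED_LEVEL[route]
    return "allow" if LEVEL_RANK[session.auth_level] >= LEVEL_RANK[needed] else "step-up"


if __name__ == "__main__":
    svc = MagicLinkService()
    # Constructed sample: an abandoned-cart email for user-123.
    url = svc.issue("user-123", "abandoned-cart", "https://shop.example/cart")
    token = url.split("token=", 1)[1]
    session = svc.redeem(token, "phone-7")       # first click, from a device never seen before
    print(session.auth_level, authorize(session, "GET /cart"), authorize(session, "POST /checkout/address"))
    session = svc.step_up(session, otp_verified=True, device_id="phone-7")
    print(session.auth_level, authorize(session, "POST /checkout/address"))
    print(svc.redeem(token, "phone-7"))          # replaying the same link yields None
```

The two properties that make the forwarded-link scenario survivable are both in `redeem`: the token is consumed on first use, so a copy that reaches a second inbox is dead once either copy is clicked, and an unrecognized device only ever gets a persona-level session until `step_up` has verified a second factor and recorded the device.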

How to use it

You can check out the new product here. When you’re ready to start testing it out, you can reach out to us at support@stytch.com to enable the feature. We’re always willing to provide guidance and input on best practices for implementing embedded authentication like magic links.