September 24, 2021
Providing developers with the flexibility to build their own unique user experiences is fundamental to how we think about building products. Today, we’re launching a new product, Embeddable Magic Links, to give you the option to own even more of your login and user engagement experiences.
Over the past year, we’ve introduced numerous features that make it easier to onboard and authenticate users, including SMS, email, and WhatsApp one-time passcodes as well as email magic links and OAuth logins.
Embeddable Magic Links are a massive step forward in helping us achieve our mission of eliminating friction on the internet. This feature moves beyond the templated sign-up, login, and invitation magic link emails that we currently power for customers. Those existing templates allow us to abstract away a lot of complexity for customers when it comes to email deliverability, latency, and inbox placement. However, they also limit customers’ ability to craft new and inventive ways to take advantage of all magic links have to offer, including the ability to embed them into product experiences such as email and text communications with their users.
First, it’s helpful to align on what magic links are and what makes them special. At their core, magic links are high-entropy tokens that are appended to URLs to enable new authentication experiences. To use these tokens to power logged-in experiences, you generate a unique, temporary token for an individual user (e.g. email@example.com) whenever they’re trying to access their account. The ingenuity of magic links comes from the fact that they offer significant security while also enabling “magical” user interactions where the end-user doesn’t need to take additional actions beyond clicking a link (or button).
By embedding magic link authentication into existing user workflows, such as when a user casually navigates the messages within their email or SMS inbox, we have an opportunity to significantly improve the way we engage with users on the web.
The value of embeddable magic links is best illustrated by considering the user experience that their absence creates today — think about the many different emails your apps and accounts send you on a daily basis, including things like:
Today, if you click through the various examples like the above in your inbox, the vast majority of the time you’re likely to encounter a logged-out experience. You’ll be asked to sign in with a password you’ve likely forgotten, often forced to choose between abandoning completely or enduring a frustrating password reset process. This interaction similarly frustrates businesses because it leads to a high-intent user abandoning their funnel.
We don’t have to live like this anymore. Today, we’re underutilizing the fact that whenever you click on one of these emails or texts, you’re entering the application from an authenticated inbox (e.g. your email or phone). Embeddable magic links offer a way to associate a user clicking a call-to-action button with an existing account — with this context, you could either directly log the user into their account or simply use that information to determine the marketing persona of the user engaged within your application to power customized recommendations. Here’s how this flow works with Stytch:
Embeddable magic links become even more powerful when used in conjunction with other Stytch products, because the combination allows you to right-size the amount of authentication security depending on the level of access you’re providing to the user who has clicked through the embedded magic link. (Check out the guide in our docs to see how you can augment this product with our other features.)
In many cases, an embedded magic link alone should suffice for your use case. If the user is coming from a recognized device, you could provide them with full account access. Alternatively, regardless of where they’re coming from, you could instead choose to treat the user as a persona used for marketing purposes and customize general recommendations rather than directly grant account access.
While embeddable magic links are great tools, they’re not invincible. Scenarios where you’ll want to be more careful involve situations where a user clicks an embeddable magic link from an unrecognized device. In these cases, there’s additional risk you’ll want to consider when determining the adequate account protection. It’s possible the user has forwarded their unique embedded magic link to a friend (or an attacker trying to phish them). To safeguard against these instances, you can consider the following options:
You can check out the new product here. When you’re ready to start testing it out, you can reach out to us at firstname.lastname@example.org to enable the feature. We’re always willing to provide guidance and input on best practices for implementing embedded authentication like magic links.
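The token mechanics and the recognized-device decision described above can be sketched as follows. This is an added example, not Stytch's API or code from this post; the function names, the 15-minute lifetime, single-use redemption, and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the post only says "temporary"
_store = {}                  # sha256(token) -> record; stand-in for a database table

def _digest(token):
    # Store only a hash so a leaked table does not expose usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_link(user_id, base_url, now=None):
    """Create an expiring token bound to one user and append it to a URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _store[_digest(token)] = {"user": user_id,
                              "expires": now + TOKEN_TTL_SECONDS,
                              "used": False}
    return f"{base_url}?token={token}"

def redeem(token, device_id, known_devices, now=None):
    """Return (user, access) where access is 'none', 'full' or 'persona_only'."""
    now = time.time() if now is None else now
    rec = _store.get(_digest(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None, "none"
    rec["used"] = True  # assumption: single use, so a forwarded link cannot be replayed
    if device_id in known_devices.get(rec["user"], set()):
        return rec["user"], "full"
    # Unrecognized device: personalize only; ask for more authentication
    # before granting account access.
    return rec["user"], "persona_only"

if __name__ == "__main__":
    # Constructed sample values.
    devices = {"user-1": {"laptop-abc"}}
    link = issue_link("user-1", "https://app.example.test/offer")
    tok = link.split("token=", 1)[1]
    print(redeem(tok, "phone-xyz", devices))   # unrecognized device
    print(redeem(tok, "laptop-abc", devices))  # token already used
```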