Protected Magic Links

Stytch's email magic links product has built-in protections that ensure seamless delivery of magic links in corporate environments without compromising on security.

Each magic link that is sent to the user is one-time-use. Once the user clicks on the magic link and logs in, the embedded token that uniquely identifies the authentication request is “consumed” and cannot be used for subsequent logins. This is critical for security as it significantly reduces the chances of unauthorized access. Once the user has completed the authentication flow the token cannot be stolen or replayed by an attacker to gain access.

However, in corporate environments, where email security scanners are very prevalent, this security measure can sometimes make Email Magic Links unusable.

Email security scanners are tools that scan incoming emails for malicious content, such as suspicious links or attachments, in an effort to protect the user from phishing attacks or malware. Most security scanners will inspect and click on any links present in emails, in order to identify suspicious redirects, attempts to execute malicious scripts or download malware, or signs of a phishing attempt.

When the link in question is actually an email magic link, the scanner will end up consuming the token before the email actually makes its way into the user’s inbox, preventing them from being able to use the link to login.

In order to not compromise on the security of our EML product, while accounting for the prevalence of email security scanners, particularly in corporate inboxes, Stytch leverages our device intelligence product to handle “clicks” differently depending on if it is a real human user, or an email security scanner.

When we identify that the magic link has been clicked by an email security scanner, we do not treat the click as an authentication attempt – meaning the token is not consumed, and a session is not granted. The security scanner is able to inspect the link and identify that it is not malicious, without interfering with the one-time-use restriction. Once the scan is complete and the email is passed through to the user’s inbox, they are able to click on the link and successfully log in.

This protection comes out of the box for all Stytch customers, but if you are interested in learning more about other use cases of Stytch’s device intelligence product (such as bot-protection on your login page, or identifying and blocking fraudulent real users) you can contact sales here.