Device Registration is a security feature that helps protect end-users from sophisticated phishing techniques. When a returning user initiates a login from an unrecognized device or browser, they’ll receive an email or text message to review and confirm the login request.
You can learn more about Magic’s commitment to security in this blog post.
Device Registration applies to returning users logging in via Email OTP, Non-Redirect Magic Link, or SMS on an unrecognized device. Device Registration is not enforced at time of initial account creation.
If a returning user attempts to log in via email from an unrecognized device or browser, they will be shown a prompt to register their device. The user will receive a themed email containing information about the login request, with a button to approve the login.
Clicking the “Approve this login” button navigates users to a secure domain owned by Magic, which compares the user’s current device profile to the device profile used to initiate the login request.
If the profiles match, the user’s new device will be registered automatically. They can then return to the application and continue with their standard login process.
However, if the confirming device profile does not match the device profile used to initiate a login request, Magic will display a secondary confirmation with information about login request. Users can then choose to approve or reject the login. This will most commonly occur for end-users that initiate a login on one device (laptop) and check their email on a different device (phone).
When a returning user attempts to log in via SMS on an unrecognized device or browser, they’ll receive an SMS containing information about the device profile that initiated the login.
Users can then respond via SMS to either approve (
1) or deny (
2) the login request.
For security purposes, Magic’s Device Registration offering supports limited customization options. As with all widget UI, app name, logo, brand color, and theme will be applied to each step of the device registration flow.
Additionally, you may use
deviceCheckUI=false to customize the messaging shown to users when an unrecognized device is detected. See API Reference for more info.
Device Registration also supports Custom SMTP, allowing you to customize the domain and sender that the device registration email is sent from.
While we highly recommend enforcing device registration, this feature can be disabled on a per-app basis. To disable device registration, head to the Settings page in Magic’s developer dashboard.
For the best user experience, please make sure you’re using the minimum version of Magic’s SDK:
React Native Bare
React Native Expo