Email Link Update (March 2023)

# Changes to the existing email magic link sign-in flow

Magic’s top priority is ensuring secure authentication for the end users of your app. Magic recently added a layer of security to all login flows that use email magic links. Specifically, the change ensures that the IP address of the device on which a user enters their email address matches the IP address of the device that clicks the magic link. If the IP addresses do not match, the following error is shown to the user when they click on the magic link.

In addition, for desktop web users, magic links will now authenticate the session in which the link from the user’s email is clicked. This means that the session or browser tab where the user first enters their email address will no longer sign the user in. This will help ensure that users remain secure in an evolving threat environment, while still delivering a smooth sign-in experience. For customers using the web SDK, no code changes are required.

# Web SDK changes

For desktop web users, magic links will soon authenticate the session in which the link from the user’s email is clicked. This means that the session or browser tab where the user first enters their email address will no longer sign the user in. In addition, a security code will be shown to users to further strengthen the security of their login unless a redirect URL is implemented. See below for details on the user experience. We highly recommend that developers using the web SDK add redirect URLs to their application and register them in the developer portal. This change goes into effect in 30 days, on April 20th, 2023.

# Mobile SDK one-time passcode migration

For customers using magic links with the mobile SDK, we will roll out additional measures beyond the above for added security. After clicking the magic link, users will be required to enter a code before they are logged in. This code is made available to them when they enter their email in your app. This change will go live in 30 days. Below is a summary of the workflow:

  1. User clicks sign-in from your app

  2. A code is shown to the user, who copies it

  3. User navigates to the magic link email and opens the link

  4. User is prompted with a screen to enter the code. User pastes the code and is now signed into your application
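
The IP address match from the first section and the code step from the workflow above can be modelled server-side as follows. This is an added example, not Magic's implementation: the class and function names, the in-memory store, the six-digit code, the link lifetime and the attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 600   # assumed; the page states no link lifetime
MAX_CODE_ATTEMPTS = 3    # assumed; the page states no attempt limit


def _digest(token: str) -> str:
    # Store only a hash so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkFlow:
    """In-memory model of the flow; every name here is hypothetical."""

    def __init__(self, clock=time.time):
        self._pending = {}
        self._clock = clock

    def start_login(self, email: str, request_ip: str):
        """Called when the user submits their email in the app."""
        token = secrets.token_urlsafe(32)         # goes into the emailed link
        code = f"{secrets.randbelow(10**6):06d}"  # shown in the app, never emailed
        self._pending[_digest(token)] = {
            "email": email, "ip": request_ip, "code": code,
            "expires": self._clock() + LINK_TTL_SECONDS, "attempts": 0,
        }
        return token, code

    def redeem(self, token: str, click_ip: str, entered_code: str) -> str:
        """Called by the session that opened the link; returns an outcome."""
        key = _digest(token)
        rec = self._pending.get(key)
        if rec is None:
            return "invalid_link"
        if self._clock() > rec["expires"]:
            del self._pending[key]
            return "expired"
        if click_ip != rec["ip"]:
            return "ip_mismatch"        # link stays usable from the original IP
        if not hmac.compare_digest(entered_code.encode(), rec["code"].encode()):
            rec["attempts"] += 1
            if rec["attempts"] >= MAX_CODE_ATTEMPTS:
                del self._pending[key]  # stop guessing of the short code
            return "wrong_code"
        del self._pending[key]          # single use
        return "signed_in:" + rec["email"]
```

Because the code is displayed only in the app session that requested the login, possession of the emailed link alone is not enough to complete the sign-in.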

On June 20th, 2023, all customers with mobile applications will be migrated to Email OTP (one-time passcodes). We advise customers to switch over to OTP before then. Please refer to the documentation below on how to implement OTP on mobile.

How to add OTP email login on iOS

How to add OTP email login on Android

How to add OTP email login on Flutter

How to add OTP email login on Unity

How to add OTP email login in React Native