1 comment

  • MicahParks 14 hours ago
    I just updated my open-source Golang email magic link authentication project to include One-Time Password (OTP) support.

    https://github.com/MicahParks/magiclinksdev

    This has brought the API specification to v2:

    https://swaggerui.magiclinks.dev/

    Magic link authentication is my favorite, but it has its challenges. There are two notable ones, a technical one and a user-related one.

    The technical challenge with magic links has more to do with emails. Many email security products like to follow links in emails to analyze them for malware or phishing. Since magic links are one-time use, this consumes the magic link. For this project, I ended up using reCAPTCHA v3 to test the web browser before performing the redirect. If the user's browser doesn't run JavaScript, there is a button to submit an HTML form that performs a redirect. Adding reCAPTCHA v3 means I needed to add the Google terms of service and privacy policy to the user workflow when that's enabled, which isn't ideal. However, I still think that's a long-term solution that doesn't involve my own anti-bot (security product) code. That said, I would still prefer a backend-only solution to this problem. An HTTP 3XX redirect is favored over a JavaScript redirect.

    https://github.com/MicahParks/magiclinksdev/issues/2

    The user-related challenge is that a user wants to log in on Device A, but they only check their email on Device B. This is especially true for older users, like my parents, who exclusively check email on an iPad. In this case, OTPs are a great alternative email-based solution. Although, in my experience, users have been known to find the OTP friction undesirable as well... Can't win 'em all.

    Check out the project, if you want. Let me know your thoughts. I love to talk about authentication.
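The two problems the post describes, link scanners consuming a one-time magic link and the OTP fallback for users who read mail on another device, can be illustrated with a small Go service. The following is an added example written for this page; it is not code from magiclinksdev or its author, and the store, the `Use`/`VerifyOTP` functions, the `/login` and `/app` paths and the sample user are assumptions for the demonstration. It takes the backend-only approach the post says it would prefer: a GET on the link only validates the token and renders a plain HTML form, so an automated scanner that follows the link sees a page but does not spend the token; the POST from the form consumes the token and replies with an HTTP 303 redirect, no JavaScript or CAPTCHA involved. The OTP is issued alongside the link, shares its expiry and one-time use, and is checked with a constant-time comparison.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"html"
	"math/big"
	"net/http"
	"sync"
	"time"
)

// link is one pending email login; a successful use of either the token or the OTP consumes both.
type link struct {
	email   string
	otp     string
	expires time.Time
	used    bool
}

// Store is a constructed in-memory store for this example; now is an injectable clock for tests.
type Store struct {
	mu    sync.Mutex
	links map[string]*link
	now   func() time.Time
}

func NewStore() *Store { return &Store{links: map[string]*link{}, now: time.Now} }

// Issue creates a 256-bit CSPRNG token and a uniform 6-digit OTP for email; both are mailed out.
func (s *Store) Issue(email string, ttl time.Duration) (token, otp string, err error) {
	b := make([]byte, 32)
	if _, err = rand.Read(b); err != nil {
		return "", "", err
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000)) // uniform in [0, 10^6), no modulo bias
	if err != nil {
		return "", "", err
	}
	token, otp = base64.RawURLEncoding.EncodeToString(b), fmt.Sprintf("%06d", n.Int64())
	s.mu.Lock()
	defer s.mu.Unlock()
	s.links[token] = &link{email: email, otp: otp, expires: s.now().Add(ttl)}
	return token, otp, nil
}

// Use validates token and returns its email. With consume=false it only peeks, so a mail
// scanner's GET leaves the link usable; with consume=true the one-time use is spent.
func (s *Store) Use(token string, consume bool) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	l := s.links[token]
	if l == nil || l.used || !s.now().Before(l.expires) {
		return "", false
	}
	l.used = consume
	return l.email, true
}

// VerifyOTP consumes the pending login for email whose code matches; the constant-time
// compare keeps response timing from leaking how many digits were right.
func (s *Store) VerifyOTP(email, code string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	for _, l := range s.links {
		if !l.used && s.now().Before(l.expires) && l.email == email &&
			subtle.ConstantTimeCompare([]byte(l.otp), []byte(code)) == 1 {
			l.used = true
			return true
		}
	}
	return false
}

// Handler serves the link. GET only renders a form and consumes nothing, so link-following
// scanners keep the token alive; the POST from a real click consumes it and answers with a 303.
func (s *Store) Handler(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodPost {
		if _, ok := s.Use(r.FormValue("token"), true); !ok {
			http.Error(w, "invalid or expired link", http.StatusNotFound)
			return
		}
		http.Redirect(w, r, "/app", http.StatusSeeOther) // a real service sets the session cookie first
		return
	}
	token := r.URL.Query().Get("token")
	if _, ok := s.Use(token, false); !ok {
		http.Error(w, "invalid or expired link", http.StatusNotFound)
		return
	}
	fmt.Fprintf(w, `<form method="POST"><input type="hidden" name="token" value="%s">`+
		`<button>Continue to sign in</button></form>`, html.EscapeString(token))
}

func main() {
	s := NewStore()
	token, otp, _ := s.Issue("alice@example.com", 10*time.Minute) // constructed sample user
	fmt.Printf("magic link: http://127.0.0.1:8080/login?token=%s  OTP: %s\n", token, otp)
	http.HandleFunc("/login", s.Handler)
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Running the program prints a link and an OTP for the constructed user; fetching the link any number of times with GET leaves it valid, submitting the form spends it, and the OTP can be checked with `VerifyOTP` from a separate login form on whichever device the user is actually on. Note that a scanner which renders pages and clicks buttons would still defeat the form step, which is why the post's author fell back to reCAPTCHA; the form only filters out scanners that merely follow links.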