Sign in to your Anvil apps with a Magic Link

Did you know it’s possible to let your users sign in to your Anvil app without a password? Passwordless authentication is gaining traction among a lot of the web, and you may already be familiar with Magic Links from services like Slack or Tumblr.

Slack allows you to sign in with just an email and a Magic Link.

Slack allows you to sign in with just an email and a Magic Link.

In this blog post, we’ll talk about how Magic Link sign-in works, why you might use it over traditional password-based authentication, and how to enable it for your Anvil apps.

How does Magic Link sign-in work?

If you’ve ever reset your password by email, you’ll be familiar with the flow of authenticating with a Magic Link:

  • The users enters their email address, which identifies them to your service
  • Your service sends them an email with a link containing a secure token
  • The users clicks that link and is taken to an active, authenticated session in your service.
Authenticating using a Magic Link in an Anvil app

Authenticating using a Magic Link in an Anvil app

Why use it?

No need for you to store passwords

Modern problems require modern solutions.

Modern problems require modern solutions.

Compromised credentials are consistently among the top causes of security breaches - according to the 2021 Verizon Data Breach Investigation Report, 61% of all data breaches involved stolen credentials. User passwords can be vulnerable to phishing and brute-force attack, the risks of which are compounded by factors like password re-use and commonly chosen passwords.

In particular, not having passwords means that your users can’t be tricked into giving them away to hackers, which is what ‘phishing’ refers to; a common scam is the ‘You’ve won an gift card for this service! Please go to our website and put in your credentials to redeem it’ tactic - and of course, the website they’re directed to is not the legitimate website at all, but rather one that looks enough like the real thing to pass muster for a few minutes.

Doing away with passwords allows you to bypass these risks completely; it’s hard for your user to be tricked by a phisher into entering their password somewhere they shouldn’t if they haven’t got one!

No need for users to remember passwords

It’s hard to remember a lot of different passwords. This tempts users to remember only a few passwords, and use them in multiple places. Now, that presents a problem: if someone phishes or breaches one service, they’ll have access to all your accounts! Password managers help you remember a strong, unique password for each site, but they can be cumbersome to use, and most people don’t have one.

Using Magic Links to authenticate instead lets you completely avoid this friction; no password, no problem.

No need for specific equipment

One of these gets you to the goods much faster than the other.

One of these gets you to the goods much faster than the other.

One popular way to prevent phishing is to require hardware two-factor authentication, where as well as a password (the first factor) you require a cryptographic signature generated by a hardware token (the second factor). That hardware token might be something like a Yubikey, or another provider whose tokens conform to the FIDO2 standard.

When your user authenticates, the token knows which website they’re visiting, and only produces the right signature if the user is on your genuine website - and therefore, if your user is actually visiting a phishing site pretending to be yours, the hardware token won’t generate anything that’ll be useful to the attacker. Problem: these hardware tokens are expensive, fiddly, and cumbersome. A Magic Link is none of these things.

Moreover, with hardware tokens, you might need to provide one to every user (if they don’t already own one) - even apart from the expense, what a hassle! With Magic Links, all they need is somewhere they can both receive emails and access your service - so, anything with a browser, given that we’re talking about web apps.

This means that in order for a new user to register with your service, you don’t need to ship them a specialised piece of hardware before they can access it, reducing costs for you and increasing access for them.

… but still a need for good security practices

No system is perfectly secure.

No system is perfectly secure.

Of course, this entire authentication flow depends on sending a credential to your user in plaintext, over email. If anyone else gets to that credential before they do, it’ll be compromised; for example, if the user leaves their email inbox open and unattended, or forwards the email to someone else without clicking the link. Anvil’s Magic Links automatically expire after 10 minutes of their generation to mitigate this risk.

Since they rely on the security of your users’ email accounts, Magic Links are vulnerable to anything that compromises that security. For example, an unsecured mail server could allow an attacker to inspect traffic as it’s being sent, and read the plain-text authentication token we’re sending. Mail servers that send traffic that is encrypted (good!) still don’t always require certificates on that traffic (vulnerable!) and this leaves them open to man-in-the-middle attacks, whereby an attacker could read (and edit!) your email without being detected. Of course, this wouldn’t be an easy trick to pull off; try it with any of the major email service providers (GMail, Microsoft Outlook, et cetera) and you’ll find yourself in hot water in short order!

Of course, if something has compromised your email inbox, you have a lot of problems to worry about, not just the apps that use Magic Link authentication. Most importantly, any password-based system which uses email to reset passwords also sends plain-text tokens over email. That means that email-based attack is a risk that almost every authentication system has decided is worth accepting, and so Magic Link users can sleep soundly at night knowing that they’re no more vulnerable than others.

Enable Magic Link Sign-in for your Anvil apps

Anvil apps come with user management already built-in, and you have a multitude of options for authenticating your users.

Enabling login with Magic Links for your Anvil app is as easy as checking the relevant box in the Users Service configuration page.

Enabling an Anvil app to use Magic Link sign-in in the Users Service configuration page.

Enabling an Anvil app to use Magic Link sign-in in the Users Service configuration page.

Then, when you prompt users to log in with anvil.users.login_with_form(), the form will have the option to authenticate via email link! And, just like other emails from the Users Service, you can customise the email that gets sent containing the Magic Link.

More about Anvil

If you’re new here, welcome! Anvil is a platform for building full-stack web apps with nothing but Python. No need to wrestle with JS, HTML, CSS, Python, SQL and all their frameworks – just build it all in Python.

Learn More