hectoday
DocsCoursesChangelog GitHub
DocsCoursesChangelog GitHub

Access Required

Enter your access code to view courses.

Invalid code

← All courses Two-Factor and Passwordless Auth with @hectoday/http

Why Passwords Are Not Enough

  • The Problem with Passwords
  • Project Setup

TOTP (Time-Based One-Time Passwords)

  • How TOTP Works
  • Generating Secrets and QR Codes
  • Enabling 2FA on an Account
  • Verifying TOTP on Login
  • Time Windows and Clock Drift

Recovery

  • Recovery Codes
  • Disabling 2FA
  • Account Recovery When Everything Is Lost

Magic Links

  • How Magic Links Work
  • Building Magic Link Login
  • Security Considerations

WebAuthn and Passkeys

  • What Are Passkeys?
  • Registration Flow
  • Authentication Flow
  • Passkeys as Second Factor or Primary

Putting It All Together

  • Multi-Method Auth
  • Auth Method Checklist and Capstone

How Magic Links Work

Passwordless login via email

A magic link is a URL sent to the user’s email that logs them in when clicked. No password needed. The flow:

  1. User enters their email
  2. Server generates a token, sends a link: https://yourapp.com/auth/verify?token=abc123
  3. User clicks the link in their email
  4. Server validates the token and creates a session

This is essentially the password reset flow from the Securing Your API course, but instead of changing a password, it creates a session directly.

Why it works

Email access is the proof of identity. If you can read the email, you control the account. This is the same assumption that password reset makes — and every app with password reset already trusts email as an identity factor.

Magic links make this implicit trust explicit: instead of going through password reset to regain access, the user skips the password entirely.

How it relates to password reset

The implementation is nearly identical:

FeaturePassword ResetMagic Link
User submitsEmailEmail
Server generatesTime-limited, single-use tokenTime-limited, single-use token
Token is stored asSHA-256 hashSHA-256 hash
Link goes toReset password formSession creation
Token is consumedWhen password is changedWhen session is created

The only difference is what happens when the token is verified: password reset changes the password, magic link creates a session.

When magic links are appropriate

Good fit: Low-risk apps, content sites, collaboration tools, newsletters, internal tools. Any app where email access is a reasonable proxy for identity.

Poor fit: Banking, healthcare, government services, apps handling sensitive financial data. These need stronger guarantees than email access provides. Email accounts can be compromised, emails can be forwarded, and email is transmitted in cleartext between mail servers.

Hybrid approach: Use magic links as a convenient option alongside passwords. Users who want stronger security can use passwords + 2FA. Users who want convenience can use magic links.

Exercises

Exercise 1: Think about apps you use that offer magic link login. Slack is a common example. What is the UX like?

Exercise 2: If you already built password reset in the Securing Your API course, compare the code. How much of the token generation, hashing, and verification logic could be shared?

What is the security assumption behind magic link login?
← Account Recovery When Everything Is Lost Building Magic Link Login →

© 2026 hectoday. All rights reserved.