
Magic Links: Passwordless Authentication


Category: Modules | Last Updated: Feb 5, 2026
Tags: modules, compliance, blockchain

Overview

A new analyst joining a government security team on their first day should not be blocked from the platform because they forgot a temporary password that was emailed to them separately. Magic links solve the onboarding friction point cleanly: the user enters their email address, receives a single-use link, clicks it, and is authenticated. No password to remember, no MFA app to set up before first login.

Behind that simplicity is a properly hardened token architecture. Tokens are cryptographically signed and single-use. They expire on a short, configurable timer. Rate limits prevent abuse at both the per-IP and per-email levels. Redirect URLs are validated against a strict whitelist to close off open redirect vectors. Device fingerprinting captures contextual signals for audit purposes.

Open Standards

  • RFC 5321 / RFC 5322 (SMTP / Internet Message Format): Magic link emails are dispatched as standards-compliant SMTP messages with RFC 5322-formatted headers (From, To, Subject, Date), ensuring interoperability with any standards-compliant mail transfer agent and delivery service.
  • RFC 3986 (Uniform Resource Identifier, Generic Syntax): One-time login URLs are constructed and validated according to RFC 3986, with the token embedded as a query parameter and the redirect target parsed and scheme/host-validated against the approved domain whitelist.
  • HMAC (RFC 2104) with SHA-256: One-time tokens are generated as HMAC-SHA-256 digests of a random nonce and server-side secret, producing a keyed token that is tamper-evident without exposing the secret to the recipient.
  • FIPS 180-4 (SHA-256): Token hashes stored in the database are SHA-256 digests of the raw token value, so a database compromise does not reveal redeemable tokens; constant-time comparison on lookup closes timing-based enumeration vectors.
  • OAuth 2.0 (RFC 6749) and OpenID Connect Core 1.0: After successful magic-link verification the platform issues a standard OAuth 2.0 session (access token, optional refresh token) so downstream services that rely on Bearer authentication or OIDC identity assertions receive a credential in a recognised format.
  • JSON Web Token (RFC 7519): Platform sessions derived from a successful magic-link redemption are expressed as JWTs, carrying standard claims (sub, iss, exp, iat, jti) and signed with the platform's RS256 or ES256 key, enabling stateless verification by any JWT-aware resource server.
  • OWASP ASVS 5.0 V3.5 (Out-of-band Verifiers): Token generation, delivery, expiry, single-use enforcement, and rate-limit controls are implemented in compliance with ASVS V3.5 requirements for out-of-band one-time authentication, covering entropy minimums, maximum validity windows, and immediate invalidation on use.
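As an added illustration of the token lifecycle described in the list above (this is example code, not code from the page or from the platform), the following Python sketch mints a token as an HMAC-SHA-256 digest of a random nonce under a server-side secret, persists only the SHA-256 hash of that token, and enforces single use and expiry at redemption with a constant-time comparison. The 15-minute TTL, the in-memory store standing in for the PostgreSQL table, and the names `MagicLinkStore`, `issue` and `redeem` are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed values: the page says the expiry timer is configurable but gives no default,
# and the server-side HMAC secret would come from a KMS or secret store in production.
TOKEN_TTL_SECONDS = 15 * 60
SERVER_SECRET = secrets.token_bytes(32)


def _hash(token: str) -> str:
    """SHA-256 (FIPS 180-4) of the raw token; this is the only form that is ever stored."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class TokenRecord:
    """One row of the (hypothetical) magic_link_tokens table."""
    token_hash: str             # SHA-256 of the raw token; the raw token itself is never stored
    email: str
    expires_at: float           # unix time
    used_at: Optional[float] = None


class MagicLinkStore:
    """In-memory stand-in for the PostgreSQL table, constructed for this example."""

    def __init__(self) -> None:
        self._rows: Dict[str, TokenRecord] = {}

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Mint a single-use token for `email` and return the raw value for the emailed URL."""
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(32)   # 256 bits of entropy, above ASVS minimums
        # Keyed token: HMAC-SHA-256 (RFC 2104) over the nonce under the server secret.
        token = hmac.new(SERVER_SECRET, nonce, hashlib.sha256).hexdigest()
        # Only the hash is persisted, so a database leak yields nothing redeemable.
        self._rows[_hash(token)] = TokenRecord(_hash(token), email, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
        """Consume a token. Returns (status, email); email is set only when status == "ok"."""
        now = time.time() if now is None else now
        candidate = _hash(token)
        row = self._rows.get(candidate)   # models the indexed SELECT ... WHERE token_hash = $1
        # Constant-time comparison of the stored hash against the candidate, so a near-miss
        # and a complete miss cost the same time and leak nothing about matching prefixes.
        if row is None or not hmac.compare_digest(row.token_hash, candidate):
            return ("unknown", None)
        if row.used_at is not None:
            return ("used", None)        # single use: a replayed link is refused
        if now >= row.expires_at:
            return ("expired", None)     # short validity window
        row.used_at = now                # mark consumed before the session is issued
        return ("ok", row.email)
```

Both the issued token and the stored hash are hex strings of the same length, so a database dump looks like a table of tokens but contains nothing that the verification endpoint will accept; the check order (existence, then used, then expired) means a replayed link is reported as "used" even after the expiry time has passed, which is the signal an audit log wants.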

Last Reviewed: 2026-02-05 | Last Updated: 2026-04-14

Key Features

Email-Based Passwordless Login

Secure, one-time login links are delivered to users' email addresses. Professional HTML email templates include a clear call-to-action, security notices, and plain-text fallbacks. Users are authenticated without entering credentials.

Tokens are single-use and time-limited. They expire after one successful use or a configurable timeout, whichever comes first. Automatic cleanup of expired tokens maintains data minimisation compliance.

Redirect URL Support

Optional post-authentication redirect URLs navigate users to their intended destination. All redirect targets are validated against a pre-approved domain whitelist to prevent open redirect attacks. Deep link support preserves query parameters across the authentication flow.
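The redirect validation described here, and the RFC 3986 URL construction listed under Open Standards, as an added Python example (not the platform's own code): the candidate redirect is split into its RFC 3986 components, the scheme and host are checked against a whitelist, the authority must be exactly the host (which rejects userinfo, ports and backslash tricks), and the URL is rebuilt from the parsed parts so the deep link's query string survives. The whitelist, the landing page, the `/auth/magic` endpoint and the `next` parameter name are assumptions for the example.

```python
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed whitelist and landing page; the real module would read these from configuration.
ALLOWED_REDIRECT_HOSTS = {"portal.example.gov", "cases.example.gov"}
DEFAULT_ORIGIN = "https://portal.example.gov"
DEFAULT_LANDING = DEFAULT_ORIGIN + "/home"
MAGIC_LINK_ENDPOINT = DEFAULT_ORIGIN + "/auth/magic"   # hypothetical verification endpoint


def safe_redirect(candidate: Optional[str]) -> str:
    """Return `candidate` if it is an https URL on a whitelisted host, else the default landing page."""
    if not candidate:
        return DEFAULT_LANDING
    # A path-relative deep link ("/cases/42?tab=1") is anchored to our own origin.
    # "//host" and "/\host" are scheme-relative in browsers, so they are not treated as paths.
    if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
        candidate = DEFAULT_ORIGIN + candidate
    parts = urlsplit(candidate)            # RFC 3986 component split
    host = parts.hostname                  # lower-cased, with userinfo and port stripped
    if parts.scheme != "https" or host is None:
        return DEFAULT_LANDING             # rejects javascript:, http:, and bare "//evil"
    if host not in ALLOWED_REDIRECT_HOSTS:
        return DEFAULT_LANDING
    # The whole authority must be exactly the host: this refuses "user@host", "host:port"
    # and backslash tricks such as "https://evil.example\@portal.example.gov".
    if parts.netloc.lower() != host:
        return DEFAULT_LANDING
    # Rebuild from parsed parts so the path, query string and fragment of the deep link survive.
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


def build_magic_link(token: str, redirect: Optional[str] = None) -> str:
    """Embed the one-time token (and a validated `next` target) as percent-encoded query parameters."""
    params: Dict[str, str] = {"token": token}
    if redirect:
        params["next"] = safe_redirect(redirect)
    return f"{MAGIC_LINK_ENDPOINT}?{urlencode(params)}"


def parse_magic_link(url: str) -> Dict[str, str]:
    """Recover the query parameters at verification time; `next` is re-validated, never trusted as-is."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if "next" in query:
        query["next"] = safe_redirect(query["next"])
    return query
```

Validating `next` both when the link is built and again when it is redeemed matters because the emailed URL passes through the user's mail client and browser; anything that could be edited in transit is treated as untrusted input at the endpoint.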

Automated Token Cleanup

Expired and used tokens are removed promptly. Used tokens are retained for a configurable period to support audit compliance before automatic deletion.
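An added example of the cleanup policy just described, written for this page rather than taken from the platform: unused tokens are deleted as soon as they expire, while redeemed tokens are held for an audit retention window measured from the moment of redemption. The 30-day default, the `StoredToken` record and the `run_cleanup` name are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed retention for redeemed tokens; the page says the period is configurable.
USED_TOKEN_RETENTION_SECONDS = 30 * 24 * 3600


@dataclass
class StoredToken:
    """Minimal shape of a stored token row (constructed for this example)."""
    token_hash: str
    expires_at: float               # unix time
    used_at: Optional[float] = None


def classify(token: StoredToken, now: float,
             retention: float = USED_TOKEN_RETENTION_SECONDS) -> str:
    """Decide what the cleanup job does with one row: "active", "audit_hold" or "delete"."""
    if token.used_at is None:
        # Never redeemed: worthless once expired, and there is nothing to audit.
        return "active" if now < token.expires_at else "delete"
    # Redeemed: keep for the audit window measured from redemption, not from expiry,
    # so a link used seconds before it expired still gets the full retention period.
    return "audit_hold" if now - token.used_at < retention else "delete"


def run_cleanup(rows: List[StoredToken], now: float,
                retention: float = USED_TOKEN_RETENTION_SECONDS) -> Dict[str, List[str]]:
    """Partition rows by outcome and return the hashes per bucket; callers delete the "delete" bucket."""
    out: Dict[str, List[str]] = {"active": [], "audit_hold": [], "delete": []}
    for row in rows:
        out[classify(row, now, retention)].append(row.token_hash)
    return out
```

Returning the partition rather than deleting in place keeps the decision testable and lets the job log how many rows it removed for each reason, which is the figure a data-minimisation review will ask for.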

Attack Prevention

Token enumeration is prevented through hashing. Timing attacks are mitigated with constant-time comparisons. Per-IP and per-email rate limits block abuse patterns without affecting legitimate users.
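The per-IP and per-email rate limiting mentioned here, as an added Python example that is not the platform's code: a sliding-window counter is kept per key, the client IP is checked first (cheap, and it stops floods regardless of which addresses they target), then the normalised email address, so one abusive sender cannot exhaust a shared office IP's budget for everyone else while a single mailbox still cannot be flooded with links. The numeric limits are assumptions; the page says only that both limits exist.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Assumed limits: the page says per-IP and per-email limits exist but gives no numbers.
PER_IP_LIMIT, PER_IP_WINDOW = 20, 600        # 20 link requests per 10 minutes per client IP
PER_EMAIL_LIMIT, PER_EMAIL_WINDOW = 3, 900   # 3 link requests per 15 minutes per address


class SlidingWindowLimiter:
    """Counts events per key inside a trailing window; in-memory here, Redis or Postgres in practice."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:   # drop events that fell out of the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class MagicLinkRequestGuard:
    """Applies the per-IP limit first, then the per-email limit, to each link request."""

    def __init__(self) -> None:
        self.by_ip = SlidingWindowLimiter(PER_IP_LIMIT, PER_IP_WINDOW)
        self.by_email = SlidingWindowLimiter(PER_EMAIL_LIMIT, PER_EMAIL_WINDOW)

    def check(self, client_ip: str, email: str, now: float) -> Tuple[bool, str]:
        """Returns (allowed, reason). The reason is for the audit log, not for the HTTP response."""
        email_key = email.strip().lower()   # "Analyst@" and "analyst@" are the same mailbox
        if not self.by_ip.allow(client_ip, now):
            return (False, "ip_limited")
        if not self.by_email.allow(email_key, now):
            return (False, "email_limited")
        return (True, "ok")
```

The user-facing reply should read the same whether the request was allowed or limited; the reason string belongs in the audit log, where a burst of `email_limited` entries for one address or `ip_limited` entries for one client is the pattern worth alerting on.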

Use Cases

  • Frictionless User Onboarding: New users authenticate without creating passwords, reducing abandonment and support tickets on day one
  • Protected Resource Access: Users accessing protected pages after a session timeout receive a magic link that returns them to their intended destination after re-authentication
  • Mobile Authentication: Magic links work across devices without requiring password managers, particularly useful for field staff operating on shared or temporary devices

Integration

Available through authentication API endpoints covering request and verification operations. Supports redirect URL preservation, device fingerprinting for audit context, and comprehensive audit logging to PostgreSQL. Integrates with transactional email services for reliable delivery tracking and bounce handling.

Ready to Build?

Get started with our APIs or contact our integration team for support.