Magic links are often described as the next big thing in passwordless authentication, helping businesses create an alternative method for their users to access services online. Part of this is that standard login credentials, such as a username and password, no longer work; people are now used to instant access or information collection due to enhancements in AI and various automation tools. And it’s no secret that it’s easy to forget a password if you’re not using a password manager or haven’t logged into a particular account for a while.
Security challenges are also part of the issue, since many passwords are still being recycled, increasing the risk of account takeovers, unauthorized purchases, and similar unwanted consequences that both customers and businesses have to deal with. Like a one-time password (OTP), a magic link can be sent to a user’s email, which makes it an appealing option for B2B setups where multiple SaaS tools are used.
Below, we discuss what a magic link is, its other common use cases, and how magic links can boost conversion rates in more complex situations, such as KYC verification.
The Definition of Magic Links
Magic links are password-free authentication and verification methods, used in various industries, such as e-commerce or banking, both to remotely onboard users during the account creation process and to let them log in to their account without entering standard credentials. The process is similar to a password reset, as the user receives a magic link in their email inbox (alternatively, it can arrive through an app or an SMS message).
Magic links are used widely in various industries because they:
- Create a better and smoother experience for the user without requiring them to manually input data.
- Help reduce drop-offs and boost conversion rates due to their simplicity and familiar flow.
What is Magic Link Authentication?
Magic link authentication is a token-based authentication method that generates a time-sensitive URL tied to a user’s session; the link is then sent directly to the user’s registered email or phone. After clicking the link, users are redirected to confirm their identity by logging in to the platform. So, instead of requiring a standard password, magic links remove that hassle from the user experience, along with the traditional risks linked to password-based systems.
A magic link authentication process can look something like this:
- The user visits a company’s website or app and enters their email.
- A magic link is generated, typically with an expiration time.
- The user receives an email containing the magic link and clicks on it to proceed with the authentication.
- The user is redirected back to the website or app, gaining access to the services.
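The flow listed above, as an added Python example (not code from the original article or from iDenfy). The 15-minute lifetime, single-use redemption, hashed storage, the in-memory `PENDING` store and the `app.example.com` URL are assumptions made here for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the article only says "an expiration time"
BASE_URL = "https://app.example.com/auth/magic"  # placeholder endpoint

# In-memory stand-in for a database table: sha256(token) -> record.
PENDING = {}


def digest(token):
    """Hash the token so the raw secret is never stored server-side."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email, now=None):
    """Step 2 of the flow: create an expiring link for the given email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    PENDING[digest(token)] = {
        "email": email.strip().lower(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return f"{BASE_URL}?token={token}"


def redeem_magic_link(url, now=None):
    """Steps 3-4: return the email the link authenticates, or None."""
    now = time.time() if now is None else now
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    # pop() removes the record on first use, so a replayed link fails.
    record = PENDING.pop(digest(token), None)
    if record is None:
        return None  # unknown, forged, or already used
    if now >= record["expires"]:
        return None  # expired
    return record["email"]


if __name__ == "__main__":
    link = issue_magic_link("user@example.com")
    print("first click :", redeem_magic_link(link))
    print("second click:", redeem_magic_link(link))
```

Storing only the digest means a leaked token table does not yield usable links, and looking records up by digest avoids comparing raw secrets byte by byte.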
Magic link authentication can be used during the user registration or later in the business relationship, for example, if the user becomes inactive and wants to re-access their account.
This is a common practice in online marketplaces or any other online platforms where there are monetized transactions and the risk of fraud becomes bigger. Since magic links are easily implemented, this process is cost-effective for the business and still maintains a high standard for a good user experience.
Where Can You Use Magic Links?
You can use magic links in various scenarios. Some of the most popular examples include:
1. Limited Access Delegation
A magic link can be used to grant access to a certain account or portal, or limited access to sensitive information, without having to share login details. For example, if a person in a company goes on vacation, their task can be forwarded to another team member through a magic link, which gives them access to the information they need. For security reasons, this sort of magic link should have an expiration time and set permissions that give temporary access.
2. Device Authorization
A magic link can be used to confirm a new device that logs into the network, which is common among various security-focused applications. Like a password reset, the link can be sent to the person’s email address, which then allows access to their account through a new device. Consequently, it gets easier to access the same account through multiple devices without entering credentials.
3. Retargeting Campaigns
Magic links are a great way to re-engage lost customers, especially in e-commerce when a shopper leaves items in their cart without checking out. To recover sales, most companies send follow-up emails with magic links that automatically forward the user to their saved cart and apply a promo code, depending on the situation. In any case, this method helps reduce friction and improve conversions, pushing the person to rethink their decision to buy the product.
What is the Difference Between Authentication and Identity Verification?
Authentication is the process of a person proving they’re the rightful owner of a verified identity. Identity verification, by contrast, is the process of confirming the person’s identity, either accepting or rejecting access when they provide information proving who they say they are. ID verification is considered to be a more complex process because it involves measures such as asking the person to provide their government-issued ID document.
Here are some practical examples of both processes:
- Authentication. For example, it happens when a person is asked to log into their online bank account by entering their username and password or clicking a link sent to their email address (and then entering the same credentials).
- Identity verification. For example, it occurs when a person needs to register onto a crypto platform and is asked to upload a photo of their ID document and go through a quick selfie verification process. Often, the verification is fully automated and can be done in a few minutes.
So, this makes verification a more secure option than authentication because the person provides evidence that their claimed identity is real, not forged or stolen.
However, magic links go beyond standard authentication and can be adapted for various purposes across multiple industries. For example, e-commerce stores that sell age-restricted items or services need to implement a proper age verification process that complies with Know Your Customer (KYC) requirements. They can also use magic links to redirect users to confirm their restricted purchase on the platform by adding an extra step and asking them to upload a government-issued ID photo that proves their age.
How is KYC Verification Related to a Magic Link?
KYC, or Know Your Customer verification, is a regulatory compliance requirement that mandates industries like fintech, e-commerce, crypto, and other regulated sectors to verify their customers during the account opening stage and later throughout the whole business relationship. Verifying means checking if the user’s presented personal information is genuine and not forged. This is important, as fraudsters tend to fake ID documents or use AI for deepfakes during the biometric part of the KYC verification process.
Magic links are related to KYC because they work as a channel for identity verification where you:
- Want to manually redirect the user to complete the KYC process.
- Aim to improve the user experience and comply with KYC regulations.
- Don’t want to code and build your own ID verification process from scratch.
- Have the option to manage personal details and audit log linked to each verification link.
In this sense, KYC verification plays a major role in confirming a customer’s identity, making sure that identity stays accurate and verified over time. KYC is also part of a bigger regulatory framework, Anti-Money Laundering (AML) compliance, and is a first line of defense against fraud. When it comes to ongoing due diligence, after onboarding a customer, their activity and transactions need to be monitored for suspicious behavior. That’s required to maintain accurate risk profiles, since even the most genuine-looking customers can develop criminal tendencies or be used as money mules for money laundering.
Common Methods for KYC Verification
There are three main types of KYC verification, which can be used as a single verification component or combined into a multi-layer ID verification process. This approach is common in regulated industries, such as banking.
These include:
- Document verification. This involves checking an ID document, such as a passport or a driver’s license. Personal data (name and date of birth) is usually extracted automatically from an uploaded document online using tools like pattern recognition or optical character recognition (OCR).
- Biometric verification. This is the part where the user is asked to record a short video or snap a picture of their face so that the system can analyze their features, or facial biometrics, and spot alterations such as filters, deepfakes, and other renderings or attempts to hide the true face.
- Database verification. This involves cross-checking collected personal details, such as the user’s full name or address, against a trusted source, which is often an official government database as a way to find a match. This approach can vary based on the company’s industry, use case, and compliance needs and can be used for certain data points, such as a person’s Social Security Number (SSN).
Most of the time, multiple KYC methods are used together. For example, database verification already involves collecting basic user data and then comparing it with trusted records. So, asking the user to upload a government-issued ID photo and then extracting the details is an easy option and a more efficient way to use two layers of verification without adding too many unnecessary steps in the final ID verification flow.
How Does iDenfy’s Magic Link Solution Work?
The Magic Link is a new built-in feature from iDenfy designed to support those who want to manually generate verification links through our identity verification dashboard.
You can choose how to verify your customers based on your industry, operating country, internal risk factors, and the specific compliance requirements that apply. iDenfy’s AI-powered software is fully automated and customizable.
When a user clicks on the magic link, they’ll start the verification session, which you set up on your own directly through the dashboard in a few minutes. This is an alternative way to create links and share them with users through email, SMS, or other custom methods. It works like a temporary button that redirects them to their ID verification process without having to build the IDV process from scratch.
Key facts to remember:
- You can choose the preferred KYC method before generating the link.
- You can generate a single link for up to 500 identity verifications.
When a user clicks the link, a unique IDV session is created. Each verification is treated as a separate, individual session. The user is asked to verify their ID document or complete the full verification flow (document verification + biometric verification).
For more details or how to enable this feature, book a quick demo.