Passwords.app and Magic Links
There are many sites — and the trend seems to be accelerating — that do not use passwords (or passkeys) for signing in. Instead, they only support signing in via expiring “magic links” sent by email (or, sometimes, via text messages). To sign in with such a site, you enter your email address, hit a button, and the site emails you a fresh link that you need to follow to sign in. I despise this design pattern, because it’s inherently slower than signing in using an email/password combination that was saved to my passwords app and autofilled by my web browser.
[…]
To make matters worse, when you create a new account using a “magic link”, nothing gets saved to Apple Passwords. I don’t have many email addresses in active use, but I do have several. Sometimes I don’t remember which one I used for my account on a certain site.
[…]
One workaround I’ve used for a few sites with which I keep running into this situation (Status, I’m looking in your direction) is to manually create an entry in Apple Passwords for the site with the email address I used to subscribe, and a made-up single-character password. Apple Passwords won’t let you save an entry without something in the password field, and a single-character password is a visual clue to my future self why I did this.
I have also run into this friction where the Passwords app insists I not leave the field blank but there’s nothing that really makes sense to put there.
I’d always assumed that sites used magic links because people don’t remember their passwords, and it’s easier to click a link than to go through the password reset process each time. But Gruber notes that magic links are also an effective way to combat account sharing.
Previously:
Update (2025-12-22): Ezekiel Elin:
You actually can create password entries without passwords because there’s a bug in the app where the (command)+S keyboard shortcut works even when the UI button to save is disabled
I’m not too deep into account-sharing, but what would prevent me from setting up lets-all-share-netflix@gmail.com and use it for the accounts I intend to share?
@Fabian I've done something exactly like this myself.
I would say this "magic link" trend has little to do with account sharing and is mostly motivated by just not wanting to deal with the liability of storing passwords.
This behavior also comes from the sad fact that for many, many users, “forgot password” is their login link. The average user is so bad about passwords that many don’t even try. And honestly that’s probably for the best in many cases, because they are just going to reuse the same simple password and email combination for every service anyway. They’re lucky if the password to their email account isn’t the exact same password anyway.
@Fabian That would work, but many people wouldn’t think to do that.
@Bart Yes, I think it’s a common pattern to use account recovery as a de facto magic link, but it’s more cumbersome and sometimes forces the user to choose a new password each time, so then they have even more trouble remembering it.
At Margins we use text messages and magic links for phone/email logins respectively. I don't believe anyone has complained. Support is built into our backend (unlike Passkeys, whose rollout has been slow) so it took almost zero effort to implement, and for the median user it's probably beneficial because it doesn't tempt them into password reuse. You don't really log in and out of apps that frequently anyway, and you can store their last logins on keychain so users don't even have to remember that. Basically tons of upside and not much downside for both developer & user.
Magic Links and “confirm the code we sent in email” are the worst.
Use passkeys (preferable by a mile), or allow TOTP codes (if passwords aren’t enough), so I can have a smooth login experience instead of a high-friction multi-app dance.
@nick Please don’t. Magic links are so annoying when the e-mail takes a long time to arrive or doesn’t arrive or I’m on a slow connection and there are lots of e-mails to load.
Also, with no password that must be supplied in addition to the e-mail token, aren’t magic links a security risk because the e-mail may pass between some servers in cleartext and there’s no second factor that’s needed to log in?
I honestly don't understand the hate for magic links, or their slightly better-supported cousin, the one-time code by SMS or email. Slower than passwords, themselves worse than passkeys? Sure. End of the world when codes can be autofilled from any app and email arrives fast? I don't get why it's a problem, and it undoubtedly closes a loophole when the alternative is account creation or further remembered passwords, especially for a low-importance account. I think the only gripe is that you sometimes end up confirming the link from a different browser or IP from which the flow was started, but that's rare, and the security advantage of checking is probably worth it.
So what's the trouble, exactly?
"I don't believe anyone has complained."
Login links are so common that I doubt most people expect anything to change from a complaint. We just deal with them.
"you sometimes end up confirming the link from a different browser or IP from which the flow was started"
I particularly hate it when the login page asks for a PIN that was supposedly sent to my email, but the email only contains a login link. This is particularly fun if the login is started from something that isn't technically a browser.
I can see the upside of login links. It means services don't have to deal with passwords, which solves a huge problem. I can also see how it's a better option for what's probably still the majority of many popular services' users: people who have one password that they use on every site.
But for me, I'd prefer it if you would just let me use my password manager and 2FA app.
@Sebby It’s certainly worth it to me for the site to check the IP and browser, but it’s not clear to me how many sites actually do this. I have definitely seen some that don’t, in which case it’s much lower security than a plain password. I’m using multiple browsers and profiles and private sessions within them, and it can be a pain to get the link opened in the right one. But I guess the main issue is how often the e-mail just doesn’t arrive promptly.
I don't get the hate, I personally like magic links a lot. No need to fuss with password managers, just a quick switch to my mail and there I go. It's also faster than dealing with TOTP and the like, and don't get me started with passkeys and their troublesome ways of migrations. Give me magic links any day, never had an issue with them.
@Macchi I find magic links much slower than TOTP because the latter will auto-fill without having to leave the browser.
@Sebby, not everyone has push email, and so using these log-in links is way slower. They also open a new browser tab, leading to congestion of the tab bar.
In order, now I prefer passkeys, username/password on one screen (rather than two separate steps). Magic links should be backups. Though now I get why they’d use magic links and 2FA emails to prevent account sharing.
@Michael Yeah, with or without checking, the security relies fundamentally on the slim chances of email being intercepted. That can never be watertight, but there are cases where it's preferable to user-supplied passwords. But I agree that the session check is minimum competence, and passwords+TOTP/passkeys should always be an option (some minimum length and complexity should deter the worst reused passwords, so long as they're password-manager friendly).
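The flow the post describes (request a link by email, follow it before it expires) together with the session check the comments call "minimum competence" can be implemented as follows. This is an added example, not code from the post or from any site mentioned in it; the class and method names, the in-memory store, the 15-minute default TTL and the injectable clock are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class MagicLinkIssuer:
    """Issues single-use, expiring magic-link tokens bound to the browser that
    started the sign-in flow (hypothetical helper, not a real library API)."""

    def __init__(self, ttl_seconds=900, now=time.time):
        # token digest -> (email, session_id, expires_at); a real service would
        # keep this in a database, the dict is a constructed stand-in
        self._pending = {}
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be exercised in tests

    @staticmethod
    def _digest(token):
        # Store only a hash: a leaked table must not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, session_id):
        """Create a token for `email`. `session_id` is the random cookie the
        server set on the browser that submitted the email form. Only the raw
        token is put in the emailed URL; the server keeps its digest."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, session_id, self._now() + self._ttl)
        return token

    def redeem(self, token, session_id):
        """Return the signed-in email, or None if the token is unknown, already
        used, expired, or opened from a browser other than the one that asked
        for it. The token is consumed on any attempt, so it cannot be replayed
        after a failed check; the user simply requests a fresh link."""
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        email, bound_session, expires_at = record
        if self._now() > expires_at:
            return None
        if not hmac.compare_digest(bound_session, session_id):
            return None
        return email
```

Dropping the `session_id` check is exactly the weaker variant the comments complain about, where anyone who can read the email gets the session with no second signal at all.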
@Plume Yes indeed, I think magic links are irritating when you're signing in to an embedded webview or whatever, no doubt about that.
@Someone Else Agree, everyone should have push email. iOS will now, happily, autofill security codes from any notification, so you could bake your own with Pushover/Prowl if you wanted. But yes, Apple's unwillingness to make push email available to any mail server using Apple's Mail app on iOS is belligerent and stupid.
@Sebby, you’re placing the blame on the wrong party.
It’s Google that doesn’t follow push email standards (or, specifically, Google doesn’t license Exchange from Microsoft anymore, for free accounts anyway; they used to in the early iPhone days).
Maybe Apple shares the blame — don’t know really… but Google stopped Exchange push email for free Gmail accounts back in 2013. https://www.engadget.com/2013-03-26-gmail-push-notification-no-longer-works-with-mail-on-new-ios-dev.html
@Someone else My understanding is that iOS Mail doesn’t support IMAP IDLE. Some companies get privileged access to Apple’s private push-notification-based service, while others put user credentials in their cloud at the expense of privacy.