Recently I was surprised to discover that there are several bad ways to do magic links.
The basic idea is: a user hits “login”, enters their email address, and receives an email that allows them to login without a password. What could possibly go wrong?
I work in security, so I already knew a few best practices I would need to implement:
- The link should have a short expiration.
- The link should only work once.
- The link should include a secret code with a sufficient amount of entropy (I went with 64 bits; your paranoia may vary).
- The database should store a hash of the secret code, not the code itself.

Here are two more that were not immediately obvious to me.
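The four practices above, put together as an added example (this is not code from the post): a 64-bit random token is issued, only its SHA-256 hash is stored, and redemption checks expiry and burns the token so it works once. The 15-minute lifetime, the in-memory dict standing in for the database, and the function names are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_BYTES = 8              # 64 bits of entropy, the amount chosen in the post
LINK_TTL_SECONDS = 15 * 60   # short expiration; 15 minutes is an assumed value

# Constructed in-memory store standing in for the database: token hash -> record
_store: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    # Only the hash is persisted, so a leaked table does not yield usable links
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use token for `email`; store its hash, return the raw token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)  # 8 random bytes, URL-safe encoded
    _store[_hash_token(token)] = {
        "email": email,
        "expires_at": now + LINK_TTL_SECONDS,
        "used": False,
    }
    return token  # the raw token goes into the emailed link, never into the DB


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email if the token is known, unexpired and unused; else None."""
    now = time.time() if now is None else now
    record = _store.get(_hash_token(token))
    if record is None:
        return None
    if record["used"] or now > record["expires_at"]:
        return None
    record["used"] = True  # burn the token so the same link cannot log in twice
    return record["email"]
```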