In Depth: Magic Emails

[InDepth#10] One time codes, magic links, and more...

There are two main types of magic emails we’re going to cover today: one-time passcodes (OTP) and magic links. Both are designed to verify current access to a specific email address, and as such they are in many cases interchangeable. Although magic links have much higher entropy than OTPs (I’ll explain this below), there are many use cases where an OTP makes more sense, and there are protections you can put in place to defend your OTPs against attack.

One-Time Passcode (OTP)

I’m sure you’ve experienced OTPs before - they are a common method used in the Multi-Factor Authentication (MFA / 2FA) systems we use daily for our various online accounts.

You’ll be familiar with SMS-based OTPs and App-based OTPs (Time-based One-Time Passcodes), both of which typically produce a 6-8 digit number you need to enter into a box. Email-based OTPs are functionally the same as SMS-based ones, just with a different delivery method. They also share the same risks and fear mongering - we’ll cover this a bit later.

The way an email-based OTP works is relatively simple (on the surface):