Magic Links
Long, strong passwords can be clumsy to enter, especially on mobile devices (which may be powered by the same API as the web app!). Slack popularized an alternative: send the user a "magic link" containing a long, unique identifier that functions as a one-time password to log the user in. That's no less secure than having a password reset link or form that sends a message the same way, and considerably more convenient. The server just needs to generate one-time passwords, save them, and expose an API endpoint for users to make requests to. When a request arrives with a one-time password that hasn't been used, the server authorizes the user (possibly setting a cookie or sending a session token) and redirects them to the appropriate page.

https://www.waveguide.io/examples/entry/passwordless-login/
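The server side described above, as an added example (not code from Slack or the linked page): issue a one-time password, save it, and authorize exactly one request that presents it. The class name, the example URL, the 15-minute lifetime and the choice to save only a SHA-256 digest of each token are assumptions that go beyond what the text specifies.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: the text does not give a lifetime


class MagicLinkStore:
    """In-memory stand-in for the server's table of one-time passwords."""

    def __init__(self, base_url, clock=time.time):
        self.base_url = base_url  # endpoint the e-mailed link points at
        self.clock = clock        # injectable so expiry can be tested
        self._pending = {}        # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the digest is saved, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create a one-time token for user_id and return the link to send."""
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        expires_at = self.clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return f"{self.base_url}?token={token}"

    def redeem(self, token):
        """Return (user_id, session_token) the first time a valid token is seen, else None."""
        # pop() deletes the record before any other check, so a replayed or
        # expired token can never be presented a second time.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None  # unknown or already used
        user_id, expires_at = record
        if self.clock() > expires_at:
            return None  # expired
        return user_id, secrets.token_urlsafe(32)  # fresh session token


if __name__ == "__main__":
    store = MagicLinkStore("https://app.example.test/login/magic")  # constructed URL
    link = store.issue("user-42")                                   # constructed user id
    token = link.split("token=", 1)[1]
    print(store.redeem(token) is not None, store.redeem(token))
```

In a real deployment the pending table would live in the database and the delete-and-return in `redeem` would be a single atomic statement, so that two concurrent requests cannot both redeem the same link.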