Today we’re announcing the release of Passlinks as a new feature of our Authentication API.
Passlinks are an increasingly popular method for user authentication that does not require a password. A Passlink is a login link, sometimes also called a “magic link”, that authenticates a user: the user receives the link, and following it creates a session. In other words, with a Passlink, the typical “forgot password” flow that sends you an email to restore access to your account is used for regular logins.
The immediate benefit of using Passlinks instead of passwords is the ability to free users from the password hassle. You don’t have to come up with a new password when registering at a service. Just type in your email address, click on a Passlink, and you’re in. Every time you have to log in, it’s exactly the same: Enter your email address, click on the login Passlink, and you’re in.
The typical use cases for Passlinks are login, verification, and invitation. But Passlinks are also a very powerful marketing tool. When used in email campaigns, customers can access and buy special offers directly from the email, without having to log in first. This can improve conversion rates drastically.
As Passlink security is directly dependent on the security of one’s email account, it may be desirable to add another independent authentication factor. This can either be just an option for the user, or it may be required by the website, for example in a regulated scenario where two-factor authentication (2FA) needs to be set up for all users.
For both scenarios, we suggest combining Passlinks with FIDO2® WebAuthn. This results in strongly protected accounts with the option to leverage Security Keys and biometric authentication on supported devices. After the user has clicked on a Passlink, the site or app could request a Security Key and, ideally, offer to enroll biometric WebAuthn to speed up subsequent logins.
Of course it is also possible to combine other 2FA methods like TOTP with Passlinks (we have something for that in the pipeline as well).
Adding Passlink functionality to our Authentication API allows an even broader application of passwordless authentication across our customers’ websites and apps. So far, we have focused on creating the world’s most developer-friendly WebAuthn API that enables next-level, crypto-backed biometric authentication. WebAuthn adoption has accelerated tremendously, with sites like Google, Microsoft, Twitter, GitHub, and Coinbase leading the way, and many others are beginning to follow.
But passwordless authentication with WebAuthn is just starting to become mainstream. Not all devices support WebAuthn yet (though most do), and we often meet users and (somewhat surprisingly) developers who have never heard of it. Passlink authentication, on the other hand, was popularized by apps like Slack, and the concept of receiving an email to access one’s account is easy for everyone to understand and doesn’t require any special end user device capabilities.
Following the same “initialize/finalize” pattern as our WebAuthn API, Hanko’s new Passlink API takes care of generating and sending out the Passlinks, authenticating the user, and redirecting back to the website or app, while giving the website or app full control over all relevant steps in the process.
As always: Made in Germany, hosted in the EU (if you want it to be), and fully GDPR-compliant.
For now, email is the primary transport for the Passlinks, but we plan to add support for SMS and other messengers soon. The Passlink email template engine supports multiple languages and the templates can be customized in the Hanko Console. Embeddable Passlinks that you can use in your own communication channels can be requested directly from our API as well. More advanced features for improved bounce processing, fraud detection, rate limiting, and IP reputation management are already in development and will ship soon.
We created a quick start implementation guide for passwordless authentication with Passlinks and invite you to test our API today. We offer a free tier through the Hanko Console where you can get your API keys without a credit card.