While both magic links and passkeys are methods of passwordless authentication, they’re not exactly the same. Some of the key differences between magic links and passkeys are how they work, their security, where a website server stores them and whether or not they expire after being used to log in to an account.
Continue reading to learn more about what makes magic links and passkeys different and similar to one another.
What Are Magic Links?
Magic links are a type of passwordless login where the user is sent a link through email or text message after entering their username or email address into a login portal. The link that’s sent to the user is known as a magic link. When the user clicks on this magic link, they’re automatically signed in to their account without entering a password. Magic links are also commonly used as a Multi-Factor Authentication (MFA) method.
For an individual to be able to log in to an account using a magic link, the website or application has to support their use.
What Are Passkeys?
Passkeys are a newer type of passwordless login that enables users to authenticate their identity the same way they unlock their devices, such as with a fingerprint, face recognition or a PIN. Passkeys are made up of a public key and a private key, both of which are needed to authenticate a user’s identity before they can access their account. The public key is stored on the company’s servers while the private key is stored locally on the user’s device. When a user logs in to their account using a passkey, they’ll be prompted to use their biometrics or enter their device’s PIN without ever having to manually type in a password.
To start using passkeys, the website or app you want to use them for has to support them.
Key Differences Between Magic Links and Passkeys
Here are some of the key differences between magic links and passkeys.
How they work
Magic links and passkeys work very differently. When using a magic link to sign in to an account, the user is sent a link through email or text. Once the user has clicked this link, they’ll be signed in to their account. Signing in with a magic link often requires the user to switch tabs, apps or devices momentarily. With passkeys, users aren’t sent anything through email or text message. Instead, they use biometrics or their device’s PIN to sign in to their account immediately.
Security
In terms of security, passkeys are strong by default. Passkeys cannot be compromised as easily as magic links because they’re built on the WebAuthn standard, which uses public key cryptography to authenticate a user’s identity. To access an account that has passkeys enabled, the user will always need to have the “authenticator” with them to sign in. The authenticator is what the individual uses to create their passkey; it can be a phone, tablet, computer or password manager.
Magic links, on the other hand, can be insecure. If an individual’s email account is not secured with a strong password and MFA, a cybercriminal would be able to easily compromise the account and access a magic link to sign in to the user’s other account. Magic links that are sent through text message are also vulnerable to being compromised through SIM swapping attacks. SIM swapping happens when a cybercriminal convinces your mobile carrier to activate a new SIM card. If they succeed, they will be able to receive all of your incoming text messages and phone calls, which means they’ll be able to log in to your accounts using magic links and password resets that are sent to your phone number.
Storage
When a passkey is created for a website or app, the public key part of the passkey is always stored on the company’s server. It’s important to understand that even though the server stores the public key, that part is useless without the accompanying private key, which is stored locally on the user’s device. When it comes to magic links, the magic link’s token only lives on the company’s servers for a short amount of time. Once that time is up, a new token will need to be generated for a new login attempt.
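The storage split described above can be seen in a small challenge-and-signature exchange. This is an added example, not Keeper's code and not the real WebAuthn message format: it is a simplified model using Node's built-in crypto module, and every function and variable name in it is hypothetical.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Device side (the authenticator). The private key stays inside this closure;
// a real authenticator asks for a fingerprint, face or PIN before it signs.
function createPasskey() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    signChallenge: (challenge) => sign('sha256', challenge, privateKey),
  };
}

// Server side: holds only public keys and the challenge it is waiting on.
const registeredKeys = new Map(); // username -> public key (PEM)
const openChallenges = new Map(); // username -> random challenge (Buffer)

function register(username, publicKeyPem) {
  registeredKeys.set(username, publicKeyPem);
}

function beginLogin(username) {
  const challenge = randomBytes(32); // fresh for every login attempt
  openChallenges.set(username, challenge);
  return challenge;
}

function finishLogin(username, signature) {
  const challenge = openChallenges.get(username);
  const publicKeyPem = registeredKeys.get(username);
  openChallenges.delete(username); // each challenge can be answered once
  if (!challenge || !publicKeyPem) return false;
  // The public key can only check a signature; it cannot produce one.
  return verify('sha256', challenge, publicKeyPem, signature);
}
```

A signature captured from one login fails against the next challenge, and a signature made with any other private key fails against the stored public key.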
Expiration
When a passkey is created for an account, that passkey does not expire; it stays valid until you decide to delete it yourself. The same private and public keys will always be used to sign in to your account. This differs from magic links, which are only temporary. When a user is sent a magic link, that magic link expires once the user opens it. Some magic links will even expire after a set amount of time if you wait too long to open them, meaning you’ll have to request a new one.
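The short-lived, single-use behaviour of a magic link token described in the Storage and Expiration sections can be sketched as follows. This is an added example, not Keeper's code or any particular site's implementation; the 15-minute lifetime, the `app.example` host and all function names are assumptions made for illustration.

```javascript
const { randomBytes, createHash } = require('node:crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed lifetime: 15 minutes
const pending = new Map();           // sha256(token) -> { email, expiresAt }

const digest = (token) => createHash('sha256').update(token).digest('hex');

// Issue a link for one login attempt. Only the token's hash is kept on the
// server, so a copy of the pending table does not contain working links.
function issueMagicLink(email, now = Date.now()) {
  const token = randomBytes(32).toString('hex'); // 256 bits of randomness
  pending.set(digest(token), { email, expiresAt: now + TOKEN_TTL_MS });
  return `https://app.example/login?token=${token}`; // placeholder host
}

// Redeem a clicked link. Returns the e-mail address to sign in, or null when
// the token is unknown, already used or past its lifetime.
function redeemMagicLink(url, now = Date.now()) {
  const token = new URL(url).searchParams.get('token') || '';
  const key = digest(token);
  const entry = pending.get(key);
  if (!entry) return null;
  pending.delete(key); // single use: removed on the first open, valid or not
  return now <= entry.expiresAt ? entry.email : null;
}

// Housekeeping for links that were never opened. Returns how many remain.
function purgeExpired(now = Date.now()) {
  for (const [key, entry] of pending) {
    if (now > entry.expiresAt) pending.delete(key);
  }
  return pending.size;
}
```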
Magic Link and Passkey Similarities
While magic links and passkeys have differences, they are also similar in a few ways.
Both are types of passwordless authentication
Passwordless authentication is a method of verifying someone’s identity without the use of a password in order to sign in to an account. Both magic links and passkeys are types of passwordless authentication that enable users to sign in to their online accounts and applications without ever having to type in a password manually.
Both can be used as MFA methods
While both magic links and passkeys can be used as sign-in methods, they can also be used as methods of multi-factor authentication. However, this heavily depends on whether the website or app supports the use of magic links and passkeys. For example, some websites may only support the use of passkeys as an MFA method, whereas other websites may support the use of passkeys as both a sign-in and MFA method.
Both enhance a user’s login experience
Because both magic links and passkeys remove the need for individuals to create and remember passwords, they make the user’s login experience a whole lot easier. They also remove the need for users to reset passwords they’ve forgotten, and they remove the risk of users creating weak passwords simply because those are easier to remember.
Passwordless Authentication With Magic Links and Passkeys
Magic links and passkeys can both be used as ways to sign in to your accounts without having to enter a password. However, it’s important to understand that magic links can be insecure at times, so if you have the option to enable passkeys as a sign-in method, it’ll not only make your login experience seamless, but also make your account a lot more secure. To see which websites and applications currently support the use of passkeys as a sign-in method, check out our Passkeys Directory.
Not all websites and apps support the use of passkeys just yet, so you’ll still need to create strong passwords for some of your online accounts. A password manager like Keeper® can help you create strong passwords and aid you in managing both your passwords and passkeys.