The term ‘passwordless’ is easy to wrap your head around (no passwords!) but is often used as an umbrella term that includes passkeys and magic links sent via email or text message.
That often leads to the question: “Are passkeys and magic links the same?”
The short answer is no. While they both serve as a replacement for passwords, the experience of using them, and how they work behind the scenes, is quite different.
Here, we’re going to explain what passkeys and magic links are, how they differ, and why more developers are working to include both options on their websites and apps.
What are passkeys?
Passkeys allow you to create online accounts and sign in to them without entering a password, copying a one-time code, or clicking on a special link sent to your inbox.
Instead, you just:
- Confirm your authenticator (in the context of passkeys, this could be your phone, tablet, or PC).
- Authenticate with biometrics or your device password when prompted.
Behind the scenes, passkeys use a pair of public and private keys, a technique known as public-key cryptography. The two keys act like interlocking puzzle pieces – they’re mathematically linked to one another, and you need both to successfully authenticate and sign in.
When you create an account using a passkey, the public key is stored by the website or app, while the private key is kept on your device, and never shared with anyone.
The next time you sign in, you’ll be asked to authenticate — prove you are you — with biometrics or your device password. In the background, your device will “sign” a “challenge” using your private key, which is then verified by the app or website using your public key. This all happens in an instant. From your perspective, you simply authenticate and immediately have access to your account.
If an attacker breached the website or app’s servers, the best they could hope to find is your public key, which is useless without your private key. An attacker would need to physically steal your device and unlock it to have any hope of accessing your passkeys.
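The challenge-response sign-in described above, as an added example that is not 1Password’s code or a WebAuthn implementation: the relying party stores only public keys and verifies an ECDSA P-256 signature over a fresh, single-use random challenge (account names, the P-256 curve and the in-memory store are assumptions).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type account struct { // everything the relying party (website or app) keeps per user
	pub       *ecdsa.PublicKey // the only key material this side ever holds
	challenge []byte           // outstanding sign-in challenge, nil when none
}
type RelyingParty map[string]*account

// Register is account creation: the device hands over only the public half of its key pair.
func (rp RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp[user] = &account{pub: pub} }

// Challenge mints a fresh random nonce for this sign-in, so a signature over an old one is useless.
func (rp RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	if acct := rp[user]; acct != nil { // unknown accounts get a nonce too, so nothing is revealed
		acct.challenge = c
	}
	return c, nil
}

// Verify consumes the outstanding challenge and checks the signature with the stored public key.
func (rp RelyingParty) Verify(user string, challenge, sig []byte) error {
	acct := rp[user]
	if acct == nil || acct.challenge == nil || string(acct.challenge) != string(challenge) {
		return errors.New("no matching challenge outstanding")
	}
	acct.challenge = nil // single use, whatever the outcome below
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(acct.pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// NewDeviceKey and DeviceSign run on the authenticator; the private key never leaves it (unlock prompt not modelled).
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func DeviceSign(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}
```

A server breach in this model yields only the `pub` fields, which cannot produce a valid signature for the next challenge.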
What are magic links?
Magic links work a little differently.
When you sign in this way, you’re not asked to authenticate with biometrics or your device password. Instead, you’re sent an email or text message that contains a unique, one-time link. Open the email or text message, click the link, and you’ll immediately be logged in – no further authentication required.
Here’s how magic links work under the hood. When you create a new account, the website or app will ask for an email address or phone number, which is then stored on its server.
The system doesn’t generate a public and private key pair – the mechanism that makes passkeys so secure and resistant to phishing attacks.
Magic links are also different from passwords because you don’t have to create or memorize anything.
The next time you want to sign in:
- You enter your email address or phone number.
- The app or website checks that your email address or phone number belongs to an existing user account.
- The app or website generates a unique, one-time token. You can think of this like a private theater ticket that’s yet to be hole-punched by the person on the door.
- The server sends a message containing a magic link to your email address or phone number.
- You find the email or text message and open the magic link.
- The app or website verifies that the token you’re using matches the one generated by its server.
- You’re allowed to sign in, and the token becomes invalid. (Your ticket has now been hole-punched, and can’t be used by someone else to enter the theater.)
Voila! You now have access to your account.
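The seven steps above as an added example, not the post’s or any particular provider’s code: it assumes a 15-minute link lifetime, an in-memory store and an example.test login URL, and it keeps only a hash of each token so that a leaked database does not hand out working links.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"time"
)

type pendingLink struct { // everything the server keeps for one outstanding link
	email   string
	expires time.Time
}
type MagicLinkService struct {
	Users map[string]bool           // registered accounts (email address or phone number)
	links map[[32]byte]pendingLink // keyed by SHA-256 of the token, never the token itself
	ttl   time.Duration
}
func NewMagicLinkService(ttl time.Duration) *MagicLinkService {
	return &MagicLinkService{Users: map[string]bool{}, links: map[[32]byte]pendingLink{}, ttl: ttl}
}

// Request is steps 1-4: confirm the account, mint a random one-time token, store its hash and expiry, return the link.
func (s *MagicLinkService) Request(email string, at time.Time) (string, error) {
	if !s.Users[email] {
		return "", errors.New("no such account")
	}
	raw := make([]byte, 32) // 256 bits from the OS CSPRNG: unguessable and unrelated to the user
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.links[sha256.Sum256([]byte(token))] = pendingLink{email: email, expires: at.Add(s.ttl)}
	return "https://example.test/login?token=" + token, nil
}

// Redeem is steps 5-7: find the token by its hash, delete it so the link never works twice, reject it if expired.
func (s *MagicLinkService) Redeem(token string, at time.Time) (string, error) {
	h := sha256.Sum256([]byte(token))
	link, ok := s.links[h]
	if !ok {
		return "", errors.New("unknown or already used token")
	}
	delete(s.links, h) // hole-punch the ticket before checking anything else
	if at.After(link.expires) {
		return "", errors.New("token expired")
	}
	return link.email, nil
}
```

Whoever can read the inbox the link is sent to can redeem it, which is exactly the weakness the comparison below turns on.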
Passkeys vs. magic links
Here are some of the key differences between passkeys and magic links:
You don’t need to open your email or SMS inbox to use a passkey. That’s because the private key is stored on your device. When you want to sign in, the service issues a “challenge” that your device signs with your private key. This exchange is handled in the background using a secure API called WebAuthn – it doesn’t rely on any emails or text messages.
By contrast, magic links require you to switch devices, apps, or browser tabs momentarily. Imagine you’re signing in to a new social network on your PC. The magic link will be sent via SMS or email, forcing you to grab your phone, or switch to the browser tab or app that contains your emails.
Passkeys are secure by design. There’s no such thing as a weak passkey. And an attacker can’t steal or exploit your passkeys unless they have physical access to your device – and a way to unlock it.
By contrast, magic links can be insecure.
First, let’s take magic links sent via email. A strong and unique password will protect your email account against dictionary attacks and credential stuffing. But if you choose a weak password, it’s possible for an attacker to figure it out and sign in to your email account. That would then give them access to magic links sent to that email address.
Magic links sent via SMS, meanwhile, are vulnerable to SIM swap attacks. Hackers will call their target’s mobile service provider and recount a fake but believable story like: “I lost my phone and need help transferring my number to a new SIM card.” The hacker then has access to the target’s number and, by extension, any text messages that come through.
Passkeys aren’t susceptible to this technique because the private key is tied to the device itself, and not your SIM card or phone number.
Passkeys don’t expire. Each account-specific passkey doesn’t change unless you decide to generate a new one. That means your device will use the same private key for verification every time you sign in to that particular site or app.
By contrast, magic links are temporary, and can’t be used more than once. If you’ve signed in with a magic link, you can’t use the same email or text message to sign in again. The token tied to each magic link also has a predefined expiration period. If you wait too long, the link won’t work anymore, and you’ll need to request a new one.
Passkeys do mean the app or website’s server stores something indefinitely. However, what it stores is only the public key – which is useless without the private key, kept securely on your device.
By contrast, magic links aren’t stored on a server for a long period of time. A new token is generated for every new login attempt, and then discarded once you’ve signed in, or after a predetermined expiration period.
Passkeys and magic links in tandem
It might sound counterintuitive, but passkeys and magic links can be offered in parallel to ensure you always have access to your favorite online accounts.
For example, imagine you create an account by generating a passkey on your phone. In this scenario, you don’t have a traditional username and password for this account.
What happens if you need to sign in to your account on your PC, but don’t have access to your phone, and aren’t using a solution that lets you sync your passkeys?
It’s an edge case, but one that website and app developers need to be ready for. If you find yourself in this situation, you’ll likely have the option to use a magic link instead. That way, you can continue to log in to your account until you have access to your passkeys again.
The future is passkeys
Passkeys and magic links both have their uses. But here at 1Password, we’re most excited about passkeys and their ability to be a modern alternative to passwords.
Passkeys offer a better balance of security and convenience than magic links. Passkeys are also easier to use than passwords, harder to steal or crack, and built on WebAuthn, a standard designed to make logging in faster and more secure.
We think passkeys are the future of authentication.
If you want to learn more about passkeys and how they’ll be supported in 1Password, check out our passkeys microsite, listen to our passwordless special on the Random but Memorable podcast, and subscribe to our new passwordless newsletter.