Enchanted Link

If you don't need cross-device login capabilities, but would like the one-click login experience this authentication method provides, check out Magic Link instead.

Enchanted Link is a cross-device authentication method allowing users to log in on one device (e.g., a desktop app) by verifying a unique link sent to their email and matching a number displayed during the login process. These links are exclusively sent via email.

Enchanted Links enable users to initiate login on one device (the originating device) and complete it by clicking a link on another device. The login is validated only when the correct number from the email is matched with the number displayed during the request. The session starts exclusively on the originating device.

Limitations and Security Considerations

Phishing Risks

Since the session does not follow the link, an attacker with access to the user’s email could potentially log in by selecting the correct number. This makes Enchanted Links more susceptible to phishing than traditional magic links.

Purpose of Numbers

The number-matching process is not designed to counter email compromise but to prompt users to pause and critically evaluate unexpected login requests, reducing susceptibility to phishing.

Enchanted Links remain valid even if an incorrect number is selected, minimizing user frustration. This does not introduce additional risk, as the method assumes that email compromise cannot be entirely mitigated by link expiration alone.

  • Enchanted Link:

    • Use Case: Optimized for cross-device logins.
    • Security: More vulnerable to phishing since the session stays on the originating device.
    • User Experience: Promotes awareness through number-matching, reducing accidental misuse.
  • Magic Link:

    • Use Case: Ideal for single-device logins.
    • Security: Less prone to phishing since the session starts on the device where the link is clicked.
    • User Experience: Simpler but less suited for cross-device scenarios.

Enchanted Links strike a balance between user convenience and security, especially in scenarios requiring cross-device authentication, while integrating mechanisms to reduce phishing risks.
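The behaviour described above (number matching, a request that survives a wrong selection, and a session that starts only on the originating device) can be modelled in a few lines. This is an added example, not Descope's code or API: the class and method names are hypothetical, and the three numbered links per email, the 5-minute lifetime and the in-memory store are assumptions.

```python
import secrets
import time

LINK_TTL_SECONDS = 300  # assumed lifetime; the page states no value


class EnchantedLinkModel:
    """Toy in-memory model of the flow (hypothetical, not Descope's implementation)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # pending_ref -> state of one login request
        self._tokens = {}   # emailed link token -> (pending_ref, number on that link)

    def start(self, email, choices=3):
        """Originating device starts a login and keeps pending_ref for polling."""
        pending_ref = secrets.token_urlsafe(16)
        numbers = sorted(secrets.SystemRandom().sample(range(10, 100), choices))
        shown = secrets.choice(numbers)  # displayed on the originating device only
        self._pending[pending_ref] = {
            "email": email, "number": shown, "verified": False,
            "expires": self._now() + LINK_TTL_SECONDS}
        links = {}
        for n in numbers:
            token = secrets.token_urlsafe(16)
            self._tokens[token] = (pending_ref, n)
            links[n] = token
        # The email carries the numbered links but not which number is correct.
        return pending_ref, shown, links

    def click(self, token):
        """Any device opens an emailed link; it gets a status, never a session."""
        pending_ref, n = self._tokens.get(token, (None, None))
        req = self._pending.get(pending_ref)
        if req is None or self._now() > req["expires"]:
            return "invalid-or-expired"
        if n != req["number"]:
            return "wrong-number"  # request stays valid, as the page describes
        req["verified"] = True
        return "verified"

    def poll(self, pending_ref):
        """Originating device polls; only this call can return the session."""
        req = self._pending.get(pending_ref)
        if req is None or self._now() > req["expires"] or not req["verified"]:
            return None
        del self._pending[pending_ref]  # a verified request is single-use
        return {"session_for": req["email"], "token": secrets.token_urlsafe(32)}
```

`click` returns only a status, so the session reaches whichever device holds the pending reference, which is the property the comparison with Magic Link turns on.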

This guide will walk you through integrating Enchanted Link based authentication into your Descope Flows.

Flow Actions

When using Enchanted Link, you have the standard actions for most authentication methods available.

  • Sign Up / Enchanted Link - Signs the user up, but will not work if the user already exists.
  • Sign Up or In / Enchanted Link - Signs the user in, and if the user doesn't exist, automatically signs them up.
  • Sign In / Enchanted Link - Signs the user in, but fails if the user doesn't exist.
  • Update User / Enchanted Link - Merges the OAuth identity into an existing user.

To learn more about Actions in general, you can refer to our guide on them.

Most of these actions are pretty simple, and you can drop them in your application like any other Action.

This is an example of using the Sign Up or In action in a flow:

[Image: sign-up-or-in-flow-action]

Flow Screens

When implementing Enchanted Link authentication, a polling screen with a horizontal scrolling sidebar will be displayed to the user. To enable Enchanted Link functionality, simply connect the authentication actions to a screen containing an email input field.

[Image: enchanted-link-polling]

You can determine where the user started the flow using the context key userAgent, which can be utilized in other conditions or screens.

Error Handling

Errors are handled the same way as for any other action. You can refer to our Flow Error Handling guide for more details.
