Enchanted Link
You can customize your Enchanted Link authentication flow in the Descope console (Settings > Authentication Methods > Enchanted Link).
If you don't need cross-device login capabilities, but would like the one-click login experience this authentication method provides, check out Magic Link instead.
Enchanted Link is a cross-device authentication method allowing users to log in on one device (e.g., a desktop app) by verifying a unique link sent to their email and matching a number displayed during the login process. These links are exclusively sent via email.
How Enchanted Links Work
Enchanted Links enable users to initiate login on one device (the originating device) and complete it by clicking a link on another device. The login is validated only when the correct number from the email is matched with the number displayed during the request. The session starts exclusively on the originating device.
Limitations and Security Considerations
Phishing Risks
Since the session does not follow the link, an attacker with access to the user’s email could potentially log in by selecting the correct number. This makes Enchanted Links more susceptible to phishing than traditional magic links.
Purpose of Numbers
The number-matching process is not designed to counter email compromise but to prompt users to pause and critically evaluate unexpected login requests, reducing susceptibility to phishing.
Persistent Link Validity
Enchanted Links remain valid even if an incorrect number is selected, which minimizes user frustration. This does not introduce additional risk, since the method already assumes that link expiration alone cannot fully mitigate email compromise.
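The flow described under "How Enchanted Links Work" and the wrong-number and expiration behaviour from this section, as an added in-memory model. This is illustration code written for this page, not the Descope SDK or Descope's server; the class and method names (EnchantedLinkServer, start, verify_link, poll_session), the three-number choice and the field names are assumptions.

```python
import secrets
import time


class EnchantedLinkServer:
    """Assumed model: originating device starts and shows a number; the emailed
    link carries several numbers; the session is issued only to the originator."""

    def __init__(self, expiration_seconds=300, choices=3):
        self.expiration = expiration_seconds
        self.choices = choices
        self.by_ref = {}    # pending_ref -> request (originating device side)
        self.by_link = {}   # link_token  -> pending_ref (email link side)

    def start(self, email, now=None):
        now = time.time() if now is None else now
        numbers = secrets.SystemRandom().sample(range(10, 100), self.choices)
        correct = secrets.choice(numbers)
        pending_ref, link_token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.by_ref[pending_ref] = {"email": email, "correct": correct,
                                    "created": now, "session": None}
        self.by_link[link_token] = pending_ref
        # What the originating device displays, and what the email would carry.
        return {"pending_ref": pending_ref, "display_number": correct,
                "email": {"link_token": link_token, "numbers": numbers}}

    def verify_link(self, link_token, selected_number, now=None):
        """Called from the device that opened the link; a wrong pick keeps the link valid."""
        now = time.time() if now is None else now
        pending_ref = self.by_link.get(link_token)
        req = self.by_ref.get(pending_ref)
        if req is None:
            return False
        if now - req["created"] > self.expiration:
            del self.by_link[link_token]      # expired: discard the request
            del self.by_ref[pending_ref]
            return False
        if selected_number != req["correct"]:
            return False                      # no session; link stays usable
        req["session"] = secrets.token_urlsafe(16)
        return True

    def poll_session(self, pending_ref):
        """Polled by the originating device; returns the session only after a match."""
        req = self.by_ref.get(pending_ref)
        if req is None or req["session"] is None:
            return None
        del self.by_ref[pending_ref]
        return req["session"]
```

The session token never reaches the device that clicked the link; it is only handed out through poll_session to the holder of the pending reference.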
Comparing Enchanted Link to Magic Link
- Enchanted Link:
  - Use Case: Optimized for cross-device logins.
  - Security: More vulnerable to phishing since the session stays on the originating device.
  - User Experience: Promotes awareness through number-matching, reducing accidental misuse.
- Magic Link:
  - Use Case: Ideal for single-device logins.
  - Security: Less prone to phishing since the session starts on the device where the link is clicked.
  - User Experience: Simpler but less suited for cross-device scenarios.
Enchanted Links strike a balance between user convenience and security, especially in scenarios requiring cross-device authentication, while integrating mechanisms to reduce phishing risks.
Settings Summary
All Settings
Variables are displayed below and in the console as {{variable_name}}.
Setting | Variable | Details |
---|---|---|
Redirect URL | {{redirectUrl}} | Default URL for the route you implement to verify enchanted link tokens |
Expiration time | {{expirationTime}} | Length of time after which the link or code expires |
Number of retries and Attempts timeframe (seconds) | | Limit the number of communication attempts (email, text, or voice) a recipient can receive within the defined timeframe. If the limit is exceeded, no further messages will be sent until the timeframe resets. |
Connector | | Who will be listed as the sender of the enchanted link. The default is Descope. |
Template | | If you are using a customized connector, you can change the template of the email which your user will receive. The default is System. |
Enable method in API and SDK | | This toggle switch makes the authentication method available, or unavailable, for use within the API and SDK |
Additional Details
This section describes additional details about the configuration options available.
Redirect URL
The redirect URL is the location to send the user upon successful authentication. The redirect URL will be overridden when specified in the SDK or API call.
Expiration Time
For increased security, we recommend an expiration time of 3-5 minutes. A shorter expiration time limits how long a malicious actor has to attempt an attack (such as a dictionary or brute force attack) on the code or link.
Connectors
Email Connector
Descope supports sending email OTP messages using your email messaging provider, such as AWS SES, SendGrid, or a generic SMTP service. You can configure an email messaging connector by going to the connectors page within the Descope console and searching for the supported email messaging connectors. Then, on the OTP authentication method page, you can select the configured connector and customize the template if you would like.