Magic links are similar to a one-time password (OTP) for authentication, and they go through the same flow as a “Forgot Password” workflow. At a high level: A user provides 10KC with an email address and then clicks the "Send Link" button. This sends an email to their inbox with a unique link. The user clicks on the link — and, voilà, they’re logged in.

Q: Can users forward their email invitations containing the magic link to another user?

A: Yes. If a user forwards the email containing a magic link, the user who receives the forwarded email can click the Magic Link and login as the user. The Magic Link expires quickly after being created to prevent situations where an email is accidentally forwards and a user is incorrectly logged in.

Q: Can a user click the Magic Link multiple times and login successfully?

A: No. The Magic Link is "One Time Use" and cannot login a user multiple times.

Q: Can a tenant admin disable Magic Links as an authentication methods completely?

A: Yes. A tenant admin can disable users from authenticating via Magic Links.

Toggle in the Admin Panel > Security & Login > Enable email login (via magic link) > OffToggle in the Admin Panel > Security & Login > Enable email login (via magic link) > Off

Q: Does the Magic Link ever expire?

A: Yes. The Magic Link expires within 1Hr after it is generated. After the Magic Link expires, it will no longer allow a user to login by clicking it.

Q: Is a Magic Link secure?

A: Yes. Often the most sensitive piece of data stored in a system is the password the user chooses. Users consistently reuse passwords for sensitive systems like banks accounts. 10KC does not store any password and therefore has no risk related to password breaches. For more information on how Magic Links work, take a look here.