Comment by johnmaguire
1 year ago
Thanks - but this sounds like an email 2FA flow, not a magic link.
A magic link is a link a user clicks in their browser that lands them on the appropriate service, where the one-time code is part of the URL. The service consumes the token and provides the user with a (first factor) authentication token.
In other words, the email doesn't display a code which they could go paste into the attacker's page. Though they may still need to perform a 2FA flow following the magic link flow (and this portion is still phishable!).
Your critique is definitely valid for most forms of 2FA (email, SMS, and TOTP).
You are correct that this mitigates the security problems.
However, the method you're describing has fallen out of favor, in large part because mobile email apps often use a built-in browser that doesn't share cookies with the system browser. This creates several confusing UX problems. You also can't use a logged-in device to log in a new device, unless you implement something like QR login, which is also phishable.
Slack, for example, used to work the way you describe but now uses emailed codes for 1FA login.
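The magic-link flow described in the comment above (one-time token in the URL, consumed once by the service, exchanged for a first-factor session), as an added illustration that is not part of johnmaguire's comment or any real service's code. The service name, URL and the decision to bind each link to a cookie set on the browser that requested it are assumptions made for the example; that binding is exactly what breaks when an email app's built-in browser does not share cookies with the system browser, which is the UX problem the comment raises.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # link validity window (constructed value)


@dataclass
class PendingLink:
    email: str
    browser_nonce_hash: str  # hash of the cookie set on the browser that asked for the link
    expires_at: float
    used: bool = False


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class MagicLinkService:
    """Issues single-use login links and exchanges them for a first-factor session (hypothetical service)."""

    def __init__(self, consume_url="https://login.example.invalid/magic", now=time.time):
        self.consume_url = consume_url
        self._now = now        # injectable clock so expiry can be exercised deterministically
        self._pending = {}     # sha256(token) -> PendingLink; raw tokens are never stored server-side
        self._sessions = {}    # session id -> email

    def request_link(self, email):
        """Create the link that goes in the email and the nonce that goes in a cookie on the requesting browser."""
        token = secrets.token_urlsafe(32)   # the one-time code carried in the URL
        nonce = secrets.token_urlsafe(16)   # assumption: links are bound to the requesting browser
        self._pending[_digest(token)] = PendingLink(
            email=email,
            browser_nonce_hash=_digest(nonce),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        link = f"{self.consume_url}?{urlencode({'token': token})}"
        return link, nonce

    def consume(self, token, browser_nonce):
        """Consume the token from the clicked link; returns (session_id, status)."""
        record = self._pending.get(_digest(token))
        if record is None:
            return None, "unknown token"
        if record.used:
            return None, "already used"
        if self._now() > record.expires_at:
            return None, "expired"
        # A link opened in a browser without the cookie (e.g. an email app's built-in
        # browser) fails here; the token stays unused so the user can retry from the right browser.
        if not hmac.compare_digest(record.browser_nonce_hash, _digest(browser_nonce or "")):
            return None, "different browser"
        record.used = True
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = record.email
        return session_id, "ok"

    def whoami(self, session_id):
        return self._sessions.get(session_id)


def token_from_link(link):
    """Extract the one-time token from a magic link URL (what the consume endpoint sees)."""
    return parse_qs(urlparse(link).query)["token"][0]
```

Because the code never leaves the URL and is consumed server-side on the first click, there is nothing for a user to copy into an attacker's page; the remaining phishable step, if any, is whatever second factor follows. Dropping the browser-nonce check removes the cross-browser failure mode at the cost of letting any browser that obtains the link complete the login.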