It is 8:40 on a Tuesday. You are the one person at Northwind Logistics who keeps the lights on for 40 other people, and you need to check a request you filed with us last week. You open the portal, and the sign-in page asks how you want to get in. Your work email lives on a provider we do not federate with, so the Google and Microsoft buttons are not going to recognize you. A year ago this is the moment you would have gone hunting for a password in a sticky note, a password manager, or the back of your memory. Today there is a third option: ask us to email you a link, click it, and you are in.
No password to remember. No reset loop at the worst possible time. Just a one-time link sent to the inbox you already trust. It feels almost too easy, which is exactly the reaction that makes a careful person pause. If there is no password, what is protecting the door? That pause is worth sitting with, because the answer says a lot about how we think security should work.
What a magic link is
A magic link is a single-use sign-in link we email to a specific address. You ask for it on the sign-in page by choosing "Email me a sign-in link" and typing the email you want signed in. We send a one-time link to that address, you open the email, you click "Sign in to Cloud Sentry", and you land back in the portal already authenticated. There is no password to set, store, or rotate.
The mechanism is not new or exotic. The same pattern shows up every time a service emails you a "reset your password" link or a "confirm your email" link. According to the National Institute of Standards and Technology digital identity guidelines (NIST SP 800-63B), a secret sent to an email address counts as an out-of-band authentication factor, which is the same family of mechanism behind a one-time code. A magic link simply promotes that mechanism from the emergency exit to the front door.
Why we offer it at all
Most people who use the portal sign in with Google or Microsoft, because most of our customers run on Google Workspace or Microsoft 365 and we federate with both. The magic link is for the cases where that does not fit:
- Your work email is on a provider we do not federate with.
- Your IT policy blocks third-party app consent for new applications.
- You are on an address that your provider does not recognize as a corporate identity.
We could have told those users to go set up a password. We did not, and the reason ladders straight into how we run everything: a password is a thing you now have to manage, and management is where security quietly breaks. Passwords get reused across sites, written down, phished, and forgotten right when you need them. A single-use link that expires has none of those failure modes, because there is nothing sitting around to steal or to leak.
The trade-offs, said plainly
Passwordless is not magic, despite the name. There are honest trade-offs, and we would rather name them than let you discover them later.
- Your email is now the key. The link signs in whoever clicks it, so the security of your sign-in rests on the security of your inbox. If your mailbox is compromised, so is your portal access. This is true of password reset emails too; the magic link just makes it the everyday path.
- It depends on email delivery. If your mail server quarantines the message, the link does not arrive, and you wait. Sign-in is now coupled to something you do not fully control.
- There is a short wait. Open your inbox, find the message, click. That is a few seconds longer than a button you are already logged into.
Set against those: nothing to remember, nothing to rotate, nothing to phish out of you on a fake login page, and one less credential for a small team to manage. For an overloaded IT lead, fewer moving parts is the whole point.
The rules that keep it safe
We treat a magic-link sign-in as a verified identity once the link is clicked from the inbox we sent it to, which is why a few rules of the road matter. Treat the email the way you would treat a password reset link:
- Click it from your own inbox, not a shared mailbox someone else can read.
- Do not forward it. If a colleague needs in, they request their own link.
- Let stale links die on their own; an unused link expires without any action from you.
Two guardrails do the heavy lifting. The link is good for a single use, and it expires after 15 minutes. A short window keeps us honest; it shrinks the time any intercepted link could be useful to almost nothing. If a link expires or has already been used, you request a fresh one from the sign-in page. The full walkthrough lives in the portal help center under signing in with a magic link.
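The two guardrails above, single use and a 15-minute expiry, shown as an added Python example; it is not Cloud Sentry's own code. The `MagicLinkStore` class, its in-memory table, the injected clock and the sample address are assumptions made for illustration.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # the 15-minute window stated on this page


class MagicLinkStore:
    """Hypothetical in-memory stand-in for a server-side table of pending links."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._pending = {}    # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table yields no usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create a one-time token bound to one address and return it."""
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        expires_at = self._clock() + LINK_TTL_SECONDS
        self._pending[self._digest(token)] = (email.strip().lower(), expires_at)
        return token

    def redeem(self, token):
        """Return the bound email on success, otherwise None."""
        # pop() deletes the record before any other check, so a second click
        # (or a replay of an intercepted link) finds nothing to redeem.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None       # unknown, already used, or never issued
        email, expires_at = record
        if self._clock() >= expires_at:
            return None       # past the 15-minute window
        return email


def demo():
    """Constructed scenario: first click, replayed click, late click."""
    now = [1_700_000_000.0]   # constructed clock value
    store = MagicLinkStore(clock=lambda: now[0])
    used = store.issue("it-lead@northwind.example")  # constructed address
    first, replay = store.redeem(used), store.redeem(used)
    late = store.issue("it-lead@northwind.example")
    now[0] += LINK_TTL_SECONDS                       # 15 minutes pass
    return first, replay, store.redeem(late)
```

A real deployment would keep the pending table in shared storage and make the delete-and-check step atomic, so two simultaneous clicks cannot both succeed.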
So what is protecting the door
Back to the question from 8:40 on Tuesday. With no password in sight, the thing protecting your account is your inbox, plus a link that works once and dies in 15 minutes. That door has fewer hinges to fail. The reason we built it this way is the same reason we run the rest of your environment the way we do: security is a set of choices about what can go wrong and who has to manage it, not a feature you switch on. Take away the password, and you take away an entire category of things that break.
If the email never arrives, check your spam folder, and ask your IT admin to allow mail from `noreply@cloudsentry.com`; the Google and Microsoft buttons usually work as a fallback while you wait. When you next sign in, which would you rather defend: a password you have to keep, or a link that takes care of expiring itself?


