by rr808 66 days ago
I quite like the new trend where you can log in just by entering the 2FA code sent by SMS or email. Skip the whole username/password.
3 comments

I really dislike these "magic links" as a login procedure as you always have to switch between apps instead of just filling login / 2FA with your password manager. SMS is even worse as it's also insecure.

As an additional option, I can see the benefit for people who live in their Gmail app and don't have a password manager.

This is a lame complaint but I hate it just because it will by default open the website in a browser session belonging to the email app when you click the magic link. That extra step of finding the menu and telling it to open the signed-in page in the real Chrome instance just grinds my UX gears.

The other potential issue is the age of the users.

Magic emails might work for general users, but for an 80-year-old who struggles using a mouse, teaching them to click on links in emails is probably not the best practice.

Their age also makes them greater targets for social engineering, and asking for an SMS code probably sounds pretty harmless. I’m not sure how secure the original poster’s site needs to be, but I think this would be sketchy.
On iOS, the code from Messages or email is auto-populated. But just don't do email. Too many things can go wrong.

But I do love passkeys.

Apple Mail will also do it.
As with a lot of Apple features... it's great when it works, but 10% of the time it doesn't and then it's infuriating.

Often my iMessages arrive on my phone 30 seconds before they arrive on my Mac, so it's quicker to look at the phone notifications and type it in manually than it is to wait for them to arrive and auto-fill to get triggered.

If you log in only by the code or magic link, it's not 2FA because there's only one factor.
Passkeys are even better since you don't have to pull out your phone or switch to email to grab a code. It just logs you in.

Also, for old people, it's impossible to fall for a phishing page using passkeys, unlike auth codes, where you can type the code into a fake login page.

I'm a fan of passkeys because I don't have to store sensitive info. It's just a public key and I don't need identifiable info from the user. That's a super nice option for some niche low stakes software.

Unfortunately that breaks down when someone doesn't set multiple keys as backup and gets locked out. Then you're right back to password/backup code or some kind of recovery to email or phone. Chances are people just store their backup codes as plain text too. They also break down across desktop/mobile, e.g. register on desktop then try to log in on mobile. Not everyone has a good sync solution here, especially the non-technical.

Honestly all the solutions have trade-offs in UX/security/privacy and dependency on third-party services. The best solution is going to be highly dependent on the business.

The sync situation is a bit of a mess but it's getting better. Personally I use 1Password and everything is synced everywhere effortlessly. But if you are a Windows user without a password manager then you are probably best off just using your phone and the QR code scan flow.

The UX issues of passkeys can be and are being fixed. The issues with passwords are unfixable.

> The UX issues of passkeys can be and are being fixed.

I don't see any solutions to the recovery problem that don't introduce another login mechanism. But as a primary method the UX is pretty good for the technically literate.

It should be relatively hard to get locked out. Keys are synced to all of your devices so you'd have to lose everything at once.

I have 3 laptops, a PC and a PC at work, and 2 phones. Passkeys still confuse me and I'm not 60 yet.

They essentially work automatically without having to understand them. They get synced with your Apple and Google account or password manager to every device. For a work PC or something you haven't signed in with, Windows and macOS will show a QR code you scan with your phone and it all just works.

For an old person who basically just uses an iPhone and iPad, you can't screw it up and you can't be scammed.
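Two claims in the thread above, that a passkey "can't be phished" the way an SMS or email code can, and that the site only ever stores a public key, come down to how the relying party verifies an assertion. The following is an added example written for this page, not code from any commenter or from a real WebAuthn library: it models the relying-party checks (fresh challenge, origin match, rpIdHash match, user-presence flag, signature over `authenticatorData || SHA-256(clientDataJSON)`) and shows a relayed assertion from a look-alike origin being rejected while a genuine one is accepted. The `ToyAuthenticator` class, the `RP_ID`/`RP_ORIGIN` values and the user name are constructed; the HMAC "signature" is a stand-in for the asymmetric ES256/EdDSA signature a real authenticator produces, used only to keep the example dependency-free.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"              # constructed relying-party id
RP_ORIGIN = "https://example.com"  # constructed origin the RP expects


class ToyAuthenticator:
    """Stand-in for a platform authenticator (constructed for this example).

    A real passkey signs with a private key and the RP keeps only the public
    key; here HMAC with a per-credential secret plays the signature role so
    the example runs with the standard library alone. What is signed has the
    WebAuthn shape: authenticatorData || SHA-256(clientDataJSON).
    """

    def __init__(self):
        self.credential_id = secrets.token_bytes(16)
        self._key = secrets.token_bytes(32)

    def verification_key(self):
        # Models the public key handed to the RP at registration.
        return self._key

    def get_assertion(self, rp_id, challenge, origin):
        # The browser, not the web page, writes `origin` from the real URL bar,
        # so a phishing page cannot claim the RP's origin in clientDataJSON.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            separators=(",", ":"),
        ).encode()
        # rpIdHash (32 bytes) || flags (UP bit set) || signCount (4 bytes)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {
            "credential_id": self.credential_id,
            "client_data_json": client_data,
            "authenticator_data": auth_data,
            "signature": hmac.new(self._key, signed, hashlib.sha256).digest(),
        }


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id = rp_id
        self.origin = origin
        self.credentials = {}  # credential_id -> (user, verification key); no password hash, no PII
        self.pending = set()   # challenges issued but not yet consumed

    def register(self, user, authenticator):
        self.credentials[authenticator.credential_id] = (user, authenticator.verification_key())

    def begin_login(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def finish_login(self, assertion):
        """Return the user name on success, None on any failed check."""
        client_data = json.loads(assertion["client_data_json"])
        # 1. Challenge must be one we issued and still unused (replay protection).
        challenge = client_data.get("challenge")
        if challenge not in self.pending:
            return None
        self.pending.discard(challenge)
        # 2. Origin must be exactly ours: this is the check that defeats phishing pages.
        if client_data.get("type") != "webauthn.get" or client_data.get("origin") != self.origin:
            return None
        # 3. rpIdHash in authenticatorData must be for our rpId.
        auth_data = assertion["authenticator_data"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return None
        # 4. User-presence flag must be set.
        if not auth_data[32] & 0x01:
            return None
        # 5. Signature must verify under the key stored at registration.
        cred = self.credentials.get(assertion["credential_id"])
        if cred is None:
            return None
        user, key = cred
        signed = auth_data + hashlib.sha256(assertion["client_data_json"]).digest()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        return user


def demo():
    """Run a genuine login, a relayed assertion from a look-alike origin, and a replay."""
    rp = RelyingParty(RP_ID, RP_ORIGIN)
    auth = ToyAuthenticator()
    rp.register("alice", auth)  # constructed user
    genuine = rp.finish_login(auth.get_assertion(RP_ID, rp.begin_login(), RP_ORIGIN))
    # A page at a look-alike origin relays the RP's real challenge to the victim's
    # authenticator. A real browser would refuse even earlier because RP_ID is not
    # a registrable suffix of that origin; the RP-side origin check is defence in depth.
    relayed = rp.finish_login(auth.get_assertion(RP_ID, rp.begin_login(), "https://examp1e.com"))
    # Reusing an already-consumed assertion fails on the challenge check.
    assertion = auth.get_assertion(RP_ID, rp.begin_login(), RP_ORIGIN)
    first, second = rp.finish_login(assertion), rp.finish_login(assertion)
    return genuine, relayed, first, second


if __name__ == "__main__":
    print(demo())
```

The contrast with an SMS or email code is in step 2: a code is a bare secret that is equally valid wherever the user types it, whereas the assertion carries the origin the browser actually rendered and is only meaningful for that origin and that one challenge.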