Blog/Guide

Magic Links Vs Verification Codes: Which To Send

Both prove the user controls an inbox. They are not the same experience, and they are not the same security model. Here is how to choose.

Passwordless auth almost always comes down to two shapes: send a link the user clicks, or send a six-digit code the user types. Passkeys are the primary recommendation in 2026, but email-based fallbacks still cover the long tail of unsupported devices and account recovery.

Magic Links

A signed, single-use URL emailed to the user. Clicking it lands them back in your app and creates a session.

  • Good for: desktop-only flows, apps where the user is already reading email in the same browser.
  • Bad for: mobile, where the link opens in the mail app's in-app browser instead of the app the user was in, breaking the session. Cross-device flows: user starts on laptop, gets the link on their phone.
  • Security caveats: link scanners in enterprise mail can burn the single-use token before the user clicks. Bind the link to the initiating session (a cookie or PKCE-style challenge) so a scanner following the URL cannot log in.

Verification Codes (OTP)

A short numeric code (typically six digits) emailed to the user who reads it and types it into the same page they came from.

  • Good for: mobile, cross-device, native apps, anything where switching contexts is friction.
  • Bad for: nothing, really. The main tradeoff is that codes need to arrive fast, or users retry.
  • Security caveats: rate-limit generation per account and per IP, expire codes within 10 minutes, and enforce a small maximum number of attempts before invalidating.

Magic Links Vs Codes At A Glance

Side-by-side
DimensionMagic linkVerification code
Mobile UXBreaks across mail-app browsersWorks everywhere
Cross-deviceFails when link opens on another deviceNatural: read on one, type on another
Enterprise scannersCan burn the single-use tokenUnaffected
Speed to inbox sensitivityMediumHigh: users retry within seconds
Implementation costSigned URL + session bindingShort-lived code + attempt limits
Recommended defaultDesktop-first flows onlyEverything else
Swipe to see all columns.

What NIST And CIAM Guidance Say

NIST SP 800-63-4 removed SMS OTP as an acceptable AAL2 factor. Email OTP and TOTP are the accepted fallbacks. Both magic links and email codes inherit the security of the underlying email account: an attacker with access to the inbox can complete either flow. That is why neither is a substitute for a passkey when the user has one, but both are reasonable recovery paths.

The Practical Recommendation

  1. Default to a six-digit code. It works everywhere and it does not break on mobile mail clients.
  2. Use magic links only where the flow is desktop-first and you can bind the link to the browser that started it.
  3. Whichever you pick, treat the delivery like a product surface. The API you send it through, the subject line, the sending domain, and the log fidelity all matter more than which format you chose.

Send transactional email that lands.

MailRoundup is a transactional-only pipe for receipts, confirmations, password resets, and alerts. One endpoint, honest logs, no marketing traffic in the way.