Magic Links Vs Verification Codes: Which To Send
Both prove the user controls an inbox. They are not the same experience, and they are not the same security model. Here is how to choose.
Passwordless auth almost always comes down to two shapes: send a link the user clicks, or send a six-digit code the user types. Passkeys are the primary recommendation in 2026, but email-based fallbacks still cover the long tail of unsupported devices and account recovery.
Magic Links
A signed, single-use URL emailed to the user. Clicking it lands them back in your app and creates a session.
- Good for: desktop-only flows, apps where the user is already reading email in the same browser.
- Bad for: mobile, where the link opens in the mail app's in-app browser instead of the app the user was in, breaking the session. Cross-device flows: user starts on laptop, gets the link on their phone.
- Security caveats: link scanners in enterprise mail can burn the single-use token before the user clicks. Bind the link to the initiating session (a cookie or PKCE-style challenge) so a scanner following the URL cannot log in.
Verification Codes (OTP)
A short numeric code (typically six digits) emailed to the user who reads it and types it into the same page they came from.
- Good for: mobile, cross-device, native apps, anything where switching contexts is friction.
- Bad for: nothing, really. The main tradeoff is that codes need to arrive fast, or users retry.
- Security caveats: rate-limit generation per account and per IP, expire codes within 10 minutes, and enforce a small maximum number of attempts before invalidating.
Magic Links Vs Codes At A Glance
| Dimension | Magic link | Verification code |
|---|---|---|
| Mobile UX | Breaks across mail-app browsers | Works everywhere |
| Cross-device | Fails when link opens on another device | Natural: read on one, type on another |
| Enterprise scanners | Can burn the single-use token | Unaffected |
| Speed to inbox sensitivity | Medium | High: users retry within seconds |
| Implementation cost | Signed URL + session binding | Short-lived code + attempt limits |
| Recommended default | Desktop-first flows only | Everything else |
What NIST And CIAM Guidance Say
NIST SP 800-63-4 removed SMS OTP as an acceptable AAL2 factor. Email OTP and TOTP are the accepted fallbacks. Both magic links and email codes inherit the security of the underlying email account: an attacker with access to the inbox can complete either flow. That is why neither is a substitute for a passkey when the user has one, but both are reasonable recovery paths.
The Practical Recommendation
- Default to a six-digit code. It works everywhere and it does not break on mobile mail clients.
- Use magic links only where the flow is desktop-first and you can bind the link to the browser that started it.
- Whichever you pick, treat the delivery like a product surface. The API you send it through, the subject line, the sending domain, and the log fidelity all matter more than which format you chose.
Send transactional email that lands.
MailRoundup is a transactional-only pipe for receipts, confirmations, password resets, and alerts. One endpoint, honest logs, no marketing traffic in the way.
Keep going.
- March 25, 2026
Designing Password Reset Emails That Actually Get Used
Read guide → - February 18, 2026
Gmail And Yahoo Sender Requirements: What Changed In 2024
Read guide → - February 11, 2026
SPF, DKIM, And DMARC Explained For Developers
Read guide →