Technique G218: Email link authentication
About this Technique
This technique relates to:
- 3.3.8: Accessible Authentication (Minimum) (Sufficient)
- 3.3.9: Accessible Authentication (Enhanced) (Sufficient)
This technique applies to technologies that support authentication.
Description
The objective of this technique is to provide an easy way for users to authenticate without needing a password. This technique involves providing an authentication mechanism where the user can enter their email address, and they are sent an email with a link to click. When the user clicks the link in the email, they are directed back to the website and automatically logged in.
Note
The security of the email link mechanism is not the focus of this technique, but it generally involves sending a time-limited token as part of the email.
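As an added illustration of the time-limited token the note refers to (this is example code, not part of the WCAG technique or any W3C implementation), the following Python sketch issues a login link containing a random token and redeems it once, before its expiry. It assumes an in-memory store, a 15-minute lifetime, an injectable clock, and a stand-in outbox in place of a real mail sender; the class and function names are illustrative.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumed lifetime of a login link; the technique does not prescribe one.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Hypothetical email-link login service (in-memory, single process)."""

    def __init__(self, base_url, account_emails, now=time.time):
        self._base_url = base_url
        self._accounts = set(account_emails)
        self._now = now                 # injectable clock, so expiry is testable
        self._pending = {}              # sha256(token) -> PendingLogin
        self.outbox = []                # constructed stand-in for an email sender
        self.sessions = {}              # session id -> email

    @staticmethod
    def _digest(token):
        # Store only a hash of the token: a leaked store cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_link(self, email):
        """Handle the 'email me a link' form. Returns the message shown to the user."""
        if email in self._accounts:
            token = secrets.token_urlsafe(32)          # 256 bits of randomness
            self._pending[self._digest(token)] = PendingLogin(
                email=email, expires_at=self._now() + TOKEN_TTL_SECONDS)
            link = f"{self._base_url}/login/email?token={token}"
            self.outbox.append((email, link))          # a real system sends mail here
        # Same response whether or not the address is registered, so the form
        # does not reveal which addresses have accounts.
        return "If that address has an account, a login link has been sent."

    def redeem(self, token):
        """Handle the click on the emailed link. Returns a session id or None."""
        entry = self._pending.get(self._digest(token))
        if entry is None or entry.used or self._now() > entry.expires_at:
            return None
        entry.used = True                              # single use
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = entry.email
        return session_id


def token_from_link(link):
    """Extract the token query parameter from an emailed login link."""
    query = parse_qs(urlsplit(link).query)
    return query.get("token", [None])[0]


if __name__ == "__main__":
    svc = MagicLinkService("https://example.test", ["ada@example.test"])
    print(svc.request_link("ada@example.test"))
    _, link = svc.outbox[-1]
    session = svc.redeem(token_from_link(link))
    print("logged in as", svc.sessions[session])
    print("second click:", svc.redeem(token_from_link(link)))  # None: already used
```

Three properties matter for the test procedure below the fold: the link works once, it stops working after the lifetime, and the request form gives the same answer for unknown addresses.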
Examples
Example 1: Author provides an email mechanism to log in with a link
A social media website has a username and password based login mechanism. As part of the forgotten password feature, there is a separate link to log in with an email. When the user enters their email address and submits the form, the site sends an email to the user. Clicking the link in the email opens the website and the user is logged in.
Related Resources
No endorsement implied.
Tests
Procedure
For websites that allow users to log in by emailing a link to the email address associated with the account:
1. Enter a valid email address (with an account on the website) and use the email-link feature.
2. Check that the email is received.
3. Check that selecting the link opens the website.
4. Check that the user account is logged in.
5. Check that no object recognition test is used as part of the authentication process.
Expected Results
- #2, #3 and #4 are true.
- For the AAA Accessible Authentication (Enhanced), #5 is also true.