The Magic Knight Captains are a group of powerful mages in the anime and manga series "Black Clover." These individuals are known for their exceptional magical abilities and leadership skills. There are a total of nine Magic Knight Captains, each leading a different squad within the Clover Kingdom's Magic Knights. Firstly, we have Julius Novachrono, the captain of the Magic Knight's headquarters, the Golden Dawn. Julius possesses a unique time-manipulating magic that allows him to control time. He is known for his wisdom and strategic planning.

Magic link security

Another account to lose, when google bans you, because your kid liked something on youtube on a family account.

Magic links can be very helpful when needing to authorise people from an external system without API access, and they recently saved our asses from having to process over 10.000 refunds manually. Let me explain:

I work as a web dev for my local students union, and we recently had to develop a system to process refunds for basically every student there (9€ ticket related).

However, our university wanted nothing to do with that process, so we couldn’t use existing student login infrastructure to verify refund claims and limit them to one per student.

Luckily, each student gets a @stud.leuphana.de mail address. So all we had to do was send them a login link – if you weren’t a student or entered an invalid address you simply never received that, so you couldn’t apply.

The system worked great and with few issues, thanks to magic links!

Another example of this is consumer apps that insist that you should login with your phone number and make you click an extra button to change to the email login option.

One major use case that comes up more frequently is onboarding an untrusted device with a trusted one. WhatsApp seems to have mastered this class of problem using the QR code. Typing in codes and clicking emailed links is nice until you feel your phone's camera instantly log you in on your laptop by scanning its screen. The obvious downside is that this is a chicken-egg situation and you have to already have one chicken (or egg) to make it work.

If you’re concerned about the security aspect of this, keep in mind that most web applications have this feature, but instead of calling it a magic link and for signing in, it’s called “forgot password.” It generates a short-lived code and emails the user a link that lets them access their account.

There are, of course, challenges with this being the only (or default) way to sign in, but the security concerns with it (e.g. weak email password) probably aren’t new!

It depends. I used magic links for a system where the user would log in every 6-12 months. It didn't make sense to force them to make a password.

1. I click the password field.

2. I click "use autogenerated password"

The magic link experience is comparatively awful:

1. My email address never auto-fills so I need to click the field and select the completion suggestion. This is even worse if I am using a per-site email address.

3. Go to my email.

4. Most often wait a few seconds.

5. Click the link. (add extra steps if I want to open in a private window or container tabs, or tons of pain for a different device)

6. Delete the email.

7. Find the new tab.

8. Maybe drag it to the right location in the tab bar or the right window.

And that is assuming that my email providers likes your email and it doesn't get greylisted, put in spam or even outright rejected.

If you'd take a passwordless login with FIDO2 (now promoted "Passkeys" by Apple and Google) it would mainly require to use FaceID / Windows Hello / Fingerprint / PIN . or whatever your devices deem necessary. Could be used on any and cross-device.

This may be a good future. But it seems like this isn't available to most people on most browsers yes. Especially if you want to sync across ecosystems.

I like how tangible passwords are. Even with a password manager I can write them on a piece of paper, store then in a vault and enter them into a new computer. My grandmother understands this process.

The key-based systems are basically magic. Magic that works great as long as you are inside the defined parameters on supported devices. I think it will be years after the "first baked release" before we see relatively user friendly manual backup and restore. Something this is second nature in most password managers.

I'm glad that your grandmother uses a password manager. We actually had a lot of feedback from teens and children and the concept of MFA/2FA seems to be hard to understand for less technical people. We were surprised by the actual understanding after some user research.

Yes, availability on all browsers and devices is not yet up to 100%. I hope to see a fast adoption, but agree that it could actually take some time. I use Passkeys on a daily basis for the last ~1.5 years wherever possible and won't go back anytime soon :)

Chrome supports a webauthn solution built-in if you don't have windows/platform authentication support. I think Firefox does too, and probably even Safari on really old machines. If you are targeting semi-modern browsers and devices made in the last 5-10 years, you should be fine.

Yes. To my knowledge WebAuthN works great on Chrome, Safari, Firefox (most times) on MacOS/iOS and Windows devices. Linux is still an issue unfortunately as it seems.

> Why not? Most browsers are slowing pushing password managers on users and the experience is lovely.

Most browsers in 1996 had "save this password" functionality. it's not a new thing.

I think it has gotten more aggressive with popups to use a generated password appearing any time you focus a password field.

This is a perfect HN user response. You are a power user; "This is even worse if I am using a per-site email address" - no one does this. The majority of people are normal.

Need some more straw for your strawman there? I can't take this comment seriously when you misrepresent both approaches so badly.

There are legitimate downsides to magic links but this isn't realistic. Do you not have to enter email on register? Where is the email confirm step for password signup? Finding the tab you just opened and dragging it. really? All of that happens on first signup as well. And the comment you are replying to is talking about a 1-2 times a year process, is a magic link really so difficult to use twice a year?

Yes, I have omitted this from both workflows.

> Where is the email confirm step for password signup?

Good point, most websites will want to confirm the email address. I didn't include that.

> Finding the tab you just opened and dragging it. really?

Yes, I like to keep my tabs organized. I'm not even a tree-sytle-tabs user but at least want to get the right window. The point is that magic links disrupt my in-browser workflow with switching between apps and opening links in new tabs.

> is a magic link really so difficult to use twice a year?

No, but it is still more difficult than a password multiple times a year. Neither of these have a yearly cost so it doesn't really matter how often you do them. I wouldn't use "only twice a year" to justify that people can come to our office in person to authenticate over a magic link.

> Yes, I have omitted this from both workflows.

You specifically complained about having to enter your email on the magic link flow:

> 1. My email address never auto-fills so I need to click the field and select the completion suggestion. This is even worse if I am using a per-site email address.

> > is a magic link really so difficult to use twice a year?

> No, but it is still more difficult than a password multiple times a year. Neither of these have a yearly cost so it doesn't really matter how often you do them. I wouldn't use "only twice a year" to justify that people can come to our office in person to authenticate over a magic link.

Yearly costs to who? The user? I guess there isn't really a cost to them other than storing/keeping the password but there is absolutely a cost to the developer and I'm not talking about the cost of storing a hashed/salted password in the DB itself. There is a cost to build and maintain a password-based system. It means implementing and maintaining a number of things like your salt, password complexity requirements, password reset flow, and more like you going to use something like HaveIBeenPwned's hash list to make sure people aren't using known passwords?

Passwords are not zero-cost and have ongoing concerns. I'm not saying magic links are always or even often the best choice, just that they do have a perfectly valid use-case.

> but there is absolutely a cost to the developer and I'm not talking about the cost of storing a hashed/salted password in the DB itself. There is a cost to build and maintain a password-based system.

Seriously . if today's developers are unable or unwilling to learn about basic hashing/salting and database storage/value comparison, and consider such concepts 'costly' . we may have passed the zenith of technological advancement, and are in a 'downfall of the Roman Empire' phase. Have some pride in your work.

> It means implementing and maintaining a number of things like your salt, password complexity requirements, password reset flow, and more like you going to use something like HaveIBeenPwned's hash list to make sure people aren't using known passwords?

Do you reinvent the wheel whenever you need to drive somewhere? these things mostly are already baked into most frameworks, and if they are not, most developers build something like this once, and reuse.

> [Magic Links] they do have a perfectly valid use-case.

Annoying customers and forcing them out of your business into the willing hands of your competition?

It's amazing how you, knowing nothing about my stack/use-case can speak with such authority. Going as far as to assume that we must be in a "'downfall of the Roman Empire' phase" because I see value in magic links and because I don't want to implement password support, again, in a product you know nothing about.

I have a very good reason for picking magic links, also the codebase for my project does not ruse a framework (there exist no good ones in the space I'm in) but instead of being curious you decided to be condescending. Cool.

> My email address never auto-fills so I need to click the field and select the completion suggestion. This is even worse if I am using a per-site email address.

My email always autofills for regular login forms. Maybe this is a bug in my browser but either way it is an inconvenience that I face.

> implementing and maintaining a number of things like your salt, password complexity requirements, password reset flow

If you are using any halfway popular language there is a library that does all of this for you. In fact it is probably easier to use a pre-packaged library than for magic links, but I'm sure those libraries could appear if magic links become more popular.

Magic links are half factor auth. They're probably good enough for apps that no one actually cares about though.

Email reset isn't any different than a magic link. Adding an additional password option for login only lowers the security.

A lot of people brought up scanners that auto-click links. How do these scanners deal with verification email links or unsubscribe links in general?

I mean unsubscribe links are commonly two-stage (you have to click a button on the target website), but now always. Never saw a similar two-stage verification link though.

The article doesn't seem to cover a potential issue- updating an email address associated with an account (2FA aside).

If you've somehow lost access to email, a typical pattern is that you can login to your account, update the username and receive a validation email at the new address to confirm its validity.

Existed earliest in 2010? No way. Earlier. I remember in the 90s forgot your password link from e-mail signed you in, after which you could change the password.

the problem with using this technique alone is it’s basically 1FA all over again. hacked email means everything is hacked. excluding the need to remember a password, how are magic links an improvement?

Anyone have advice for creating easy-to-use-yet-secure login solutions for users who are less tech-literate?

My company is an ISP, and most of our customers are not very "good" at using technology. Any yet, they do sometimes want to log into our dashboard for one reason or another, and it tends to be a lot of trouble.

We've found that:

- Many people do not have an email. Some people don't have a phone number. Many people have only one or the other, but not both.

- People typo their emails. a LOT. I initially had some very simple validation for email addresses, until I started getting droves of emails that were one character off. I'm at this very moment working on a feature to alert users if they type "gmail.co", "gmail.con" or "gnail.com", which are all very common (and two of which are completely valid domain names by the way!).

- Some people get confused by "creating a new account" or dealing with multiple accounts in general. They'll say "my email login didn't work." Well, to me it's obvious that they have a different password for different accounts, but to them it's not.

- Building on that, they are not great at password resets. The "send a password reset to email" thing is confusing to them, because from their perspective their email is the account. Am I resetting my email password?? They don't like it so they don't want to do it.

- Since we are an ISP providing customers with WiFi, there is also confusion between the WiFi password and the dashboard password. I've had people successfully reset their dashboard password, expecting it to also set their WiFi password.

- Literacy can also be less than ideal. I once reset a customer's WiFi password over the phone, and the new password contained an exclamation point. She didn't know what an exclamation point was. I got her to do SHIFT-1 eventually, but it took a while. (I found out later that nobody else sees an exclamation point as an "upside-down i", which is what I've always seen it as. The proper way to describe it to someone who doesn't know is "line with a dot underneath".) Now my password generator only uses A-Za-z0-9 (but not 0 or O).

So, I have been learning the hard way that not every person in the world is an avid Hacker News reader who knows what accounts and password hashes are and how everything works. And yet, these people deserve to be empowered by technology just like the rest of us.

The thing is, many of these folks are able to use software just fine, it's just that they have trouble getting logged in. It really is the logging in that trips everything up.

So I've been thinking lately that I want to fix this for my company, but I'm unsure what to try.

I had the thought of trying Webauthn, but that seems unusable for me as per this comment I wrote a few weeks ago[0]. If I could solve the problem in that comment, I think a lot of my customers would use "Login with TouchID", "Login with FaceID", etc.

Anyway, my point is that no, I do not think magic links are outdated. We use a lot of magic links. Need to update your credit card? We'll text you a link. Want to reschedule your install? We'll text you a link. This is the best way we've found to actually get our software into the users' hands.

For customers they seem like a super convenient thing, I was just implementing them in my app. Yes magic links have problems and it's probably making me lean more towards the "emailing a code" option now, some of those problems outlined aren't easy to ignore.

The app I'm working on, users would login probably once or twice a year. I just can't imagine they want to deal with passwords, especially because my app is very niche, they'd use it once a year for one thing only. What I can imagine them having to do is constantly use the "forgot my password" feature anyway.

For conversion easy logins are really important.Anyone have any better ideas than magic links, passwords or one time codes in email?

I quit using services that have magic links as their only authorisation method - and so does my 65 year old, very non-nerdy mother (she complains about 'having to wait for a damn email' all the time)

> Anyone have any better ideas than magic links, passwords or one time codes in email?

Passwords. Password managers are not a new concept, they have been around for decades by now, have deep browser integration (either because they often are part of the browser, or in the case of Apple, the OS), and are easily understood by users.

- Email deliverability is a serious issue - some well-known providers (Apple and Microsoft) can delay email up to five minutes because they're scanning it, and that's assuming that it didn't went to spam. Compared to 2FA login, that's an eternity.

- Also, speaking of scanning emails, some do "click" them to check that it's not a harmful page (Microsoft, Google Workspace if admin enabled it, Barracuda which is common on enterprise), rendering the link invalid.

- Not everyone keeps their email logged in (or uses a different app/client to keep them logged in), which results in worse experience.

- Most mobile email clients (Mail on Apple, Gmail, Outlook) by default launch a different window, meaning you're logging into the mail client and not the browser.

I'm in the same boat. People login 1 time a year (it's for an event) and using magic links means I don't have to deal with password management, forgot/reset password flows, and more. It also means signing up is as easy as entering your email (the web/app prompts you for the other required info on first login).

Out of thousands of people who used the system I only had 1-2 people who had issues. One was using their work email (why do people do this?) and I think it was being filtered and the other was using Yahoo but for some reason the emails were slow to deliver, 2-3 minutes (far from the only Yahoo user, only one that had issues).

I mean, the magic link could be an addition to the "forgot password" screen, then? As in "reset password or login via magic link"?

The Future of Authentication is Passwordless With Magic links

By opting to add the magic link feature to your mobile apps or email accounts, you are likely trying to make your mobile app or site user-friendly, contributing to a strong security strategy. Here are some reasons for which you can opt passwordless magic links.

While logging on to your social media account or a bank account online, there are several credentials you tend to feed in before being able to access your account. The process is a tad bit lengthy, and there are even chances of you mismatching or forgetting the passwords for a particular account. But with the help of passwordless magic links, these issues are easily resolved.

What is a Passwordless Magic Link

A passwordless magic link allows you to log in directly with the help of a link that is received through an email. This process is similar to when you receive a one-time-password (OTP) though you might have to physically enter the OTP once you are redirected to the page or application. In the case of passwordless magic links, all you have to do is click on the link sent through an email, allowing you to log in directly.

How Magic Links Work

Passwordless magic links follow three steps that enable the user a hassle-free login. The three steps are as follows.

• When a consumer is about to log in/ sign in, they go to the sign-in screen and enter their email address.
• If the email address entered is a registered type, they will receive the magic link through the email provided.
• To complete the sign-in process, they have to click on the link received through the entered email.

Optionally, they might be sent a live link during registration, which can be made use of eventually for authentication.

It is similar to the password reset flow process, where you receive a secret link that allows you to sidestep the password and create a new one.

The app designers have to follow a process and take out the password and any other approach to resetting protocols. Doing so ensures that you receive a one-time-use passwordless magic link at the time of your login.

The app designers or developers can program the link depending on whether the link should be valid for a particular time or for as long as the session is valid. After clicking on the link, the consumer’s information is verified, and a cookie is set up; this ensures that they stay logged in for the entire process of the session.

Even though passwordless magic links display hundreds of password resets, consumers need not remember the password to access the account. Magic links are a user-friendly feature that ensures an inviting user experience without any hardware requirement.

How Can Organizations Use Magic Links

By opting to add the magic link feature to your mobile apps or email accounts, you are likely trying to make your mobile app or site user-friendly, contributing to a strong security strategy. Here are some reasons for which you can opt passwordless magic links.

• Ideal for infrequent login demands: Passwordless magic link is provided at the beginning of each user session, verifying the user through a single-use basis. This type of magic link login implementation is well suited with mobile apps or the login process of an email account that require single or infrequent authentication, enabling easy access.
• Prevent password-based attacks: Data breaches, hacking, and phishing are ever increasing in today's times. There is a major loss of necessary credentials, and magic link login security ensures the safety of the same by warding off security risks implicating passwords.

Benefits of Using Magic Links

There are plenty of benefits of using a passwordless magic link. They are as follows -

• Easy authentication, deployment, and use: When the user clicks the magic link, though the flow is similar to that of password reset, magic link login implementation includes some minor changes in the code at no extra cost.
• Seamless onboarding: Earlier, logging into applications used to be more tedious than the present times as you would get a message through email or SMS. Only when the user clicks the required redirecting option would they be able to log in. The most feasible is the magic link alternative, where you need to enter your email address, and by clicking the link, you would be able to register for the app.
• Increase app adoption: Any user would prefer a trouble-free login process. For instance, as soon as the user clicks the magic link, the process is completed. Since magic link login implementation reduces the troubles faced during the login process, it is possible to get a loyal and returning fanbase.

What are the Challenges of Using Magic Links

Though there are numerous benefits of using a passwordless magic link, there are some challenges that particularly come with security blind spots. Magic links may help secure the transfer of information, ensuring the valid identity of the user. But since the security is tied with the user's account, it is wise that the email account is protected with multi-factor authentication.

Another challenge you might face with magic link apps is that the admins have no control over link sharing. Regardless of the user, admins are unable to keep track of the confidential or sensitive information shared with others. Apart from these challenges the major one is the increased cyber-attacks with nearly 7K global data breaches in 2019 that risked about 15 billion user records.

How LoginRadius's Passwordless Magic Link is Preferred Over Others

LoginRadius's passwordless magic link enables the user a safe and secure transfer of information. It makes sure that the user's login credentials stay guarded against hacking, phishing, and other fraudulent practices.

The intent behind the launch of the LoginRadius passwordless magic link is to reduce friction during the registration and login processes. Other business advantages include:

• Consumer experience is streamlined: One-step registration and login reduce friction for consumers. Furthermore, consumers do not need to create or remember passwords to access their accounts.
• Consumers are aware: This form of authentication is quickly becoming one of the most common trends among consumers.
• Account security is increased: Since a magic link is created dynamically and sent to the recipient upon request, it removes the risk of password attacks.
• Adaptive security is improved: As an adaptive protection measure for your consumers, you can pre-define the Magic Link expiry period and disable account access after the set period.

Depending on your business requirements, LoginRadius also supports a variety of implementation and deployment methods.

• After completing all configurations, you can use the pre-designed Passwordless Login with Magic Link with LoginRadius' Identity Experience Framework.
• Using the LoginRadius JavaScript Libraries, you can create an embedded Passwordless Login with Magic Link.
• You can build on and change the code in the open-source web and mobile SDKs to meet your specific needs.

Magic links may not be one of the most reliable means of logging in, but it is undoubtedly a convenient means for users to log in to their accounts. In today’s fast-paced times, any sort of validation needs to be done with immense meticulousness, and to cater to this need; a passwordless magic link is the right solution.

Written by Navanita Devi

A content creator both by choice and profession with 7+ years of experience. A copy editor, SaaS-enthusiast, quick learner, adaptable, and a good researcher. When not at work, you will probably find her curled up in literature with happy endings!

Magic Links – Are they Actually Outdated?

Even if you have not heard of magic links, the chances are that you have already encountered them when signing up for third-party applications or websites. Simple yet effective, this passwordless method is convenient for end-users to confirm their identity and easy for developers to implement: Instead of having to enter a password, a simple click is all it takes to log you in.

Given its foolproof infrastructure and widespread use, one might think it would be unnecessary to change a winning team. Scratching beneath the surface, however, it soon becomes evident that this method also has limitations. While we strongly recommend implementing password-free authentication for every organization, as a relatively old passwordless method among ever-changing digital innovations, magic links might no longer be the most secure alternative for this purpose.

With this article, we aim to determine whether magic links are still viable as an authentication method or if you are better off using newer passwordless alternatives.

He is known for his wisdom and strategic planning. Next is Jack the Ripper, the captain of the Green Mantis. He wields the magic of slashing and cutting, making him a formidable opponent in battle.

What are magic links? – The Origins

"Magic Links" describe a passwordless authentication method that allows users to log in by clicking a one-time link mailed or messaged to them rather than using their password. This link is automatically sent to the provided email address upon toggling a login request on the platform. This simple but innovative process of users authenticating themselves by merely clicking a button may seem magical to some, thus the name.

Though no official record of the first use of this method seems to exist, research suggests that their concept dates to the early 2010s. In the following years, as the problem with passwords started to arise slowly, various platforms started implementing two-factor authentication: In addition to entering a password, 2FA provides a secondary layer of security by requiring the user to verify their identity via a second (passwordless) factor. One of the most used secondary factors at the time was a code sent via SMS or email. In 2014 however, a revolutionary new method started gaining traction that promises the same high-end security features like 2FA, but by only relying on a single factor: Passwordless. Since biometric characteristics were not yet as widespread as they are now (partially due to the older smartphone models), the most straightforward and low-tech solution proved to be the implementation of one-time links – or, as we call them today, magic links. Thus, in the mid-2010s, various platforms started to experiment with passwordless, one of the most notable examples being Medium, which sparked a debate regarding the legitimacy of this newly discovered login method.

Jack is known for his aggressive and reckless nature. Fuegoleon Vermillion is the captain of the Crimson Lion Kings, known for his fiery magic. He can manipulate flames and is a highly skilled warrior. Despite being injured, he remains determined to protect his kingdom. Nozel Silva is the captain of the Silver Eagle squad. He controls mercury magic, which grants him the ability to manipulate the liquid metal. Nozel is often seen as arrogant but is a skilled and disciplined leader. Charlotte Roselei is the captain of the Blue Rose squad. She possesses the Briar Magic, allowing her to control and manipulate plants. Charlotte is known for her intense dedication to her squad and her complex personality. Mereoleona Vermillion, Fuegoleon's sister, leads the Crimson Lion Kings while her brother recovers. She uses the magic of flames, but her style is more raw and relentless, making her a fearsome opponent. Mereoleona is known for her strict training methods. Dorothy Unsworth is the captain of the Coral Peacock squad. She possesses the dream magic, allowing her to create illusions and control reality within her dream world. Dorothy is often seen sleeping but is a powerful and wise leader. Guelphie Merros is the captain of the Purple Orca squad. He wields the magic of spatial manipulation, allowing him to create portals and teleport. Guelphie is known for his calm and collected personality. Lastly, we have William Vangeance, the captain of the Golden Dawn squad. William serves as a major character throughout the series, but it is later revealed that he is possessed by a devil. He wields the magic of world tree, which grants him immense power. These are the captains of the Magic Knights, each with their unique magic and leadership style. Together, they protect the kingdom and its people from various threats, showcasing their exceptional skills and dedication to their squads and the Clover Kingdom..

Reviews for "All Magic Knight Captains: The Legends of Black Clover"

1. Sarah - 2 stars

I found "All Magic Knight Captains" to be highly disappointing. The plot was predictable and lacked any depth. The characters felt two-dimensional and their motivations weren't properly developed. The dialogue was cliché and the pacing was off, making the story feel rushed at times. Overall, I found it to be a forgettable read that didn't live up to the hype.

2. John - 2.5 stars

While "All Magic Knight Captains" had an interesting concept, it failed to deliver on many fronts. The writing style was weak and lacked the descriptive language needed to fully immerse the reader in the magical world. The plot was convoluted and confusing, making it hard to follow at times. Additionally, the character development was lacking, leaving many of the protagonists feeling flat and unrelatable. Overall, I was left disappointed and underwhelmed by this book.

3. Emily - 3 stars

I had high hopes for "All Magic Knight Captains", but unfortunately, it fell short for me. The pacing was uneven, with slow moments that dragged on and rushed action sequences that were hard to follow. The world-building was lacking, and I felt like I never fully understood the rules of the magical realm. The characters had potential, but their development felt superficial and their actions sometimes didn't make sense. While the concept was intriguing, the execution left much to be desired.

How All Magic Knight Captains Have Shaped the World of Black Clover