How DEIS magic-link authentication works and why it is secure
No passwords to remember or breach. Here is how our magic-link login works and the security measures behind it.
DEIS uses magic-link authentication instead of passwords. Here is why and how it works.
Why no passwords?
Passwords are the most common attack vector for business applications: weak passwords, reused passwords and phishing account for the majority of account compromises. By eliminating passwords entirely, we remove those password-specific attack vectors. Login security then rests on access to your work email inbox, so that email account should itself be well protected (for example with multi-factor authentication).
How it works
- You enter your work email on the login page.
- DEIS generates a single-use, time-limited token and emails it as a clickable link.
- You click the link. DEIS verifies the token, creates a session, and logs you in.
- The token expires after 15 minutes or after first use, whichever comes first.
Security measures
Single use. Each magic link can only be used once. After the first click, the token is invalidated.
Time-limited. Tokens expire after 15 minutes. Even if an email is intercepted later, the token is useless.
Email verification. The magic link is sent to the email address associated with the account. If someone does not have access to the email inbox, they cannot log in.
Session management. Sessions are stored in encrypted, HttpOnly cookies with a configurable expiry. Sessions are invalidated on logout.
Rate limiting. Login requests are rate-limited to prevent abuse, such as flooding an email address with login links.
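The login flow described under "How it works", together with the single-use, time-limited and rate-limiting measures above, as an added Python example. This is illustrative code written for this page, not DEIS's implementation, which is not shown here. It assumes an in-memory store, an injectable clock, and an illustrative limit of five link requests per address per hour; the 15-minute token lifetime is the one stated above. Only a SHA-256 hash of each token is kept server-side, so a leaked table does not yield usable links.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60           # lifetime stated on the page
RATE_LIMIT_WINDOW_SECONDS = 60 * 60   # assumed: one-hour window per email address
RATE_LIMIT_MAX_REQUESTS = 5           # assumed: link requests allowed per window


@dataclass
class PendingLogin:
    token_hash: str        # only the hash of the emailed token is stored
    email: str
    expires_at: float      # absolute time after which the token is dead
    used: bool = False     # flipped on first successful redemption


@dataclass
class MagicLinkService:
    """Hypothetical in-memory magic-link backend (example only, not DEIS code)."""
    now: Callable[[], float] = time.time                          # injectable clock
    _pending: Dict[str, PendingLogin] = field(default_factory=dict)  # token_hash -> entry
    _requests: Dict[str, List[float]] = field(default_factory=dict)  # email -> timestamps
    _sessions: Dict[str, str] = field(default_factory=dict)          # session_id -> email

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_link(self, email: str) -> Optional[str]:
        """Step 1-2: rate-limit the address, mint a token, return the raw token
        that would be placed in the emailed link. None means rate limited."""
        t = self.now()
        recent = [ts for ts in self._requests.get(email, [])
                  if t - ts < RATE_LIMIT_WINDOW_SECONDS]
        if len(recent) >= RATE_LIMIT_MAX_REQUESTS:
            return None
        recent.append(t)
        self._requests[email] = recent
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; unguessable
        h = self._hash(token)
        self._pending[h] = PendingLogin(h, email, t + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Step 3-4: verify a clicked token. Rejects unknown, expired and
        already-used tokens; on success marks it used and returns a session id."""
        entry = self._pending.get(self._hash(token))   # lookup by hash, never raw token
        if entry is None:
            return None
        if entry.used or self.now() >= entry.expires_at:
            return None
        entry.used = True                # single use: a second click fails
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = entry.email
        return session_id

    def session_email(self, session_id: str) -> Optional[str]:
        return self._sessions.get(session_id)

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)   # server-side invalidation on logout


if __name__ == "__main__":
    svc = MagicLinkService()
    tok = svc.request_link("user@example.com")   # constructed sample address
    print("first click ->", svc.redeem(tok) is not None)   # True
    print("second click ->", svc.redeem(tok) is not None)  # False, token already used
```

The clock is injected so that expiry can be exercised without waiting fifteen minutes; a real deployment would persist the pending-login table and rate-limit counters in a database or cache rather than process memory.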
For the transparency portal
Individual transparency portal access also uses magic links. The link is sent to the individual's email address and provides access to their specific data — no passwords, no account creation.