# talk-kratos
s
Greetings, we are a startup in the Netherlands considering using Ory Kratos. But we need magic links to work via email. Is that supported in Ory Kratos?
b
Hi, awesome! Could you elaborate on your use-case a little? Magic links are currently supported for account recovery & address verification. But they won’t be supported for long, as magic links pose significant security risk if not done correctly & do not provide the best UX. See https://github.com/ory/kratos/issues/1451 for some more information.
s
@bland-eye-99092 We want to enable sign up based entirely on email addresses. That means users get an email invite and can log in and use our platform immediately by just clicking a link. They are also signed up to a newsletter, which again contains magic links to use our app without logging in. Users would of course also have the option to set a password when they're ready.
m
You could build a signup just based on email addresses using the account recovery flow: https://www.ory.sh/docs/kratos/manage-identities/account-recovery So you create an account via the API with a random password, initiate the recovery flow for them with a custom email template -> end-user gets a link via email which they can use to login and have to change their password. (I think they would have to change the password upon first login, you could also make it optional to change later probably - but security-wise it would be best to change it directly IMO)
AFAIK the link verification/recovery strategy will still be supported later on, just the default will be OTP codes. Is that correct @bland-eye-99092? It has been some time since I looked into the issues/PRs.
b
The “magic” link strategy will still be there for some time. But it is not recommended for usage anymore, due to the various issues with it.
r
A bit confused by this ticket. I can see how it might be a problem. But I haven’t seen antivirus software “opening” links. Is that really a problem? 😅
b
Yes, there have been a few reports. And since we need to invalidate links (tokens) once they have been opened to prevent session takeovers, this issue leads to users not being able to recover or verify their accounts at all.