Magic Link
TL;DR
A one-time URL emailed or texted to a user that logs them in without a password. Used heavily in customer portals.
A magic link is a single-use, time-limited URL sent to a verified email or phone number. Clicking the link authenticates the user and starts their session. No password required, no signup friction.
For repair-shop customer portals, magic links are the right pattern: customers rarely log in (maybe twice a year per device), so passwords get forgotten, and forgotten-password resets become a support burden. Magic links sidestep all of that.
Security model: links expire after a short window (typically 15 minutes for sensitive actions, 24 hours for status views), can only be used once, and are bound to the originating IP/device fingerprint when used for actions like estimate approval.
Quick answers
Are magic links secure?
More secure than reused passwords. The risk vector is email account compromise, which exists for passwords too (password reset goes to email). For repair-shop customer flows, the threat model is low enough that magic links are the right call.
What if the customer doesn't get the link?
Re-send. Most systems include a 'didn\'t get the link?' button that re-issues a fresh one. The shop can also see whether the link was clicked, which helps with support.