Magic Link
TL;DR
A one-time URL emailed or texted to a user that logs them in without a password. Used heavily in customer portals.
A magic link is a single-use, time-limited URL sent to a verified email or phone number. Clicking the link authenticates the user and starts their session. No password required, no signup friction.
For repair-shop customer portals, magic links are the right pattern: customers rarely log in (maybe twice a year per device), so passwords get forgotten, and forgotten-password resets become a support burden. Magic links sidestep all of that.
Security model: links expire after a short window (typically 15 minutes for sensitive actions, 24 hours for status views), can only be used once, and are bound to the originating IP/device fingerprint when used for actions like estimate approval.
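The checks in the security model above, as an added example rather than code from any particular portal product. The purpose names, the portal.example URL, the in-memory store and the treatment of the fingerprint as an opaque string are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

# TTLs come from the security-model paragraph; the purpose names are assumptions.
TTL = {"approve_estimate": 15 * 60, "view_status": 24 * 3600}
BOUND = {"approve_estimate"}  # purposes tied to the device that requested the link

class MagicLinks:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # sha256(token) -> record; the raw token is never stored

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def issue(self, user, purpose, fingerprint):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = {
            "user": user, "purpose": purpose,
            "expires": self._clock() + TTL[purpose],
            "fp": self._digest(fingerprint), "used": False,
        }
        return "https://portal.example/login?t=" + token  # constructed URL

    def redeem(self, token, purpose, fingerprint):
        row = self._rows.get(self._digest(token))
        if row is None or row["purpose"] != purpose:
            return None, "unknown"
        if row["used"]:
            return None, "already_used"
        if self._clock() > row["expires"]:
            return None, "expired"
        if purpose in BOUND and not hmac.compare_digest(
                row["fp"], self._digest(fingerprint)):
            return None, "fingerprint_mismatch"
        # With a real database, mark-as-used must be one atomic
        # conditional update so two concurrent clicks cannot both succeed.
        row["used"] = True
        return row["user"], "ok"
```

Storing only the hash means a leaked table does not yield usable links, and a fingerprint mismatch leaves the link unspent so the customer's own click still works.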
Quick answers
Are magic links secure?
More secure than reused passwords. The risk vector is email account compromise — which exists for passwords too (password reset goes to email). For repair-shop customer flows, the threat model is low enough that magic links are the right call.
What if the customer doesn't get the link?
Re-send. Most systems include a "didn't get the link?" button that re-issues a fresh one. The shop can also see whether the link was clicked, which helps with support.