I’m very excited to use the new Magic Link system.
Just a question though, if a person who is not signed up with our Client Portal (assuming sign-up is disabled) enters their email and clicks the Email Me a Login Link button, what happens? Does a login link get sent?
I just tested it with a made-up email, but there is no error message saying that there is no account.
Hi Andrew, great question. No login link gets sent in that case. That is intentional for security purposes. If we were to show an error like email doesn’t exist that would expose information about your clients to a bad actor. Someone could try to guess various emails and then figure out which emails are actual clients when they don’t see an error message. Admittedly, it can be a confusing experience, but this is best practice for login flows like this.
Ahh that makes sense.
If that’s the case, would the team consider changing the verbiage to something like this?
"If you have a client portal account with this email address, the login link has been sent to that email address.
Click the login link to login"
This would be a little clearer to the client and would still have anonymity to protect against bad actors.
Updated verbiage would be preferrable for the “Forgot Password” page as well if possible.
Thanks for the suggestion. I agree that would be a better. Will pass on this feedback so we can make this improvement.