Have your logging-in session wait for / poll "has visited magic link", and authenticate that session when it's done.
Tons of systems do this. It works great, and it can quite easily work without any web browser at all on the logging-in side because it just needs to curl something -> poll for completion and save the cookies -> curl against the API. A number of oauth flows for e.g. TVs work this way, for instance, because it's a heck of a lot easier than integrating a full browser in the [embedded thing]. Many app-based 2FA (e.g. Duo) works this way too.
So I misclick a link in my email client and the evil guy who requested in is now logged in on his browser god knows where? Surely that can’t be real. It sounds awful. TVs involve copying a code to make sure the right device is being authenticated, or the ones I’ve used have at least.
Duo 2FA works the same way. In principle yes. And it's basically always accompanied by a "click this link" -> "are you trying to log in, and is this you? yes/no" page to resist that.
Small code copying is also a very good answer though, yes. Roughly as easily manipulated, but nothing's perfect, and it's less "I didn't mean to click that button"-prone.
Yeah but I routinely click links in emails whereas logging in is the sole purpose of Duo. I could easily just intend to scroll the page and end up tapping the link.
so have that open a site that says "confirm login? y/n".
I don't mean to imply that just visiting the link should be enough to complete a login. That's a GET and there's a LOT of issues with doing anything important on GET. Just "do something on a different machine, then automatically complete login on the one logging in", and magic links to trigger that flow are a rather straightforward option.
There's no reason at all that it has to all occur on the same machine, and many reasons why attempting to require that doesn't work out in practice even when it does happen on the same machine.
1. Attacker starts a log in and triggers a magic link email
2. Email received and my browser client previews the link without my desire
3. Attacker is now logged in
That’s why you combine it with a check for source IP and tell your user that they need to approve from a device that has same IP as the one they are logging in on. So if I’m logging in on my laptop, and approving with my phone, it will be rejected if my phone is using mobile data while my laptop is using landline, but will approve if my phone is connected to WiFi of the same network my laptop is connected to, or if my laptop is tethered via my phone, because then I have same external source IP on both devices.
This scenario is a solution only in simplest cases. It doesn't work when someone routinely uses a VPN on the phone (when often uses free public wi-fi in airports, railway stations, markets etc) because of possible MITM attacks.
The links are one-time use so you need to take this into account anyway or users simply can't login. It's usually done with a required button click after following the magic link. Or you can try JavaScript techniques to detect a real browser.
No "tons" of systems do not do this. If you come across one that does it was built by a team that has no idea about security.
TVs etc. are special cases because obviously there is no way to redirect to them, and even there developers will always have some kind of secondary checks like having you enter a code displayed on the screen.
When I sign on to a bank it sends an SMS. Then my phone prompts me to share that code with the brower, on my desktop. It's a neat QOL "feature" - but kinda feels too automated to be secure.
That's because the server recognizes both clients, and you are prompted to approve the other client from the client that has the code. You are giving permission to the remote client, not taking permission from the remote client.
Google does it. Paypal does it. Duo does it. Lots of single-sign-on systems do it. All of those including not-TV scenarios, just normal computer-and-phone stuff, as well as sometimes other weird flows. Many of these are far beyond what most would label as "security competent", into "login security is a large part of their business and they have significant numbers of specialists hired".
(it is probably safe to say none are "truly secure" or "actually security obsessed", but I doubt that's actually possible in large quantities. the requirements are too steep, for both implementers and users.)
It's not the most common, certainly, nor anywhere close. But it's very far from nonexistent.
Have your logging-in session wait for / poll "has visited magic link", and authenticate that session when it's done.
Tons of systems do this. It works great, and it can quite easily work without any web browser at all on the logging-in side because it just needs to curl something -> poll for completion and save the cookies -> curl against the API. A number of oauth flows for e.g. TVs work this way, for instance, because it's a heck of a lot easier than integrating a full browser in the [embedded thing]. Many app-based 2FA (e.g. Duo) works this way too.