Live P2

Sign in with magic links and passkeys

Use a short-lived email link for account access, then optionally enroll a platform passkey for later sign-ins.

Availability
Live
Last verified
Runtime anchor
ab084f79c5ed3fc6a28f07c64b29920944a0e5db
Certification anchor
db23559179dc3c67be8a1ab16a0f07323b9820f7
Evidence note
Login, one-time-link, passkey, logout, inactivity, and session-cap contracts were verified. Platform prompts vary by device.

What this does

Use a short-lived email link for account access, then optionally enroll a platform passkey for later sign-ins.

Before you begin

  • Use the email attached to the account and a device/browser that can receive the link.
  • Passkey support depends on the device, browser, and authenticator; it is optional.

What changes outside ArtDrop

Email me a magic link sends an email. Opening a valid one-use link creates a revocable ArtDrop session. Creating a passkey stores a public credential with ArtDrop and a private credential in your platform authenticator; ArtDrop does not receive biometric data.

ArtDrop sign-in page with email magic link and passkey options
Passwordless sign-in. Request a time-limited email link or use an enrolled passkey from the same sign-in screen.
ArtDrop passkey setup screen for Touch ID or device biometrics
Optional passkey setup. After a verified sign-in, a passkey can be enrolled for faster return visits or skipped for later.

Steps

  1. Request the link

    Open /login, enter the account email, and choose Email me a magic link. The sent state says the current link expires in 15 minutes.

  2. Open it once

    Use the newest email on the same or another trusted device. Expired, already-used, and revoked links require a new request.

  3. Optionally add a passkey

    After sign-in, on Set up a passkey choose Create passkey and follow the platform prompt, or choose ← Skip for now.

  4. Use the fallback

    On return visits choose I have a passkey (Touch ID) when available. If the passkey/device is lost, request a new magic link instead.

  5. End the session

    Choose Sign out to revoke the current hosted session. Inactivity and concurrent-session limits can also end a session.

Expected result

The app returns to the shared signed-in shell and the session can later be revoked without changing the account password because there is no account password.

Limits and non-goals

  • The UI says Touch ID, but a passkey can use Face ID, device PIN, or a security key depending on the platform.
  • Exact session lifetime/inactivity values can be environment-controlled.

Troubleshooting

  • If no email arrives, check spam, wait for rate limits, and request only one fresh link rather than opening several old ones.
  • If a passkey prompt fails, cancel it and use email; do not lock yourself out while troubleshooting the authenticator.

How to undo or clean up

Sign out revokes the current session. Remove a passkey from account controls when available and from the platform password/passkey manager separately.