
Magic Link Authentication

BreachSpider does not use passwords. Every login is authenticated with a one-time magic link sent to your registered email address. This guide explains how the system works, why it was designed this way, and how to troubleshoot common issues.


Why No Passwords

Stolen, guessed, and reused passwords remain one of the most common initial-access vectors in breaches. OT environments are especially exposed because operators often share credentials across systems or choose simple passwords for convenience during plant operations.

Magic link authentication removes the password from the picture:

  • No password to steal, phish, or brute-force.
  • No password reuse across systems.
  • No shared credentials between operators.
  • Every login creates a fresh, time-limited session tied to a verified email address.
  • The email address is the only credential, and it is verified on every login.

The trade-off is that the mailbox becomes the credential: anyone who can read your email can log in as you. Protect the email account with multi-factor authentication, and treat a login-link email you did not request as a sign that someone else entered your address on the login page.

For environments subject to NERC CIP or IEC 62443, this can simplify compliance documentation: there is no password complexity or rotation policy to maintain or audit. Access authorization, session logging, and revocation requirements still apply, and are served by the audit log and session controls described below.


How to Log In

  1. Navigate to breachspider.com/login.
  2. Enter your registered email address.
  3. Click Send Login Link.
  4. Check your inbox for an email from [email protected].
  5. Click the link in the email.
  6. You are logged in and redirected to your dashboard.

The login link is valid for 15 minutes from the time it is sent and can be used only once. The first click consumes it; any later click is rejected.

If the link has expired (you will see a "Link expired" message), return to the login page and request a new one. There is no penalty or lockout for expired links; you can request as many as you need.

If links consistently expire before you can use them, check whether your email provider delays delivery. Corporate email filters and security gateways can hold messages for scanning for several minutes; comparing the email's Date header with the time it reached your inbox shows how much of the 15-minute window was lost in transit.


PWA vs Browser Behavior

When you open BreachSpider as a Progressive Web App (installed on your home screen or desktop), magic links behave differently from the way they do in a standard browser:

  • Browser login: Clicking the magic link in your email opens a new browser tab, verifies the link, sets the session, and redirects to the dashboard. Straightforward.
  • PWA login: The magic link opens in your default browser, not inside the PWA, because links opened from an email client go to the system browser. BreachSpider uses a poll-and-complete handoff: the PWA polls the server for confirmation of the login it requested while the browser tab verifies the link. Once the link is verified, the PWA detects the active session on its next poll and logs you in automatically. The browser tab can then be closed.

If the PWA does not detect the session within 30 seconds, close and reopen the PWA. The session should be active.


Session Management

After logging in, your session is maintained with an HttpOnly cookie. A session stays active for up to 30 days of inactivity; any request within that window resets the 30-day timer, so a session in regular use does not expire.

To view your active sessions:

  1. Navigate to Account > Security > Active Sessions.
  2. Each session shows: device type, browser, IP address, last active timestamp.
  3. Click Revoke on any session to immediately invalidate it.

Revoking a session logs out that device. The revocation is recorded in the audit log as SESSION_REVOKED.


Troubleshooting

Magic link email not arriving:

  • Check your spam or junk folder.
  • Check if your email provider blocks transactional emails from new senders.
  • Verify you are entering the same email address you registered with.
  • If you use a corporate email gateway, ask your IT team to allowlist [email protected].
  • Wait 2 minutes -- some email providers batch-deliver messages.

Link says "already used":

Each magic link is single-use. If you see this message, the link was already consumed. The usual cause is an email security gateway that fetches links in incoming mail to scan them, which uses up the link before you click it. Request a new link and click it promptly; if it happens repeatedly, ask your IT team whether the gateway's link-scanning feature fetches URLs and whether BreachSpider's sender address can be exempted from it.

Link says "expired":

Return to the login page and request a new link. Links expire after 15 minutes.

Logged out unexpectedly:

Your session expired after 30 days of inactivity, or it was revoked (by you from another device, or by an administrator). Request a new login link. If you did not revoke the session yourself, check the audit log for a SESSION_REVOKED entry and review Active Sessions for any device you do not recognize.


Security Considerations

  • The verification link is served over HTTPS and checked server-side. The email that carries it is only as confidential as your mail transport and mailbox, which is why links are short-lived and single-use.
  • Each link contains a cryptographically random token that is invalidated on first use or after 15 minutes, whichever comes first.
  • Session cookies are HttpOnly, Secure, and SameSite=Strict.
  • All login events are recorded in the audit log with timestamp, IP address, and user agent.
  • If you suspect unauthorized access, revoke all sessions under Account > Security, review the audit log for LOGIN events from unfamiliar IP addresses or user agents, and secure the email account itself, since it is the credential.