Email code sign-in is the authentication method Loupely Lens uses. Instead of a password, you enter your email address and receive a one-time 6-digit code in your inbox. You enter the code, and you’re signed in.
How it works #
When you request a code, the system generates a one-time token, stores a hash of it, and emails you the 6-digit code. When you enter the code, it’s hashed and compared to what’s stored. A match signs you in and immediately deletes the stored hash. The code is consumed on use and can’t be reused.
Codes expire after 10 minutes. If you don’t enter the code within that window, request a new one.
Why no password #
A password that doesn’t exist can’t be stolen, guessed, or reused from another breach. Email code sign-in means nothing credential-based is stored in Loupely’s systems that could be extracted and used to access your account.
For a tool like Lens, which gets opened when a specific CSS problem comes up rather than on a daily schedule, not having to remember a password is also practical. The tool should be accessible when you need it, not blocked by a forgotten credential.
If a code arrives that you didn’t request #
Ignore it. It expires in 10 minutes and works exactly once. Someone entered your email address by mistake. Your account is not at risk.
How this differs from a magic link #
A magic link is a one-time sign-in URL sent to your inbox that you click to authenticate. Email code sign-in sends a short numeric code instead of a URL. You stay on the sign-in screen and enter the code there. The security properties are similar; the interaction is different.