
An open source alternative that was posted last week:

https://www.hanko.io/




Just for fun, a Hanko is the name of the stamp that Japanese citizens used to authorize documents and prove their identity on documents. Cool project name and cool logo!


Great listen on the Japanese hankos and how Japanese workers had to deal with using them during the pandemic on 99pi:

https://99percentinvisible.org/episode/hanko/


Can someone give a one or three sentence pitch for Hanko (and Passage) for an interested company?


Hanko.io is an open source authentication and user management solution that is optimized for passkeys as the upcoming default login method. The frontend (login box for now, user profile coming soon) is a web component, allowing for a simple and flexible integration to websites and apps built with a wide range of web frameworks.


Ok say I adopt it. What do I tell a potential customer to do? As either a UX designer or sales guy talking directly?


Unfortunately it does not have magic link fallback when passkeys are not available.


We decided to go with email passcodes as fallback method because of the limitations we identified with magic links. The biggest issue was the inability to sign in on devices where the users don’t have access to their email account to click the link.

With that being said, we (or someone else) may reintroduce magic links as another login alternative for Hanko, because we also think that it is a better UX to click a link than to type a code.

In any case, our take is that the importance of the fallback auth method will diminish over time due to the omnipresence of passkey support.


If someone's signing into a mobile app, quite a good backup option for magic links is to show a QR code containing the current URL, on the callback URL.

Assuming you're using universal app links, if they open it on a device with the app installed, it'll go straight there. If not, it'll show the QR code and the user can just scan that with their default camera app on the device they're trying to use.


I solved this for django-tokenauth[1] by making the token short and easy for humans to type in. Depending on how many tokens you have in flight at once, you can use very few digits.

[1] https://github.com/skorokithakis/django-tokenauth


Have you decided upon a minimum entropy level for the low digit tokens that prevents brute force attacks being feasible? I think easy to type in is something you can do with longer tokens, so long as it's readable as a sentence. "1676226" is harder to type in than "TotallyAgreeableCatPants" for example.


I basically calculated "active tokens at any time", "acceptable probability of collision" and "keyspace bits" and decided on length based on that.

Wordlists are a good solution too, as you say.
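The sizing the two comments above describe (active tokens in flight, an acceptable probability that a guess succeeds, and the resulting keyspace) carried through in code, together with a verifier that actually enforces the guess budget the math assumes. This is an added example, not code from django-tokenauth or Hanko. It assumes a login endpoint that accepts a bare token with no username to scope it (so any active token is a hit), a guess budget that is global rather than per user, and, for the word form of the token, a list of 7776 words (the size of the EFF long list); the four-word sample list in the block is a constructed placeholder for such a list.

```python
import math
import secrets
import string


def guess_success_probability(keyspace, active_tokens, attempts):
    """Chance that an attacker allowed `attempts` guesses lands on any one of
    `active_tokens` tokens valid right now, when the endpoint accepts a bare
    token. Each guess succeeds with probability active_tokens / keyspace, so the
    overall chance is 1 - (1 - p) ** attempts (assumption: guesses are uniform,
    tokens are uniform, and the budget is shared across all users)."""
    per_guess = min(1.0, active_tokens / keyspace)
    return 1.0 - (1.0 - per_guess) ** attempts


def min_length(active_tokens, attempts, max_success_prob, alphabet_size, max_len=64):
    """Smallest token length, in symbols drawn uniformly from an alphabet of
    `alphabet_size`, that keeps the brute-force success chance at or below
    `max_success_prob`. For digits alphabet_size is 10 and the result is a digit
    count; for a word list it is the list size and the result is a word count."""
    for n in range(1, max_len + 1):
        if guess_success_probability(alphabet_size ** n, active_tokens, attempts) <= max_success_prob:
            return n
    raise ValueError("no length up to max_len meets the target")


def entropy_bits(length, alphabet_size):
    """Keyspace bits of a uniformly random token of `length` symbols."""
    return length * math.log2(alphabet_size)


def new_digit_token(length):
    return "".join(secrets.choice(string.digits) for _ in range(length))


def new_word_token(wordlist, count):
    # CamelCase so the token reads as a phrase and survives copy/paste without spaces.
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(count))


class TokenVerifier:
    """Holds active single-use tokens and enforces the guess budget the sizing
    assumed: after `max_attempts` wrong guesses every outstanding token is
    revoked, so an attacker never gets more tries than min_length() allowed for."""

    def __init__(self, max_attempts):
        self.max_attempts = max_attempts
        self.failed = 0
        self.active = set()

    def issue(self, token):
        self.active.add(token)
        return token

    def verify(self, candidate):
        if self.failed >= self.max_attempts:
            return False                    # locked out until tokens are reissued
        if candidate in self.active:
            self.active.remove(candidate)   # single use
            return True
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.active.clear()             # lockout: revoke everything in flight
        return False


if __name__ == "__main__":
    # Assumed deployment: up to 100 tokens valid at once, 100 guesses allowed
    # before lockout, and at most a 1-in-50,000 chance that the budget succeeds.
    digits = min_length(active_tokens=100, attempts=100, max_success_prob=2e-5, alphabet_size=10)
    words = min_length(active_tokens=100, attempts=100, max_success_prob=2e-5, alphabet_size=7776)
    print(f"{digits} digits ({entropy_bits(digits, 10):.1f} bits), "
          f"{words} words from a 7776-word list ({entropy_bits(words, 7776):.1f} bits)")
    sample_words = ["totally", "agreeable", "cat", "pants"]   # constructed stand-in for a real list
    print("digit token:", new_digit_token(digits))
    print("word token: ", new_word_token(sample_words, words))
```

The word form needs fewer symbols for the same keyspace because each symbol carries about 12.9 bits instead of 3.3, which is why a phrase can be both easier to type and stronger than a short numeric code. The lockout in `TokenVerifier` matters as much as the length: without a cap on failed guesses, `attempts` in the sizing is unbounded and no practical length holds.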



