ADR 0004: Passwordless Authentication for MVP (Magic Link)

Date: 2025-02-20
Status: Accepted

Context

Clerk integration was attempted but did not integrate well with Evalium’s backend-first approach.
Building full password authentication internally introduces major security responsibility:

credential storage
hashing/salting
MFA
reset flows
lockout, anti-bruteforce, breach handling

Evalium requires authentication quickly to support:

private assignments
org admin onboarding
reporting access via magic links
role assignment

Magic link login covers these needs.

Decision

Evalium will implement passwordless authentication using secure, single-use magic links as the primary login mechanism for MVP.

Options Considered

Full password system

Cons: high security liability, slow to build

OAuth-only (Google/Microsoft)

Cons: SMB buyers often avoid it, requires FE prereq

Magic Link (chosen)

Pros:

No password storage
Smaller security surface
Simple UX for SMBs
Reuses same machinery as reporting magic links
Cons:
Some enterprise clients will later demand SSO
Requires solid email deliverability

Consequences

Positive:

Fast implementation
High-security, low-surfaces
Perfect fit for initial consumers (training consultancies, SMEs)

Negative:

Will require a follow-up ADR introducing enterprise SSO in future

Notes

Does not preclude adding SSO/password auth later.
Magic link tokens stored hashed in DB using secure TTL.

Context​

Decision​

Options Considered​

Full password system​

OAuth-only (Google/Microsoft)​

Magic Link (chosen)​

Consequences​

Notes​