22 Jul
Account verification emails with links vs codes
I need to send verification emails for things like
- email verification
- password reset
- email change
- password change
In the past most webapps would send an email with a clickable verification link that I'd click to go back to the site and complete the process.
These days I see many webapps instead send an email with a verification code that I must copy-paste into the browser, and sometimes it's a short random number that is easy to type manually (e.g. because I'm working on my desktop but I read the email on my phone).
What are the pros/cons to these two approaches?
I feel the "new" way is more UX than security, but I'm unsure. Which is more secure, and what tradeoffs should I consider?