Laravel Passwordless Sign-In with Fortify 2FA Support | Mohamed Said        [  ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MH.png)   Mohamed Said Laravel Backend Engineer  ](https://msaied.com) [ Home ](https://msaied.com) [ Projects ](https://msaied.com/projects) [ Articles  ](https://msaied.com/articles) [ Certificates ](https://msaied.com/certificates) [ Contact ](https://msaied.com#contact-section) 

       [  ](https://github.com/EG-Mohamed)       

 [ Home ](https://msaied.com) [ Projects ](https://msaied.com/projects) [ Articles ](https://msaied.com/articles) [ Certificates ](https://msaied.com/certificates) [ Contact ](https://msaied.com#contact-section) 

  [ home ](https://msaied.com)    [ articles ](https://msaied.com/articles)    Passwordless Sign-In with Fortify Two-Factor Support in Laravel        On this page       1. [  Passwordless Sign-In with Fortify Two-Factor Support in Laravel ](#passwordless-sign-in-with-fortify-two-factor-support-in-laravel)
2. [  Scanner-Safe Magic Links ](#scanner-safe-magic-links)
3. [  Fortify Two-Factor Handoff ](#fortify-two-factor-handoff)
4. [  Issuing Links and Codes Yourself ](#issuing-links-and-codes-yourself)
5. [  Resend Limiting ](#resend-limiting)
6. [  Installation ](#installation)
7. [  Key Takeaways ](#key-takeaways)

  ![Passwordless Sign-In with Fortify Two-Factor Support in Laravel](https://cdn.msaied.com/409/dfd6ae4c1a91c60ca1d81cd84452bbc1.png)

 [  Laravel ](https://msaied.com/articles?category=laravel) [  Composer Pacakge ](https://msaied.com/articles?category=composer-pacakge)  #passwordless   #authentication   #magic-link   #fortify   #laravel-package  

 Passwordless Sign-In with Fortify Two-Factor Support in Laravel 
=================================================================

     10 Jul 2026      3 min read    ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MJ.jpg)  Mohamed Said  

       Table of contents

1. [  01   Passwordless Sign-In with Fortify Two-Factor Support in Laravel  ](#passwordless-sign-in-with-fortify-two-factor-support-in-laravel)
2. [  02   Scanner-Safe Magic Links  ](#scanner-safe-magic-links)
3. [  03   Fortify Two-Factor Handoff  ](#fortify-two-factor-handoff)
4. [  04   Issuing Links and Codes Yourself  ](#issuing-links-and-codes-yourself)
5. [  05   Resend Limiting  ](#resend-limiting)
6. [  06   Installation  ](#installation)
7. [  07   Key Takeaways  ](#key-takeaways)

 Passwordless Sign-In with Fortify Two-Factor Support in Laravel
---------------------------------------------------------------

The **Email Magic Link for Laravel** package (`pushery/email-magic-link-for-laravel`) brings passwordless authentication to Laravel 13 applications. Users sign in via an emailed link or a one-time code, and the package integrates cleanly alongside Laravel Fortify without adding any runtime dependencies beyond the framework itself.

Scanner-Safe Magic Links
------------------------

The classic magic-link problem is that security appliances pre-fetch every URL in an email, burning the single-use token before the user ever clicks it. This package solves that with a two-step flow:

1. A `GET` to `/magic-link/verify/{token}` renders a signed confirmation page — it changes nothing.
2. An explicit `POST` from that page consumes the token — something an email scanner will never issue.

Tokens are never stored in the clear. Only a keyed HMAC-SHA256 hash is persisted, consumption uses a race-free conditional claim, and each token has its own brute-force lockout (`max_attempts_per_token`, default `5`). Responses are identical whether or not the email address exists, preventing user enumeration.

Fortify Two-Factor Handoff
--------------------------

If a user has confirmed TOTP through Fortify, verifying their magic link does **not** log them in directly. Instead, they are routed to Fortify's two-factor challenge while still unauthenticated — there is no path that trades a link click for a bypassed second factor.

For SPA and mobile clients, set `api.enabled` to `true` and the endpoint returns a JSON response indicating which branch was taken:

```json
{ "authenticated": false, "two_factor": true, "redirect": "" }

```

Issuing Links and Codes Yourself
--------------------------------

The `EmailMagicLink` facade lets you mint credentials without sending anything, which is useful when delivering over SMS, push notifications, or a custom mailable:

```php
use EmailMagicLink\Facades\EmailMagicLink;

$link = EmailMagicLink::issueLink($user);
$link->url;              // Signed confirmation URL
$link->expiresAt;        // Carbon instance
$link->expiresInMinutes;

$code = EmailMagicLink::issueCode($user);
$code->code;
$code->expiresAt;

```

You can also inject the `EmailMagicLink\Contracts\MagicLinkIssuer` contract directly. Rebinding `MagicLinkAuthenticator` controls post-verification behaviour, and implementing `CaptchaGuard` adds a CAPTCHA to the confirmation form.

Resend Limiting
---------------

Passwordless flows invite users to hammer the resend button. The bundled `ResendGuard` applies escalating cooldowns (30 s, 60 s, 120 s) plus a rolling cap of five sends per hour:

```php
use EmailMagicLink\Contracts\ResendGuard;

public function resend(Request $request): Response
{
    $decision = $this->guard->attempt('custom-key');

    if (! $decision->allowed) {
        return back()->with('retry_after', $decision->retryAfterSeconds);
    }

    // Send mail…
}

```

Expired tokens are cleaned up by a scheduled command:

```bash
Schedule::command('email-magic-link:purge')->daily();

```

Installation
------------

The package requires PHP 8.4 and Laravel 13. Fortify is optional.

```bash
composer require pushery/email-magic-link-for-laravel
php artisan email-magic-link:install
php artisan migrate

```

Key Takeaways
-------------

- **Two-step link flow** prevents email scanners from consuming single-use tokens.
- **HMAC-SHA256 hashed tokens** with per-token brute-force lockout protect at rest.
- **Fortify TOTP handoff** ensures magic links cannot bypass a configured second factor.
- **Mint API** lets you issue links or codes for SMS, push, or custom mailables.
- **ResendGuard** applies escalating cooldowns and a rolling hourly send cap.
- **JSON API mode** supports SPA and mobile clients, including alternate guards.

---

*Source: [Passwordless Sign-In with Fortify Two-Factor Support in Laravel — Laravel News](https://laravel-news.com/passwordless-sign-in-with-fortify-two-factor-support-in-laravel)*

 Found this useful?

          [  ](https://twitter.com/intent/tweet?url=https%3A%2F%2Fmsaied.com%2Farticles%2Fpasswordless-sign-in-with-fortify-two-factor-support-in-laravel&text=Passwordless+Sign-In+with+Fortify+Two-Factor+Support+in+Laravel) [  ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fmsaied.com%2Farticles%2Fpasswordless-sign-in-with-fortify-two-factor-support-in-laravel) 

 Frequently Asked Questions 
----------------------------

  3 questions  

     Q01  How does Email Magic Link prevent email scanners from consuming the token?        The package splits verification into two steps. The GET request to the verify URL only renders a confirmation page and does not consume the token. The token is consumed only by an explicit POST from that page, which email security scanners do not issue. 

      Q02  Does the package bypass Laravel Fortify's two-factor authentication?        No. If a user has confirmed TOTP through Fortify, clicking the magic link routes them to Fortify's two-factor challenge while still unauthenticated. There is no code path that skips the second factor. 

      Q03  Can I use the package to send magic links via SMS or push notifications instead of email?        Yes. The EmailMagicLink facade exposes issueLink() and issueCode() methods that mint credentials without sending anything, so you can deliver them over any channel you choose. 

  Continue reading

 More Articles 
---------------

 [ View all    ](https://msaied.com/articles) 

 [ ![Laravel Enum Casts, Backed Enums, and Value Semantics in PHP 8.3](https://cdn.msaied.com/408/3534df365ffb2c8f6c430180bfaba8f1.png) laravel php8.3 enums 

### Laravel Enum Casts, Backed Enums, and Value Semantics in PHP 8.3

PHP 8.3 backed enums combined with Laravel's native enum casting unlock type-safe domain models. Learn how to...

  ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MJ.jpg)  Mohamed Said 

 10 Jul 2026     1 min read  

  Read    

 ](https://msaied.com/articles/laravel-enum-casts-backed-enums-and-value-semantics-in-php-83) [ ![Laravel Queues: Reliable Job Retry Strategies with Exponential Backoff and Dead-Letter Handling](https://cdn.msaied.com/407/704b143d40e1a6ac5a2faa4efb900174.png) laravel queues reliability 

### Laravel Queues: Reliable Job Retry Strategies with Exponential Backoff and Dead-Letter Handling

Beyond basic retries: how to implement exponential backoff, custom retry delays, and dead-letter queue pattern...

  ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MJ.jpg)  Mohamed Said 

 10 Jul 2026     4 min read  

  Read    

 ](https://msaied.com/articles/laravel-queues-reliable-job-retry-strategies-with-exponential-backoff-and-dead-letter-handling) [ ![Filament v3 Custom Table Columns: Rendering, State, and Performance at Scale](https://cdn.msaied.com/406/145404572d600dbdab49a13226b0537d.png) filament laravel tables 

### Filament v3 Custom Table Columns: Rendering, State, and Performance at Scale

Go beyond built-in columns in Filament v3. Learn how to build custom table columns with precise state resoluti...

  ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MJ.jpg)  Mohamed Said 

 10 Jul 2026     4 min read  

  Read    

 ](https://msaied.com/articles/filament-v3-custom-table-columns-rendering-state-and-performance-at-scale) 

   [  ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MH.png)   Mohamed Said Laravel Backend Engineer  ](https://msaied.com)Senior Backend Engineer specializing in Laravel, scalable SaaS platforms, APIs, and cloud infrastructure. I build secure, high-performance web applications that help businesses grow.

Explore

- [Home](https://msaied.com)
- [Projects](https://msaied.com/projects)
- [Articles](https://msaied.com/articles)
- [Certificates](https://msaied.com/certificates)
- [Contact](https://msaied.com#contact-section)

Connect

- [   hello@msaied.com ](mailto:hello@msaied.com)
- [   +20 109 461 9204 ](tel:+201094619204)

© 2026 Mohamed Said. All rights reserved.

 [  ](https://github.com/EG-Mohamed) [  ](https://www.linkedin.com/in/msaiedm/) [  ](https://wa.me/201094619204) [  ](mailto:hello@msaied.com) [  ](https://drive.google.com/file/u/0/d/1MF20IPRJyzfy32mhEutjL5EpSls0w2Q8/view)
