Why magic-link login wins for care home staff (and how we hardened it)

The single biggest barrier to digital adoption in UK care homes isn't computer literacy — it's passwords. The average carer or domestic doesn't have an email account they check daily, doesn't want to install an app, and has six other systems screaming for credentials.

How magic links work in CareLoop

When a staff member needs to confirm a shift, sign a policy, or update a cert — we send a one-time link by their preferred channel (SMS, WhatsApp or email). Tap it, and they're in. No password. The link is single-use and expires in 30 minutes.

Where we hardened it

• Single-use, server-tracked. The link is invalidated the moment it's clicked or expires.
• Channel binding. The link is signed with the channel it was sent on, so a leaked SMS can't be replayed via email.
• Device binding (optional). Enterprise customers can require the same device that received the link.
• Rate limited per phone/email and per IP.
• Audit logged. Every issued link, every redemption, every failure.

What we don't do

Magic links aren't a silver bullet. For super_admin and org_admin roles we still require password + MFA — the impact of compromise is too high. For carers, the threat model is different: an attacker would need access to their phone to do anything dangerous, at which point you're past the perimeter anyway.

The win is adoption. We see 87% of invited staff active in CareLoop within seven days of invite — the published industry benchmark for password-based care SaaS is 41% in the same window.