Passwordless

Log in without Passwords: Introducing Auth0 Passwordless

SMS Authentication and Email Authentication made easy and secure.

September 30, 2015

TL;DR: Auth0 Passwordless is a drop-in authentication system based on Email or SMS, that improves security and user experience. Check it out auth0.com/passwordless.


It’s clear that passwords are not fun anymore. According to the website haveibeenpwned.com, 220,385,281 accounts were exposed in the top 10 breaches, and 152,450,038 of them were compromised this past year. On the other hand, according to a study, more than half (59%) of the users surveyed admit they reuse the same password because it’s hard to remember them.

What is our industry doing to address this problem?

  1. A second factor of authentication (Google Authenticator, SMS, etc.)
  2. Password managers

A second factor significantly reduces the risk of your account being compromised. We support multifactor at Auth0 and it has been a very popular feature, but you still have a password to remember and the second factor introduces more complexity and friction to the average user. Password managers are useful (I personally use one) but still they feel like a band-aid on the problem, not addressing the real issue.

A third trend we've started to see is to remove the password input from the login box altogether. Companies like Medium, Slack, Twitter, and WhatsApp are already doing it, and even Google’s new login screen hints at a future beyond passwords.

[Image: login screens from services that have removed the password input from the login box]

We’ve been experimenting over the past few months, and we’re ready to release our first version today. With Auth0 Passwordless you can use one time codes or “magic links” delivered via SMS or e-mail without having to worry about the implementation details.

Log in via e-mail or SMS, simplified

Following our philosophy of "just a few lines of code", here is how you trigger a "magic link" that will be sent to the user’s email:

var lock = new Auth0LockPasswordless('client-id', 'yours.auth0.com');
lock.magiclink();

Logging in via SMS is just as simple:

var lock = new Auth0LockPasswordless('client-id', 'yours.auth0.com');
// options holds the Lock Passwordless configuration (see the docs);
// an empty object is assumed here to stand in for your own settings
var options = {};
lock.sms(options, function(err, profile, jwt) {
  if (err) { return alert('login failed: ' + err.message); }
  alert('welcome ' + profile.phone_number);
});

Try this yourself on the playground.

What's behind this?

Although conceptually simple, implementing passwordless authentication requires coordination of many components. And Auth0 Passwordless takes care of them all. These components include:

  • A public API with appropriate rate limiting that prevents abuse.
  • A beautiful, extensible and open source client JavaScript API library and UI widget for Web apps.
  • An open source native component and UI widget for iOS and Android.
  • Integration with well known, scalable and secure Email (SendGrid, Mandrill and Amazon SES) and SMS providers (Twilio).
  • An admin dashboard to manage and customize all of the above.

We implemented all of these and made it easy, accessible and secure to everyone. We also documented typical questions that come up around passwordless: check out the FAQ.

Works everywhere

As developers we have to deal with a handful of devices, screen sizes, and browser-specific challenges. We wanted the Lock Passwordless widget to automatically adapt to mobile web browsers on various iOS and Android versions.

Auth0 Passwordless can be used on all platforms: native apps, web apps, mobile web, command line interfaces or anything that can send an HTTP request over the net. It's a great way to achieve Single Sign On across everything with a single uniform authentication scheme across the board.


Future directions

We are seeing a trend that web applications are moving to longer session expirations so that users are not asked to log in frequently - similar to a native app on a mobile device. Then, whenever a user asks to perform a sensitive operation, they’re asked for "step up" authentication (think "sudo" command on Linux). Auth0 Passwordless is a way to implement such a mechanism quickly and securely. Combine this with anomaly detection, suspicious logins and centralized session revocation and you have a robust yet usable authentication system.

Auth0 Passwordless is ready to be used in production today and it is included in every Auth0 plan.

We can’t wait to see what you will build. And we look forward to continuing to contribute more improvements to identity and security on the web 🔐.

Want to learn more about Single Sign-On? Get The Definitive Guide on SSO (74-page free eBook) here.
