Passwordless connections allow users to log in without the need to remember a password. Instead, users enter their mobile phone number or email address and receive a one-time code or link, which they can then use to log in.

When a user authenticates via Passwordless, the user is attached to the connection using Auth0 as the Identity Provider (IdP). Since you can't force users to use the same mobile phone number or email address every time they authenticate, users may end up with multiple user profiles in the Auth0 datastore; you can link multiple user profiles through account linking.

Passwordless differs from Multi-factor Authentication (MFA) in that only one factor is used to authenticate a user—the one-time code or link received by the user. If you want to require that users log in with a one-time code or link in addition to another factor (e.g., username/password or a social Identity Provider, such as Google), see Multi-factor Authentication (MFA).

The benefits of enabling passwordless connections include:

• Improved user experience, particularly on mobile applications, because users only need an email address or mobile phone number to sign up, and the credential used for authentication is automatically validated after sign-up.

• Enhanced security because users avoid the insecure practice of using the same password for many purposes.

• Less effort for you because you will not need to implement a password reset procedure.

• Use of Auth0 as the Identity Provider (IdP), which provides a centralized location for user management.

Auth0 Passwordless connections support one-time-use codes sent via SMS or email, and magic links sent via email.

To implement passwordless authentication, you will need to:

1. Set up the passwordless connection in Auth0.
2. Set up your login page to work with Passwordless.
   • Universal Login + Lock (with passwordless)
   • Universal Login + Custom UI + Auth0.js
   • Embedded Login
3. Configure your application.

To learn how to set up a passwordless connection, configure your login page, and configure your application, see Implement Passwordless Authentication.

Passwordless connections have several limitations:

• Native applications, which use device-specific hardware and software, must use Universal Login.
• Only the Universal Login Classic Experience currently supports passwordless.
• Using Embedded Login with any application type leaves your application vulnerable to cross-origin resource sharing (CORS) attacks and requires the use of Auth0 Custom Domains, which is a paid feature.
• Since you can't force users to use the same mobile phone number or email address every time they authenticate, users may end up with multiple user profiles in the Auth0 datastore; you can link multiple user profiles through account linking.
• With magic link transactions, both the initial request and its response must take place in the same browser or the transaction will fail. This is particularly relevant for iOS users, who cannot change their default web browser. For example, the user makes the request using Chrome, but iOS opens the magic link received via email using Safari. If this happens, the transaction fails.
• To use a custom SMTP email provider, the SMTP server must:
  • support LOGIN authentication
  • support TLS 1.0 or higher
  • use a certificate signed by a public certificate authority (CA)

• Use the Universal Login Classic Experience with the Lock (passwordless) template for your login page.

• Sample Use Cases: Rules with Passwordless
• Relevant API Endpoints
• Implement Passwordless Authentication
• Troubleshooting