Passwordless connections allow users to log in without the need to remember a password. Instead, users enter their mobile phone number or email address and receive a one-time code or link, which they can then use to log in.
When a user authenticates via Passwordless, the user is attached to the connection using Auth0 as the Identity Provider (IdP). Since you can't force users to use the same mobile phone number or email address every time they authenticate, users may end up with multiple user profiles in the Auth0 datastore; you can link multiple user profiles through account linking.
A passwordless connection is another type of connection separate from any existing database, social, or Enterprise connections. Even though a user from an Auth0 user database or social provider might share the same email address, the identity associated with their passwordless connection is distinct. As with linking multiple email addresses or mobile phone numbers used for the passwordless connection, account linking can also be used to associate a passwordless identity with identities from other types of connections.
Passwordless differs from Multi-factor Authentication (MFA) in that only one factor is used to authenticate a user—the one-time code or link received by the user. If you want to require that users log in with a one-time code or link in addition to another factor (e.g., username/password or a social Identity Provider, such as Google), see Multi-factor Authentication (MFA).
The benefits of using Passwordless authentication include:
Improved user experience, particularly on mobile applications, because users only need an email address or mobile phone number to sign up.
Enhanced security: Passwords are a major vulnerability as users reuse passwords and are able to share them with others. Passwords are the biggest attack vector and are responsible for a significant percentage of breaches. They also lead to attacks such as credentials stuffing, corporate account takeover, and brute force attacks.
Reduces the total cost of ownership, as managing passwords is expensive (implementing password complexity policies, password expiration, password reset processes, password hashing and storing, breached password detection).
Supported authentication methods
Auth0 Passwordless connections support one-time-use codes sent via SMS or email, and magic links sent via email.
When using passwordless authentication with SMS, users:
- Provide a mobile phone number instead of a username/password combination.
Receive a one-time-use code via SMS.
Enter the one-time-use code on the login screen to access the application.
When using passwordless authentication with email, users:
- Provide an email address instead of a username/password combination.
Depending on how you have configured your passwordless connection, receive either a one-time-use code or magic link via email.
Enter the one-time-use code on the login screen (or click the magic link in the email) to access the application.
To implement passwordless you'll need to make two key decisions:
- Which authentication factor you want to use (SMS or Email with one-time-use code, Email with Magic Link).
- If you are going to implement authentication using Embedded Login or Universal Login.
The main driver for picking the authentication factor is user experience, and that depends on your application and its target audience. If the application will run on mobile phones, it is highly likely that users will be able to receive SMS messages. If it's an internal web application that is used in an environment where users cannot have their mobile phones with them, Email would be the only choice.
If you decide to use Email, then you need to decide between an one-time-use code or a magic link. We recommend using one-time-use code as the login flow is more predictable for end users. To learn more refer to the following documents:
- Passwordless using Email and one-time-use code
- Passwordless using Email and Magic Links
- Passwordless using SMS
Auth0 supports two way of implementing authentication: Embedded Login and Universal Login.
The industry is aligned in that Universal Login is the proper way to implement authentication in all apps, but in the case of Native Applications, sometimes customers prefer to implement Embedded Login for UX reasons.