Passwordless Connections

Passwordless connections allow users to log in without the need to remember a password. Instead, users enter their mobile phone number or email address and receive a one-time code or link, which they can then use to log in.

When a user authenticates via Passwordless, the user is attached to the connection using Auth0 as the Identity Provider (IdP). Since you can't force users to use the same mobile phone number or email address every time they authenticate, users may end up with multiple user profiles in the Auth0 datastore; you can link multiple user profiles through account linking.

Passwordless differs from Multi-factor Authentication (MFA) in that only one factor is used to authenticate a user—the one-time code or link received by the user. If you want to require that users log in with a one-time code or link in addition to another factor (e.g., username/password or a social Identity Provider, such as Google), see Multi-factor Authentication (MFA).

Benefits

The benefits of enabling passwordless connections include:

  • Improved user experience, particularly on mobile applications, because users only need an email address or mobile phone number to sign up, and the credential used for authentication is automatically validated after sign-up.

  • Enhanced security because users avoid the insecure practice of using the same password for many purposes.

  • Less effort for you because you will not need to implement a password reset procedure.

  • Use of Auth0 as the Identity Provider (IdP), which provides a centralized location for user management.

Supported authentication methods

Auth0 Passwordless connections support one-time-use codes sent via SMS or email, and magic links sent via email.

SMS

Send one-time-use codes to the mobile phone number the user enters using:

Customization

For SMS, you can customize the following properties:

  • Message text and syntax (Markdown or Liquid)
  • Message language
  • One-time-use code length
  • One-time-use code expiration period
  • Whether to allow user sign-up via passwordless

User experience

When using passwordless authentication with SMS, users:

  1. Provide a mobile phone number instead of a username/password combination.
  2. Receive a one-time-use code via SMS.
  3. Enter the one-time-use code on the login screen to access the application.

Email

Send users one-time-use codes or magic links using:

Customization

For emails, you can customize the following properties:

  • Email template and syntax (HTML or Liquid)
  • Message language
  • Email variables
  • One-time-use code length
  • One-time-use code expiration period
  • Whether to allow user sign-up via passwordless

User experience

When using passwordless authentication with email, users:

  1. Provide an email address instead of a username/password combination.
  2. Depending on how you have configured your passwordless connection, receive either a one-time-use code or a magic link via email.
  3. Enter the one-time-use code on the login screen (or click the magic link in the email) to access the application.

Implement Passwordless

To implement passwordless authentication, you will need to:

  1. Set up the passwordless connection in Auth0.
  2. Set up your login page to work with Passwordless.
    • Universal Login + Lock (with passwordless)
    • Universal Login + Custom UI + Auth0.js
    • Embedded Login
  3. Configure your application.

To learn how to set up a passwordless connection, configure your login page, and configure your application, see Implement Passwordless Authentication.

Limitations

Passwordless connections have several limitations:

  • Native applications, which use device-specific hardware and software, must use Universal Login.
  • Only the Universal Login Classic Experience currently supports passwordless.
  • Using Embedded Login with any application type leaves your application vulnerable to cross-origin resource sharing (CORS) attacks and requires the use of Auth0 Custom Domains, which is a paid feature.
  • Since you can't force users to use the same mobile phone number or email address every time they authenticate, users may end up with multiple user profiles in the Auth0 datastore; you can link multiple user profiles through account linking.
  • With magic link transactions, both the initial request and its response must take place in the same browser or the transaction will fail. This is particularly relevant for iOS users, who cannot change their default web browser. For example, the user makes the request using Chrome, but iOS opens the magic link received via email using Safari. If this happens, the transaction fails.
  • To use a custom SMTP email provider, the SMTP server must:
    • support LOGIN authentication
    • support TLS 1.0 or higher
    • use a certificate signed by a public certificate authority (CA)

Limitations of One-Time Passwords

  • Only the last one-time password (or link) issued will be accepted. Once the latest one is issued, any others are invalidated. Once used, the latest one is also invalidated.
  • Only three failed attempts to input the one-time password are allowed. After this, a new code will need to be requested.
  • The one-time password issued will be valid (by default) for three minutes before it expires. This time can be altered in the connection settings in the Dashboard.
