Lock Android v2 Passwordless


This functionality has been deprecated in native. After June 2017, tenants cannot use the native passwordless flow. The functionality will continue to work for tenants that currently have it enabled. If at some point the passwordless mode feature is changed or removed from service, customers who currently use it will be notified beforehand and given ample time to migrate.

Lock Passwordless authenticates users by sending them an Email or SMS with a one-time password that the user must enter and confirm to be able to log in, similar to how WhatsApp authenticates you. This article will explain how to send a CODE using the Lock.Android library.

You can achieve a similar result by sending a LINK that the user can click to finish the passwordless authentication automatically, but a few more configuration steps are involved. You can check that article here.

In order to be able to authenticate the user, your application must have the Email/SMS connection enabled and configured in your Auth0 Dashboard.

Note that Passwordless Lock cannot be used with the OIDC Conformant Mode set to true. For more information, please see the OIDC adoption guide.

Implementing CODE Passwordless

In your app/build.gradle file add the Manifest Placeholders for the Auth0 Domain and the Auth0 Scheme properties which are going to be used internally by the library to register an intent-filter that captures the callback URI.

It's a good practice to define reusable resources like @string/com_auth0_domain but you can also hard code the value to YOUR_DOMAIN in the file.

Next, modify the AndroidManifest.xml file. Add the android.permission.INTERNET permission to allow Lock to make requests to the Auth0 API.

Add the PasswordlessLockActivity. Depending on which passwordless connection you need to handle, the data attribute of the intent-filter will differ:

The data attribute of the intent-filter defines which syntax of "Callback URI" your app is going to capture. In the above case it's going to capture calls from email passwordless connections. In case you're using the sms passwordless connection, the pathPrefix would end in sms.

In versions 2.5.0 or lower of Lock.Android you had to define an intent-filter inside the PasswordlessLockActivity to make possible to the library to capture a Social provider's authentication result. This intent-filter declaration is no longer required for versions greater than 2.5.0 , as it's now done internally by the library for you.

In case you are using an older version of Lock for Social Authentication, the data attribute that captures the "/callback" redirect URI inside the intent-filter must be added to the PasswordlessLockActivity by you.

Make sure the Activity's launchMode is declared as singleTask or the result won't come back in the authentication.

When the Passwordless connection is SMS you must also add the CountryCodeActivity to allow the user to change the Country Code prefix of the phone number.


In any of your activities, you need to initialize PasswordlessLock and tell it to send a CODE. We'll indicate this by calling the useCode() method.

Finally, just start PasswordlessLock from inside your activity and perform the login.

Depending on which passwordless connections are enabled, Lock will send the CODE in an Email or SMS. The 'email' connection is selected first if available. Then the user must input the CODE in the confirmation step. If the value equals to the one the server is expecting, the authentication will be successful.