AWS Startups Blog

Increase Engagement and Enhance Security with Password-less Authentication



Guest post by Ado Kukic, Auth0

One of the most critical aspects of any application is its authentication system. Traditionally, users logged in by providing a username or email and password combo. This served many apps well for a while, but it has well-known problems.

Users tend to reuse the same password for multiple services, choose weak passwords, and forget passwords to services they don’t often use. On top of that, developers have to make decisions about how to best hash and store user passwords in the database, implement recovery systems, enforce password complexity requirements, and more. It would appear that passwords are the problem. What if there were a better way to solve user authentication?

There is! It’s called passwordless authentication. As the name implies, passwordless authentication is authentication that does not require the user to enter a password. Instead, users simply enter an email or phone number, and the system sends them a one-time passcode or link that grants them access to the system. Some passwordless systems additionally allow users to log in via push notifications or by using their fingerprints.

There are many benefits to using passwordless authentication, and companies like Slack, Twitter, and Medium are embracing it. For users, there is an obvious convenience factor. Rather than having to go through a lengthy account setup process, they can simply provide an email or phone number, verify that the information they provided is valid, and gain access to your app. This in turn leads to a reduction in customer abandonment, which should make both developers and app owners happy.

Besides the convenience factor, there is also an added security benefit to going passwordless. Even the largest of enterprises have experienced data breaches. Your app might not be the one breached, but because users reuse passwords, credentials stolen from another service are routinely replayed against other sites (credential stuffing), and that can lead to unauthorized access in your app. With no password to reuse, there is nothing for an attacker to replay.

Implementing Passwordless Authentication

The flow of passwordless authentication is similar to that of two-factor authentication. Relying on a secondary channel, such as an email account or an SMS-capable phone, means an attacker needs control of that channel rather than just a leaked password, which makes it harder to compromise an account. The flip side is that the account becomes exactly as secure as that channel: a compromised inbox, or a phone number taken over through SIM swapping, is enough to log in, so SMS in particular should be chosen with that risk in mind.

Let’s examine an in-depth flow of a user authenticating with a passwordless authentication system that relies on the email:

[Diagram: email magic-link login flow]

  1. The user sends a login request by providing an email address in a log-in form.
  2. The system checks if the user exists. If found, the system sends an email to that address containing a magic link that the user must click to authenticate. If the user is not found, the system creates a new user and then sends the email.
  3. The user receives the email a few seconds later and clicks the link in the email.
  4. The system checks that the link is valid (the token matches an outstanding login request, has not expired, and has not already been used) and, if so, grants the user access to the system.

There are many use cases and ways that this can be implemented. For example, instead of receiving a magic link, the user might receive a one-time passcode: a randomly generated alpha-numeric code that is valid for only a single log-in attempt. Because a short code can be guessed, the system should also cap the number of verification attempts. In either form, the secret should come from a cryptographically secure random source, be stored only as a hash, be consumed on first use, and expire quickly. Common use cases call for a magic link to be valid for only 5 minutes.

Additional Considerations

The examples we’ve provided so far assume that users are logging in through a web browser on their desktops. What about mobile users and native applications?

Native mobile applications can benefit from passwordless authentication as well. Android App Links and iOS Universal Links allow for a seamless integration between clicking a confirmation link and going back into the app as a logged-in user. Push notifications can enhance the experience even further by having the user simply accept or deny a login request — no need for one-time codes or links.

Passwordless Authentication with Auth0

Building a passwordless authentication system from scratch is difficult and time-consuming. There are many factors to consider, such as which providers to use for delivering SMS and email messages, maintaining the store of valid one-time passcodes, and more.

Auth0 makes implementing passwordless authentication a breeze. By flipping a few switches and configuring a few settings, you can have passwordless authentication up and running.


Once you’ve enabled passwordless in your Auth0 management dashboard, you can use the Lock widget to quickly implement one or multiple passwordless authentication strategies in your application. The following example shows how to add passwordless authentication with email magic links.

// Replace these placeholders with the values from your Auth0 client settings.
var CLIENT_ID = 'YOUR_AUTH0_CLIENT_ID';
var DOMAIN = 'YOUR_AUTH0_DOMAIN';
var CALLBACKURL = 'YOUR_AUTH0_CALLBACKURL'; // must be listed as an allowed callback URL in Auth0

function loginWithEmailLink() {
  var lock = new Auth0LockPasswordless(CLIENT_ID, DOMAIN);
  // Open the Lock modal in magic-link mode: Auth0 emails the user a link,
  // and clicking it completes the login and redirects to CALLBACKURL.
  lock.magiclink({
    responseType: 'token',
    callbackURL: CALLBACKURL
  });
}

Auth0 passwordless authentication is highly customizable to fit the needs of any use case. Configuration options include the ability to let a user authenticate via SMS, email, and even TouchID. You can also mix and match, offering passwordless alongside other methods such as social login, all from one log-in modal. If Lock just isn't your thing, you have full access to the API to build and implement your own login functionality however you see fit.

Let’s see it in action with SMS and a one-time passcode. The following gif shows a user going through the flow of requesting a one-time passcode, verifying it, and successfully logging in.

[Animation: SMS one-time passcode login flow]

Sign up for a free account and implement passwordless authentication in your apps with Auth0 today. Be sure to check out the docs to get up and running quickly and to see all the options Auth0 provides.