Passwordless Authentication
Passwordless authentication provides users with a seamless and more secure login experience. As technology advances, traditional methods of authentication, such as usernames and passwords, become more prone to cyber attacks (like phishing or keylogging) and potential breaches.
With passwordless authentication, users no longer need to remember or manually enter a password to access an application. Instead, they can use a variety of authentication methods that rely on time-based access links and tokens, stored passkeys, biometrics, or social accounts.
By eliminating the reliance on passwords and other memorized codes, you can provide users with a more convenient way of accessing applications while also reducing the likelihood of data breaches due to stolen or weak passwords.
Auth0 currently supports the following methods of passwordless authentication:
Each of these methods provides a unique passwordless login experience to users. To learn more about which method is right for your needs, review the sections below.
Passwordless connections vs. passwordless authentication
A passwordless connection is a distinct connection type from database, social, or enterprise connections. Passwordless connections are used specifically for:
Even though a user from an Auth0 user database or social provider might share the same email address, the identity associated with their passwordless connection is distinct. Account linking can be used to associate passwordless connection identities with other connection identities.
You cannot create passwordless users from the Auth0 Dashboard. Create them directly from the Management API if signup is disabled. In the Connection field, use email for passwordless users using an email address and SMS for passwordless users using a mobile phone number.
Social Login
Social login is a method of authentication that allows users to log in to an application using existing credentials from a social identity provider, such as Google or Facebook. As users frequently have their social credentials stored in their browser or device, social login provides a frictionless user experience that requires minimal manual interaction with your application.
The general workflow for social login is as follows:
A user arrives at your application’s login screen and selects the Continue with [provider] option.
The user follows prompts from the selected provider to authenticate with their existing social credentials.
The user is redirected to your application to complete the login process.
For web-based applications, Auth0 supports multiple social identity providers out of the box. Visit the Social Login section of Auth0 Marketplace to review a full list of supported providers. If a specific provider is not available, you can also configure custom social login connections through the Auth0 Dashboard.
For native applications, Auth0 supports social login for select providers:
For these applications, Auth0 supports social connection token exchange, which enables authentication without the need for web redirects.
Passkeys
Passkeys are a phishing-resistant alternative to traditional authentication factors modeled from FIDO® W3C Web Authentication (WebAuthn) and Client to Authenticator Protocol (CTAP) specifications.
Auth0 supports passkeys as an authentication method for database connections and offers two methods of implementation:
Universal Login passkeys for web-based applications
Native passkeys for Android and iOS applications
Passkeys reduce the friction experienced with single-device authentication methods by allowing credentials to sync across devices. Cross-device authentication eliminates the need for users to re-enroll each of their devices.
An example passkeys workflow for web-based applications is as follows:
A user arrives at your application’s Universal Login page and enters their email address.
The user then has the choice to create a passkey or continue with traditional authentication.
When the user selects Create a new passkey, the browser’s passkey flow initiates and prompts the user to authenticate with their device credentials, such as biometrics.
After local authentication is complete, the passkey is saved to the user’s device and synced with their passkey provider (such as iCloud or Google).
After this process is complete, the user can authenticate with the saved passkey upon subsequent logins to your application.
SMS-Based Passwordless Authentication
SMS-based passwordless authentication allows users to access applications using single-use codes known as one-time passwords (OTP). With this implementation, OTPs are sent to users’ phone numbers via SMS.
The general workflow for SMS-based OTPs is as follows:
A user arrives at your application’s login screen and enters their phone number.
Auth0 sends the user an OTP through SMS.
The user copies the code and returns to your login screen.
The user enters the code in the space provided and logs in to your application.
While Auth0 recommends using Universal Login to implement this method of authentication, you can also use Classic Login or Embedded Login as appropriate for your needs.
To learn more about configuring SMS-based passwordless authentication for different login types, review the resources below:
This category of passwordless authentication is currently treated as a unique connection type in your tenant, separate from other database, social, or enterprise connections.
When a user authenticates with this method, their profile is created on the passwordless connection using Auth0 as the Identity Provider (IdP). As you cannot ensure users will log in with the same email or phone number every time, users may end up with multiple user profiles in the Auth0 datastore. If duplicates are created, you can associate multiple user profiles by linking their accounts.
In some scenarios, a user profile created through this type of passwordless connection may share an identifier (such as email or phone number) with a profile associated with another type of connection, such as enterprise or social. If this occurs, you can use account linking to associate passwordless profiles with identities from other connections.
Email-Based Passwordless Authentication
Email-based passwordless authentication encompasses two methods:
This category of passwordless authentication is currently treated as a unique connection type in your tenant, separate from other database, social, or enterprise connections.
When a user authenticates with this method, their profile is created on the passwordless connection using Auth0 as the Identity Provider (IdP). As you cannot ensure users will log in with the same email or phone number every time, users may end up with multiple user profiles in the Auth0 datastore. If duplicates are created, you can associate multiple user profiles by linking their accounts.
In some scenarios, a user profile created through this type of passwordless connection may share an identifier (such as email or phone number) with a profile associated with another type of connection, such as enterprise or social. If this occurs, you can use account linking to associate passwordless profiles with identities from other connections.
One-time passwords
This method of passwordless authentication allows users to access applications using single-use codes known as one-time passwords (OTP). With this implementation, OTPs are sent to users through their email.
The general workflow for email-based OTPs is as follows:
A user arrives at your application’s login screen and enters either their email.
Auth0 sends an OTP to the user’s email.
The user copies the code and returns to your login screen.
The user enters the code in the space provided and logs in to your application.
While Auth0 recommends using Universal Login to implement passwordless connections, you can also use Classic Login or Embedded Login as appropriate for your needs.
To learn more about configuring email-based passwordless authentication for different login types, review the resources below:
Magic Links
Magic links are a method of passwordless authentication that allow users to access an application through a link sent to their email. If the user does not access the link within a specific timeframe, the link becomes inaccessible.
The general workflow for magic links is as follows:
A user arrives at your application’s login screen and enters their email.
Auth0 sends a magic link to the user at the provided email.
The user selects the magic link in their email and automatically logs in to your application.
Magic links can only be implemented in Classic Login. To learn more, review the following resources:
Biometrics (WebAuthn)
Biometrics is a method of passwordless authentication that uses an individual’s physical attributes to verify their identity and grant them access to an application. Auth0 currently supports biometric authentication using fingerprint scans and facial recognition.
While Auth0 still supports the legacy Identifier First with Biometrics authentication method, it is strongly recommended that you use passkey-based authentication instead.
To implement biometrics for your application, the following configurations are required:
Enabling Universal Login.
Setting up a database connection.
Configuring Identifier First + Biometrics authentication.
When implemented, users can choose to enroll their devices in biometrics after logging in to your application with traditional credentials. To enroll in biometrics, a user must be using a device with biometric capabilities, such as a mobile smart device.
The general workflow for biometric authentication is as follows:
A user arrives at your application’s Universal Login page and enters their email address.
The user first authenticates with their traditional credentials. Then, they are prompted to enroll their device in biometrics.
If the user chooses to enroll, they follow their device’s prompts to complete the biometric setup process.
After the user enrolls their device, they can use biometrics as their primary method of authentication upon subsequent logins to your application.
To learn more about biometric authentication, review Configure WebAuthn with Device Biometrics for Passwordless Authentication.