SMS Passwordless Authentication
Going passwordless isn't new in the world of authentication, with Slack and Whatsapp on board. Learn how to build a secure app with SMS passwordless authentication.
Check out the repo to get the code for this tutorial.
What Is SMS Passwordless Authentication?
SMS Passwordless authentication is a type of authentication where users do not need to log in with passwords. This form of authentication totally makes passwords obsolete. With this form of authentication, users are presented with the option of logging in simply via a one-time unique code that is delivered via text message.
Benefits of Passwordless Authentication
Without much ado, passwordless authentication helps:
- Improve user experience: The faster users can sign up and use your service, the more users your app tends to attract. Users dread having to fill out forms and go through a rigorous registration process. Imagine eliminating that extra five minutes of asking users to remember their grandmother's maiden name as a security question. Passwordless authentication helps improve user experience in this regard!
- Increase security: 59% of internet users admit to using the same password for multiple accounts. Once an attacker gets hold of one account's password, he or she can compromise other accounts that use the same password. However, once you go passwordless, there are no passwords to be hacked.
How Does SMS Passwordless Authentication Work?
Let's take a look at how SMS passwordless authentication actually works. Check out the process below:
- The user is asked to enter a valid phone number, and enters one.
- A unique one-time code is sent to that phone number, and the user receives it.
- The user enters the code into your application. Your app validates that the code is correct and that the phone number exists and belongs to a user; a session is then initiated and the user is logged in. In Auth0's case, the user has five minutes to enter the code into the app and get logged in.
Take a look at Auth0's one-time code via SMS implementation below:
If the phone number matches an existing user, Auth0 just authenticates the user like so:
Other forms of passwordless authentication are:
- Authentication with a magic link via email.
- Authentication with a one-time code via e-mail.
- Authentication with a fingerprint. Auth0 supports TouchID.
Check out this excellent article to have an in-depth understanding of how these other forms of passwordless authentication work!
Phone Number/SMS Passwordless Authentication With Auth0
With Auth0, SMS passwordless authentication otherwise known as phone number authentication is dead simple to implement. There are diagrams earlier in this post that already show the SMS passwordless authentication flow using Auth0. The Passwordless API is an efficient API implementation of passwordless authentication.
We'll build an application that allows you to log in via your mobile phone number. Let's get started.
Create an index.html file in your directory and add the page markup to it (the code is in the repo linked above).
Create auth0-variables.js. We'll add the Auth0 variables to this file:
```javascript
var AUTH0_CLIENT_ID = 'CLIENT_ID';
var AUTH0_DOMAIN = 'AUTH0_DOMAIN';
```
Create an app.css file and add the stylesheet to it (also in the repo).
Run your app. The landing page should look like this:
When you click on Sign In, you should see this:
- On the Auth0 dashboard, click on the red Create Client button to create a new app, like so:
- Head over to the Passwordless Connections side of the dashboard and enable the SMS option. It should show something similar to the image below:
- The next page will ask you to fill in your Twilio credentials, including the Twilio Auth Token.
- Head over to Twilio, sign up and get those values (including the Auth Token), then add them to the Auth0 page and save.
- Head over to the settings tab for the Swapart app and copy your Client ID and Domain.
- Open up auth0-variables.js in your code and replace the AUTH0_CLIENT_ID and AUTH0_DOMAIN values with your real Auth0 keys.
- Make sure you add your app URL to the Allowed Origins (CORS) in the Auth0 dashboard. Your app has to run on a server; nginx is a good option.
Let's try our app. Click the Login button and put in your phone number.
The code from Auth0 is delivered to your phone.
Enter the code that was sent to your phone.
Submit, and you'll be logged in.
Check out the token saved in localStorage.
You can go further and use the token to determine the logged-in or logged-out auth status of a user.
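One way to turn the stored token into a logged-in/logged-out decision, as an added example that is not from the original article. It reads only the JWT's `exp` claim; signature verification belongs to the API server that receives the token, so the client must never treat this check as proof of identity. `makeSampleToken` builds a constructed, unsigned token so the example runs offline, and the `id_token` storage key is an assumption.

```javascript
// Added example (not from the original article): deciding logged-in vs
// logged-out from the token saved in localStorage. Only `exp` is checked
// here; the signature is verified by the API server, never by the client.
function base64UrlDecode(part) {
  return Buffer.from(part.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns 'logged-in' when the token is well-formed and unexpired, else 'logged-out'.
function authStatus(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof token !== 'string') return 'logged-out';
  const parts = token.split('.');
  if (parts.length !== 3) return 'logged-out';
  let claims;
  try {
    claims = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return 'logged-out'; // malformed payload
  }
  // `exp` is seconds since the epoch (RFC 7519); a missing exp counts as expired.
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return 'logged-out';
  return 'logged-in';
}

// Reads the token the way the browser app would; `storage` is any object
// with getItem (window.localStorage in the page). The key is assumed.
function authStatusFromStorage(storage, key = 'id_token') {
  return authStatus(storage.getItem(key));
}

// Constructed sample token: real Auth0 tokens are signed; the signature
// segment here is a placeholder and would fail server-side verification.
function makeSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify(claims));
  return `${header}.${payload}.placeholder-signature`;
}

// Stand-alone demo with a constructed subject and a one-hour expiry.
const demoToken = makeSampleToken({
  sub: 'sms|+15550001111',
  exp: Math.floor(Date.now() / 1000) + 3600,
});
console.log('fresh token   ->', authStatus(demoToken));
console.log('expired token ->', authStatus(demoToken, Math.floor(Date.now() / 1000) + 7200));
```

When the status comes back `logged-out`, remove the stale token from storage and send the user back through the phone-number prompt rather than reusing it.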
There is no doubt that passwords have become more susceptible to being compromised in recent years. Passwordless authentication aims to eliminate authentication vulnerabilities. This recent analysis of passwordless connections shows that passwordless adoption is increasing. Passwordless authentication is also very useful and gaining ground in the IoT world. It's easier, friendlier, and faster to be authenticated into an IoT device via Touch ID, push notification, or even a one-time passcode than with traditional means. If you really care about security, you should look into passwordless authentication!
Published at DZone with permission of Prosper Otemuyiwa, DZone MVB. See the original article here.