
The complete guide to passwordless authentication flows


Passwordless authentication is said to be the future of online authentication. This approach has been gaining popularity over the years, and experts agree it will keep on growing. Even though many online sites still rely on the combination of email and password to authenticate their users, passwordless is more secure, economical and user-friendly.

If this is your case and you want to take your auth system to the next level, we've got you covered. This is the ultimate guide to passwordless authentication: what it is, which passwordless solutions suit you best and how to implement them without coding.

What is passwordless authentication?

In online authentication, a passwordless authentication system is any process that authenticates the user without using a password. Moreover, passwordless authentication can also be applied online and offline. Given this broad definition, we can affirm there are many different types of passwordless authentication, depending on the method used to authenticate the user. Don't worry — every passwordless auth system has its advantages, and we'll analyze them one by one.

3 types of passwordless authentication solutions

As we have seen, there are many different types of passwordless authentication, since the term covers any type of authentication that doesn't involve a password. Let's take a look at each system!

1. One-time passwords (OTPs)

They are best known from multi-factor authentication processes, but one-time passwords or one-time codes can also be used as a standalone authentication method.

Passwordless flow with a one-time password via SMS

How do OTPs work in passwordless authentication?

One-time passwords (or OTPs) are numeric codes linked to a reference. These codes are sent to the user, so only the server and the user know the code. When the user enters the code in the platform, they are granted access and hence they are authenticated.

Depending on the type of platform, these codes can be sent to the user's phone via SMS, text or notification, to the user's email, or even to the user's mail in offline processes.

Furthermore, one-time passwords are always linked to a unique reference, so there is no chance of a code being taken over for a different use. OTPs can also be time-limited, which restricts how long the code stays valid.
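The server side of the flow described above, as an added example that is not Arengu's code or part of the original guide. The 5-minute validity window, the 5-guess limit and the in-memory store are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window
MAX_ATTEMPTS = 5       # assumed guess limit per issued code

_store = {}  # reference -> record; stands in for a server-side database


def _digest(reference, code):
    # Bind the code to its reference so it is useless for any other one.
    return hashlib.sha256(f"{reference}:{code}".encode()).hexdigest()


def issue_otp(reference, now=None):
    """Create a 6-digit code for `reference`; the caller sends it by SMS or email."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, keeps leading zeros
    _store[reference] = {
        "digest": _digest(reference, code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_otp(reference, submitted, now=None):
    """Return True once for the right code; False if wrong, expired or reused."""
    now = time.time() if now is None else now
    record = _store.get(reference)
    if record is None:
        return False
    if now > record["expires"] or record["attempts"] >= MAX_ATTEMPTS:
        del _store[reference]  # expired or too many guesses: force a new code
        return False
    record["attempts"] += 1
    if hmac.compare_digest(record["digest"], _digest(reference, submitted)):
        del _store[reference]  # single use
        return True
    return False
```

Issuing a new code for the same reference replaces the previous one, so only the latest code sent to the user is accepted.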

Pros and cons of using OTPs

Top security. One-time passwords are a secure way to authenticate users, and there is almost no chance of breaching them.

More inclusive. OTPs can be sent in voice strings included in texts, SMS or voice calls. This is a more inclusive option than simply relying on text.

Apt for different devices. One-time codes can be sent in voice strings, via SMS, via email or even via a messaging app.

Device verification. One-time passwords are sent to the user, normally via email or phone. When they enter the code correctly, the device is automatically verified. Hence, OTPs are useful not only for authentication purposes, but also for device verification purposes.

SMS fraud or email hack. The only point of vulnerability in OTPs is hacking the user's device, by duplicating a SIM card or hacking their email.

Less user-friendly. Having to enter a code in a different device may add some friction to the process. Still, keep in mind this is less irritating than using passwords.

2. Magic links

Magic links are the most popular option in passwordless authentication, since they involve only one step and are a one-click solution.

How do magic links work in passwordless authentication?

Magic links are URLs that trigger an authentication process when they are clicked. These URLs contain an authentication token, so when users click them they will be automatically verified, authenticated and redirected.

Magic links in passwordless authentication forms

Pros and cons of magic links

Optimal friction. Clicking one link can be considered the minimum effort there is. If this is the only authentication factor, you can be sure you're using one of the most frictionless auth systems there is.

Apt for different devices. Magic links are usually sent via email, but you can still send them via SMS, which means you can choose the device you need to verify.

Device verification. Magic links can verify users' devices too. Basically, you can choose between verifying the user's email or phone number, depending on whether you're sending the magic link via email or SMS.

Parameterized URLs. Being a link, you can personalize the URL you're sending with your own parameters, for instance to redirect the user to a particular spot.

SMS fraud or email hack. Just like one-time passwords, the only way of breaching a magic link is by hacking the user's device.
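How the authentication token and the custom redirect parameter of a magic link can be issued and checked, as an added example that is not Arengu's code or part of the original guide. The endpoint URL, the redirect allowlist, the 15-minute lifetime and the in-memory set of used tokens are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

SECRET = secrets.token_bytes(32)                 # assumed server-side signing key
BASE_URL = "https://app.example.com/auth/magic"  # hypothetical endpoint
ALLOWED_REDIRECTS = {"/dashboard", "/account"}   # hypothetical allowlist
LINK_TTL_SECONDS = 900                           # assumed validity window
_used = set()  # ids of redeemed tokens; a database table in practice


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload):
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def make_magic_link(email, redirect="/dashboard", now=None):
    """Build the URL to send to the user; `redirect` is the custom parameter."""
    now = time.time() if now is None else now
    if redirect not in ALLOWED_REDIRECTS:  # never sign an arbitrary target
        raise ValueError("redirect target not allowed")
    claims = {"sub": email, "exp": int(now) + LINK_TTL_SECONDS,
              "jti": secrets.token_urlsafe(16), "next": redirect}
    payload = _b64(json.dumps(claims).encode())
    return BASE_URL + "?" + urlencode({"token": payload + "." + _sign(payload)})


def redeem_token(token, now=None):
    """Return (email, redirect) for a valid, unused token, else None."""
    now = time.time() if now is None else now
    payload, _, sig = token.partition(".")
    # Check the signature before parsing anything the client controls.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if now > claims["exp"] or claims["jti"] in _used:
        return None  # expired, or already clicked once
    if claims["next"] not in ALLOWED_REDIRECTS:
        return None  # allowlist changed since the link was issued
    _used.add(claims["jti"])
    return claims["sub"], claims["next"]
```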

3. Hardware authentication

Authentication can be done online and offline, and that's where hardware authentication enters the scene. Plus, hardware authentication can also be used in apps and websites, for instance to access our private area in a bank account.

There are many different types of systems in this area, but some of the most popular nowadays are probably facial recognition and fingerprints. Actually, they are broadly used to verify users, unlock phones and computers, and so on and so forth.

Pros and cons of hardware authentication

Extra security. Adding offline auth methods adds extra layers of security that are very rarely bypassed.

More friction. Depending on the method, hardware authentication can add friction to the process.

More infrastructure. Most offline authentication factors require hardware devices and technology to be effective, which makes it costly.

How to implement it without coding?

Arengu is a low-code forms and flows builder that allows you to build personalized onboardings without coding. Simply select the template for your use case, or start your forms and flows from scratch to build flexible and personalized server-side logic.

As you can see in the image below, you will find native actions to build your flows, including passwordless actions for PrestaShop and WordPress. You can embed your forms everywhere, regardless of the tech stack you use!

Form builder for passwordless forms

If you want to know how to create your passwordless forms, check out our step-by-step tutorials and build yours now!

👉 Passwordless forms with magic links for WordPress and WooCommerce

👉 Passwordless login with OTPs for PrestaShop

👉 Passwordless login form with OTPs for WordPress


Getting started with Arengu

Arengu allows you to build all your user flows connected to your current stack, and avoids coding all the UI, complex integrations, validations or logic from scratch. Try it for free and start building faster and scaling your application needs as they grow.