The complete guide to passwordless authentication flows

Passwordless authentication is said to be the future of online authentication. This method has been gaining popularity, and experts agree it will keep on growing. Passwordless is a more secure, economical and user-friendly method of authentication, yet many online sites still rely on the combination of email and password to authenticate their users.

If this is your case and you want to take your auth system to the next level, we've got you covered. This is the ultimate guide to passwordless authentication: what it is, which passwordless solutions suit you best and how to implement them without coding.

What is passwordless authentication?

In online authentication, a passwordless authentication system is any process that authenticates a user without using a password. Moreover, passwordless authentication can also be applied online and offline. Given this broad definition, we can affirm that there are many different types of passwordless authentication, depending on the method used to authenticate the user. Don't worry — every passwordless auth system has its advantages, and we'll analyze them one by one.

3 types of passwordless authentication solutions

As we have seen, there are many different types of passwordless authentication, since the term covers any authentication method that doesn't involve using a password. Let's take a look at each method!

1. One-time passwords (OTPs)

They are best known from multi-factor authentication processes, but one-time passwords or one-time codes can also be used as a standalone authentication method.

How do OTPs work in passwordless authentication?

One-time passwords (or OTPs) are numeric codes linked to a reference. These codes are sent to the user, so only the server and the user know the code. When the user enters the code, they are granted access and hence they are authenticated.

Depending on the type of platform, these codes can be sent to the user via SMS or email.

Furthermore, one-time passwords are always linked to a unique reference and can be time-limited too.
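The server side of the OTP flow described above, as an added example that is not part of the original guide or of Arengu's product. The function names, the in-memory store, the 300-second lifetime and the limit of 5 attempts are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime; the guide only says codes can be time-limited
MAX_ATTEMPTS = 5        # assumed cap on guesses per reference

_pending = {}           # reference -> record; stands in for a server-side store


def _digest(reference, code):
    # Keep a digest bound to the reference instead of the code itself.
    return hashlib.sha256(f"{reference}:{code}".encode()).digest()


def issue_otp(now=None):
    """Create a 6-digit code tied to a fresh, unique reference."""
    now = time.time() if now is None else now
    reference = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, leading zeros kept
    _pending[reference] = {
        "digest": _digest(reference, code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    # The code goes out by SMS or email; the reference stays with the login form.
    return reference, code


def verify_otp(reference, code, now=None):
    """Return True once for the right code; False if wrong, expired or exhausted."""
    now = time.time() if now is None else now
    record = _pending.get(reference)
    if record is None:
        return False
    if now > record["expires"] or record["attempts"] >= MAX_ATTEMPTS:
        del _pending[reference]          # expired or too many guesses: burn it
        return False
    record["attempts"] += 1
    if hmac.compare_digest(record["digest"], _digest(reference, code)):
        del _pending[reference]          # single use: a replayed code fails
        return True
    return False
```

The attempt cap matters because a 6-digit code has only one million possible values; without it, the reference could be guessed against until it matches.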

Pros and cons of using OTPs

Top security. One-time passwords are a secure way to authenticate users, and there is almost no chance of breaching them.

More inclusive. OTPs can be sent in voice strings included in texts, SMS or voice calls. This is a more inclusive option than simply relying on text.

Apt for different devices. One-time codes can be sent in voice strings, via SMS, via email or even via a messaging app.

Device verification. One-time passwords are sent to the user, normally via email or phone. When they enter the code right, the device is automatically verified. Hence, OTPs are useful not only for authentication purposes, but also for device verification purposes.

SMS fraud or email hack. The only point of vulnerability in OTPs is an attack on the user's device or account, by duplicating a SIM card or hacking their email.

Less user-friendly. Having to enter a code on a different device may add some friction to the process. Still, keep in mind this is less irritating than using passwords.

2. Magic links

Magic links are the most popular option in passwordless authentication, since they involve only one step and are a one-click solution.

How do magic links work in passwordless authentication?

Magic links are URLs that trigger an authentication process when they are clicked. These URLs contain an authentication token, so when users click them they will be automatically verified, authenticated and redirected.

Pros and cons of magic links

Optimal friction. Clicking one link can be considered the minimum effort there is. If this is the only authentication factor, you can be sure you're using one of the most frictionless auth systems there is.

Apt for different devices. Magic links are usually sent via email, but you can still send them via SMS, which means you can choose the device you need to verify.

Device verification. Magic links can verify users' devices too. Basically, you can choose between verifying the user's email or phone number, depending on whether you're sending the magic link via email or SMS.

Parameterized URLs. Being a link, you can personalize the URL you're sending with your own parameters, for instance to redirect the user to a particular spot.

SMS fraud or email hack. Just like one-time passwords, the only way of breaching a magic link is by hacking the user's device.
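One possible design for the magic-link token and the parameterized redirect described above, as an added example that is not part of the original guide or of Arengu's product. The endpoint URL, parameter names, 900-second lifetime and in-memory nonce store are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

SECRET_KEY = secrets.token_bytes(32)        # per-deployment signing key (assumed)
BASE_URL = "https://app.example.com/auth"   # placeholder endpoint
LINK_TTL_SECONDS = 900                      # assumed lifetime
_used_nonces = set()                        # stands in for a server-side store


def _sign(email, expires, nonce, next_path):
    msg = "\n".join([email, str(expires), nonce, next_path]).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def _safe_next(path):
    # Allow only same-site paths so the redirect parameter cannot point off-site.
    ok = path.startswith("/") and not path.startswith("//") and "\\" not in path
    return path if ok else "/"


def make_magic_link(email, next_path="/", now=None):
    now = time.time() if now is None else now
    expires, nonce = int(now) + LINK_TTL_SECONDS, secrets.token_urlsafe(16)
    next_path = _safe_next(next_path)
    params = {"email": email, "exp": expires, "nonce": nonce, "next": next_path,
              "sig": _sign(email, expires, nonce, next_path)}
    return f"{BASE_URL}?{urlencode(params)}"


def redeem_magic_link(url, now=None):
    """Return (email, redirect_path) for a valid, unexpired, unused link, else None."""
    now = time.time() if now is None else now
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        email, exp, nonce = q["email"], int(q["exp"]), q["nonce"]
        nxt, sig = q["next"], q["sig"]
    except (KeyError, ValueError):
        return None
    expected = _sign(email, exp, nonce, nxt)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                          # parameters were tampered with
    if now > exp or nonce in _used_nonces:
        return None                          # expired or already clicked
    _used_nonces.add(nonce)
    return email, _safe_next(nxt)
```

Because the signature covers the redirect parameter as well as the email, expiry and nonce, changing any of them in transit invalidates the link.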

3. Hardware authentication

Authentication can be done online and offline, and that's where hardware authentication enters the scene. Plus, hardware authentication can also be used in apps and websites, for instance to access our private area in a bank account.

There are many different types of systems in this area, but some of the most popular nowadays are facial recognition and fingerprints. They are broadly used to verify users, unlock phones and computers.

Pros and cons of hardware authentication

Extra security. Adding offline auth methods adds extra layers of security, which are very rarely bypassed.

More friction. Depending on the method, hardware authentication can add friction to the process.

More infrastructure. Most offline authentication factors require hardware devices and technology to be effective, which makes them costly.

How to implement it without coding?

Arengu is a low-code forms and flows builder that allows you to build personalized onboardings without coding. Simply select the template for your use case, or start your forms and flows from scratch to build flexible and personalized server-side logic.

As you can see in the image below, you will find native actions to build your flows, including passwordless actions for PrestaShop and WordPress. You can embed your forms anywhere, regardless of the tech stack you use!

If you want to know how to create your passwordless forms, check out our step-by-step tutorials and build yours now!
