Subscribe
Sign in
SuperTokens Passwordless β Fully flexible, open source auth in 15 minutes
Join Slack, Medium and Instagram in enabling a passwordless login experience.
With passwordless, developers can authenticate their users through email IDs or phone numbers!
72
Replies
Best
Why I like Passwordless? It reminds me of my conversations with Dad.
I keep asking him to create secure passwords and manage them as I say. And he keeps complaining it is hard to remember passwords and keeps asking me the same questions repeatedly
* why can't I create a simple password as "password123", I have nothing to hide
* why can't I reuse it everywhere, what would someone get by hacking my account
* ok, I will create different strong passwords everywhere. Can I write it in a diary then?
and a very deadly question - why can't I share my password with my friend. He says that all his friends do all those things and they have never been hacked.
When I think more closely, that's the level of awareness or tech experience of most people. Dealing with passwords gives them a headache. It seems like a common sense to us developers who are well aware of what happens in the background when we make a login request. When we give those people password-based auth, we expect them to work as per best practices while in reality, they make the worst choices and this makes the password-based auth highly insecure.
I think passwordless fills this gap, makes systems more secure for users who are not that tech savvy. Definitely, passwordless auth goes on top of my list of auth strategies to implement in my next app.
I'm curious what are some guidelines that we can give to end users(similar to my Dad) to make passwordless more secure and easier to use? Althoug most of the passwordless security I see is at the implementer side only but still if there are any thoughts from the community, I'd love to learn that
@saman_sinaei Thank you Saman! We are planning on writing a more comprehensive piece on it!
This is nice! We are already getting used to this behaviour using banking apps and wallets. It will be a good push for standardized logins as well. Congrats on the launch!
Wow! This product looks super useful. My parents keep forgetting their social media passwords and this will be a lifesaver. Logging in with OTP is the most convenient way for most users and this will surely be successful.
Congratulations on the launch! π
@harsh_siriah1 You're right! Lots of use cases for OTP login. Plus, with regards to your point - the fact that mobile apps can now enter the OTP automatically, it just makes life a lot easier. π
Hi @advait_ruia, congrats on the launch π
I am a fan of passwordless and yet I find that in terms of UX is not necessarily better.
With email and password:
1. User signs up with username and password
2. User is in the product
(Assuming email verification can be done asynchronously)
With passwordless:
1. User signs up with email
2. User needs to go out of the product to find the OTP - at this point, many bad things can happen. The user is distracted by another email; the mail gets to spam; the mail takes a few minutes to arrive breaking the flow on the onboarding, etc.
In what sense do you think passwordless has a better UX? Do you know if there is any study comparing the drop-off rate of password and passwordless approaches?
@marco_ancona2 Hey Marco! Passwordless is not always better UX. It depends on your app and your customers.
You are correct that the user may need to switch to another app and get distracted. The flip is that they may not remember their password, which could also create a similar or worse issues
In certain cases, passwords are a better experience and in other cases, passwordless is preferable. For eg: if your user is on a mobile app, sending them an OTP to their phone number allows them to login without needing to leave the app. The OS will autofill the OTP from the SMS into the app or at the very least the user will see the OTP as a notification and can type it in without navigating away. In this case, passwordless could be preferable.
This is awesome, and I personally have gotten more insight into how the product works from @nevilbutani
This is a great way to access your accounts without remembering any passwords. Congrats on the launch! π
@auttomatta thank you. @nevilbutani is the champion. we are able to showcase SuperTokens so well because of him only.
Hey @advait_ruia @rishabh_poddar1 @mufassir_kazi @joel_coutinho @bhumilsarvaiya and team! Really cool to see that feature being launched here today! Congrats all! Happy to have contributed a little bit to the SuperTokens journey :)
@kant01ne Thank you!! We are very grateful for your contribution in laying out the foundation for the frontend library :))
This looks fantastic @advait_ruia, will recommend to a bunch of folks :D Congratulations on a great launch and an even better product π
RP is such a cool founder! He was always open to answering all our questions and concerns πͺ supertokens is the real deal!
@adrianthedev Thank you!! Appreciate the love :) It's always great chatting with you.
SuperTokens is amazing β we were able to add password + social authentication in a matter of hours rather than weeks!
@kartikk10 Thanks! We also integrate with the web frameworks in these languages, and are planning to support Java and PHP as well (soonish)
@neet Thanks you so much! Please feel free to join our Discord (https://supertokens.com/discord) if you need any help or guidance with implementation. πΊ
Really proud to be part of the team that built this and super pumped to see what devs are going to do when they get their hand on it.
When you have multiple subscriptions, it is extremely difficult to keep track of passwords. This is especially useful for platforms where I only need to log in once every few months or a year; logging in via OTP or Magic link makes the process much smoother and easier!
@manav_sharma1 checkout the Github repo and the passwordless guide. We have a demo repo in node+react that you can get started with as well.
* GitHub repo - https://github.com/supertokens/s...
* Passwordless setup guide - https://supertokens.com/docs/pas...
* For more discussion from the community, do ask question in discord community - https://supertokens.com/discord
@manav_sharma1 SuperTokens follows all the best practices by default. So you just have to follow the docs and you should be good to go. Some of the best practices we follow:
- Keeping passwordless codes (OTP or magic links) short lived
- Limiting the number of OTP tries per login attempt. After the number of tries has been reached, a new OTP is generated.
- Preventing email clients from consuming the magic link if they open the magic link to scan them.
- Removing unused passwordless codes after they have expired.
- Revoking all passwordless codes for a user once they have successfully consumed any one of them.
- Allowing our users to easily implement their own spam protection for SMS based login.
And on the session side:
- Using httpOnly for session cookies.
- Preventing against CSRF attacks.
- Using rotating refresh tokens for session management (to detect session hijacking)
This is awesome! Congrats on the launch.
I've been using SuperTokens off/on for the past year or so. Since I develop mostly NextJS apps, passwordless auth will match up really well with what NextAuth offers. I prefer passwordless auth since it seems more secure than the traditional username & password option, so excited to keep using SuperTokens and now that this is offered I'll be enabling this in my project alongside the social login.
@gaurav_chaturvedi amazing. can't wait to see your launch with passwordless.
For me, passwordless is definitely a great thing. The "standard" flow can be so bad:
1. sign up/log in once and use the app for a day
2. not need the password for a year and forget
3. reset the password (which is kind of like a passwordless login), go to step 1
However, when I'm using something every day/week, waiting for the OTP can get annoying.
What's your limit? I prefer using passwords if I'm using something more than once/twice a month.
@mihaly_lengyel1 you can use SuperTokens to implement password-based or social login as well. Which method to use? I think it is not only about the # of times you use the app. That is one parameter, it also depends on your use case, the purpose of the app, how sensitive your data is, how much resources you have to invest on security, and other choices you make for auth, etc. If your your use case requires frequent user visits in a day/week, you might also want to think about making longer lived sessions using refresh tokens. You can do that with SuperTokens by changing a configuration. All in all, Passwordless can be a great choice even when you have frequent login. Do you already have a use case in mind where you need to implement it?
Passwordless is the most convenient way to sign in into every platform as it is terribly difficult to remember all the passwords. Great Initiative! Congratulations on the Launch !
Finally! :D
A lot of time was spent primarily on creating the best experience for developers. Thinking from the most common use cases to the most far fetched ones (you can add phone no. + email based passwordless together), it was fun to be a part of this.
And though we launched passwordless today, for all we know, you may need a password based solution. For that, do check out all the other βrecipesβ we have on our guides page.
@joeff This is something that we will be adding in the coming months. But for now, you can achieve this by using our override feature.
SuperTokens Passwordless