Passwordless Login
Passwordless Login streamlines the authentication process by enabling users to access their accounts without a password. Instead of relying on traditional credentials, users receive a secure link or a One-Time Password (OTP) via email or phone. Users can securely log in by verifying the link or OTP, improving convenience and security. This approach eliminates the need to remember complex passwords, providing a smoother, more user-friendly login experience.
How It Works
- The user enters their registered email or phone number.
- A login link or OTP is sent to their email or phone.
- The user clicks the link or enters the OTP.
- Upon successful verification, they are logged in.
📌 Note: Users must first register with a password. Afterward, they can log in using their link or OTP.
Key Features
- Frictionless Login: Enables seamless login without needing to remember passwords.
- Enhanced Security: Reduces the risk of password theft or credential breaches, since no reusable password is transmitted at login.
- Improved User Experience: Provides a hassle-free passwordless auth process.
- Alternative Authentication: Useful when users forget passwords or prefer OTP-based logins.
Configurations
Here's how to enable and configure Passwordless Login in your authentication settings in the admin console:
- Enable Passwordless Login
- Passwordless Login Email Configuration
- Passwordless Login Phone Configuration
Enable Passwordless Login
Steps to Enable Passwordless Login:
- Log in to the Admin Console.
- Navigate to Passwordless Login in Admin Console.
- Ensure Passwordless Login is enabled.
- If not enabled, contact the LoginRadius Support Team.
Passwordless Login Email configuration
- This option sends a login link to the user's email, allowing them to log in by clicking the link.
- You can configure an email provider to send emails to users. For detailed instructions on configuring the email provider and its usage, please refer to this documentation.
- You can customize the email template to modify the content sent to users, ensuring it aligns with your requirements. For detailed instructions on configuring email templates, refer to this document.
Passwordless Login Phone configuration
- In this option, an OTP is sent to the registered phone number, which the user can use to log in.
- You can set up an SMS provider to send messages to users containing the OTP. For detailed instructions on configuring the SMS provider and its usage, please refer to this documentation.
- You can customize the SMS template to tailor the content sent to users according to your requirements. For detailed instructions on SMS template configuration, refer to this document.
Integration Guide
The LoginRadius Identity Platform offers multiple implementation methodologies, enabling you to customize customer flows and select the passwordless login integration method that best suits your requirements.
- Passwordless Login Setup using JavaScript interface
- User Registration
- User Login
- User Verification
- MFA Authentication
Passwordless Login Interface Setup Using JavaScript
Step 1: Include the JavaScript Library
Add the following script to your HTML file in the <head> tag:
<script src='https://auth.lrcontent.com/v2/LoginRadiusV2.js' type='text/javascript'></script>
Step 2: Initialize the LoginRadiusV2 Object
Set up your LoginRadius configuration in the <head> tag:
<script>
var commonOptions = {};
commonOptions.apiKey = "<your loginradius API key>";
commonOptions.appName = "<LoginRadius site name>";
commonOptions.instantLinkLogin = true;
commonOptions.instantOTPLogin = true;
var LRObject = new LoginRadiusV2(commonOptions);
</script>
These two options turn on the passwordless login feature for both methods (login link by email and OTP by phone):
commonOptions.instantLinkLogin = true;
commonOptions.instantOTPLogin = true;
Step 3: Load the Passwordless Login Interface and Validate Result
Add the following script before the closing </head> tag:
<script>
var login_options = {};
login_options.container = 'login-container';
login_options.onSuccess = function(response) { console.log(response); };
login_options.onError = function(errors) { console.log(errors); };
LRObject.util.ready(function() { LRObject.init('login', login_options); });
// Validate OTP
var passwordlessloginvalidate_options = {};
passwordlessloginvalidate_options.onSuccess = function(response) { console.log(response); };
passwordlessloginvalidate_options.onError = function(errors) { console.log(errors); };
LRObject.util.ready(function() { LRObject.init('passwordlessLoginValidate', passwordlessloginvalidate_options); });
</script>
Step 4: Include the Login Container
Insert the following code within the <body> tag to add the login container div:
<div id="login-container"></div>
User Registration
Register a new user with a unique email and password. The system securely stores credentials for authentication.
Auth User Registration by Email: Register users using their email and password.
For detailed information on User Registration, please refer to this document.
User Login
After registration, users can log in using Passwordless Login via one of the following options:
Option 1: Login via Registered Email
Passwordless Login By Email API: This API sends a Passwordless Login verification link to the specified email ID.
Option 2: Login via Phone
Passwordless Login by Phone API: This API sends a One-Time Passcode (OTP) if the account has a verified Phone ID.
Please refer to this document for detailed information on the Passwordless Login API.
User Verification
After the user requests a link or OTP, verify their account using the following APIs:
Passwordless Login Email Verification: This API is used to verify the Passwordless Login verification link.
Passwordless Login Phone Verification: This API verifies an account by OTP and allows the customer to log in.
Upon successful account verification, the response will include the complete user profile.
MFA with Passwordless Login
Passwordless Login can be combined with Multi-Factor Authentication (MFA) for enhanced security. The system automatically handles MFA requirements based on tenant and user-level configurations.
Compatible MFA Options: To make Passwordless Login compatible with your MFA flow, we recommend the following:
Passwordless Channel | Not Allowed as MFA | Allowed MFA Options |
---|---|---|
Email | Email OTP | Phone OTP, TOTP, Security Keys |
Phone | Phone OTP | Email OTP, TOTP, Security Keys |
Both Enabled | N/A | TOTP, Security Keys |
API Behavior:
When MFA is required, the Passwordless Login APIs (Email/Phone/Username) return a response containing SecondFactorAuthentication details:
{
"SecondFactorAuthentication": {
"SecondFactorAuthenticationToken": "b1fbbba5-2a5e-41a2-96da-c216df36e6f4",
"ExpireIn": "2021-04-06T08:36:53.3005592Z",
"QRCode": "http://chart.googleapis.com/chart?cht=qr&chs=150x150&chl=otpauth...",
"IsEmailOtpAuthenticatorVerified": false,
"IsOTPAuthenticatorVerified": false,
// Additional MFA status fields...
},
"Profile": null,
"access_token": "00000000-0000-0000-0000-000000000000",
"expires_in": "0001-01-01T00:00:00"
}
If MFA is optional and not configured, or not enabled, the API returns the standard profile response with an access token.
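The branch a client has to take depends on the shape of that response. The following helper is an added example, not LoginRadius code: it uses the documented field names (SecondFactorAuthentication, SecondFactorAuthenticationToken, ExpireIn, access_token, Profile) and assumes that the all-zero access_token marks the MFA-pending case; the helper names and the sample response are constructed.

```javascript
// Added example (not LoginRadius code): decide what a client should do next
// from a Passwordless Login API response. Field names follow the documented
// response shape; helper names and sample values are ours.

const PLACEHOLDER_TOKEN = "00000000-0000-0000-0000-000000000000";

// ExpireIn carries 7 fractional-second digits; trim to 3 so Date parsing is portable.
function parseExpiry(iso) {
  return new Date(String(iso).replace(/(\.\d{3})\d+/, "$1"));
}

function classifyPasswordlessResponse(response, now = new Date()) {
  const sfa = response && response.SecondFactorAuthentication;
  if (sfa && sfa.SecondFactorAuthenticationToken) {
    // MFA is required: Profile is null and access_token is only a placeholder.
    const expiry = parseExpiry(sfa.ExpireIn);
    if (Number.isNaN(expiry.getTime()) || expiry <= now) {
      return { state: "mfa_token_expired" }; // user must request a new link/OTP
    }
    // Only authenticators already verified for this user can complete MFA.
    const verifiedFactors = Object.keys(sfa).filter(
      (k) => /^Is.*Verified$/.test(k) && sfa[k] === true
    );
    return {
      state: "mfa_required",
      secondFactorToken: sfa.SecondFactorAuthenticationToken,
      verifiedFactors,
    };
  }
  if (response && response.access_token && response.access_token !== PLACEHOLDER_TOKEN) {
    return { state: "authenticated", accessToken: response.access_token };
  }
  return { state: "unexpected" }; // neither a session nor an MFA challenge
}

// Constructed sample shaped like the documented MFA response (values are not real).
const SAMPLE_MFA_RESPONSE = {
  SecondFactorAuthentication: {
    SecondFactorAuthenticationToken: "sample-second-factor-token",
    ExpireIn: "2099-01-01T00:00:00.0000000Z",
    IsEmailOtpAuthenticatorVerified: true,
    IsOTPAuthenticatorVerified: false,
  },
  Profile: null,
  access_token: PLACEHOLDER_TOKEN,
  expires_in: "0001-01-01T00:00:00",
};
```

Wire `classifyPasswordlessResponse` into the `onSuccess` callbacks from Step 3 so the page can route the user to the MFA step instead of treating the placeholder token as a session.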
Implementation Notes:
- The same factor cannot be reused for both passwordless login and MFA.
- Verification APIs support query parameters such as duoredirecturi, emailtemplate2fa, and smstemplate2fa for customizing the redirect URI and the email/SMS templates.
- If users attempt to use the same channel for both factors, they are prompted to set up an additional method.
For detailed implementation, refer to the Multi-Factor Authentication documentation.
You can use any of the SDKs provided by LoginRadius for your Passwordless Login implementation; see the LoginRadius GitHub Repositories.
Best Practices
- Customize OTP messages to identify your app and reduce phishing risks.
- Enforce limits on OTP retries and expiration time, and prevent reuse to block brute-force attempts.
- Use secure and compliant email/SMS providers to ensure message deliverability and protection against spoofing.