Subscribe
Sign in
Start new thread
p/supertokens-passwordless
Fully flexible, open source auth in 15 minutes
Visit Product
Michael Seibel
SuperTokens Passwordless β€” Fully flexible, open source auth in 15 minutes
Featured
72
β€’
Join Slack, Medium and Instagram in enabling a passwordless login experience.
With passwordless, developers can authenticate their users through email IDs or phone numbers!
Replies
Julien Zmiro
Top Product
Congrats on the launch!
Puneet Acharya
Maker
@zmiro Thanks, Julien! Would love to hear your feedback once you've signed up and implemented the code. Please join our Discord if you need help or have further questions. πŸ˜ƒ
Kevin ANTOINE
Hey @advait_ruia @rishabh_poddar1 @mufassir_kazi @joel_coutinho @bhumilsarvaiya and team! Really cool to see that feature being launched here today! Congrats all! Happy to have contributed a little bit to the SuperTokens journey :)
Puneet Acharya
Maker
@kant01ne Thank you! πŸ™Œ
Rishabh Poddar
Maker
@kant01ne Thank you!! We are very grateful for your contribution in laying out the foundation for the frontend library :))
Prashant Matta
This is awesome, and I personally have gotten more insight into how the product works from @nevilbutani This is a great way to access your accounts without remembering any passwords. Congrats on the launch! πŸ‘
Pradeep Sharma
Maker
@auttomatta thank you. @nevilbutani is the champion. we are able to showcase SuperTokens so well because of him only.
Advait Ruia
Maker
Hi everyone! Today, we’re releasing the most powerful passwordless solution ever built! πŸŽ‰ What is passwordless? Users can enter their email ID or phone numbers and receive a "Magic Link or an "OTP" instead of a password Magic links are URLs that contain a unique identifier (password) embedded in the URL itself. The OTPs and magic links are time based, one time use only. They expire quickly and can only be accessed by someone who has access to that specific email ID or phone number. Advantages and concerns: Users often reuse the same password or use "password123" which can be guessed or brute forced. Removing passwords out of equation removes this concern In terms of UX, passwordless may present a significantly improved UX depending on the type of app and user For eg: Phone number based OTPs may be a great way to maximize sign conversions for mobile apps. We support email and phone based auth in our implementation of passwordless. WebAuthN and push notif based auth coming soon! I'd love to hear what you think about passwordless and answer any questions about user experience and security!
Pradeep Sharma
Maker
Why I like Passwordless? It reminds me of my conversations with Dad. I keep asking him to create secure passwords and manage them as I say. And he keeps complaining it is hard to remember passwords and keeps asking me the same questions repeatedly * why can't I create a simple password as "password123", I have nothing to hide * why can't I reuse it everywhere, what would someone get by hacking my account * ok, I will create different strong passwords everywhere. Can I write it in a diary then? and a very deadly question - why can't I share my password with my friend. He says that all his friends do all those things and they have never been hacked. When I think more closely, that's the level of awareness or tech experience of most people. Dealing with passwords gives them a headache. It seems like a common sense to us developers who are well aware of what happens in the background when we make a login request. When we give those people password-based auth, we expect them to work as per best practices while in reality, they make the worst choices and this makes the password-based auth highly insecure. I think passwordless fills this gap, makes systems more secure for users who are not that tech savvy. Definitely, passwordless auth goes on top of my list of auth strategies to implement in my next app. I'm curious what are some guidelines that we can give to end users(similar to my Dad) to make passwordless more secure and easier to use? Althoug most of the passwordless security I see is at the implementer side only but still if there are any thoughts from the community, I'd love to learn that
Advait Ruia
Maker
@saman_sinaei Thank you Saman! We are planning on writing a more comprehensive piece on it!
Prineel Bandellu
This is nice! We are already getting used to this behaviour using banking apps and wallets. It will be a good push for standardized logins as well. Congrats on the launch!
Puneet Acharya
Maker
@prineelbandellu You're absolutely right! And thank you! πŸ™Œ
Travis Garland
Passwordless is the future, very impressed with what you guys assembled.
Gaurav Chaturvedi
This is awesome! Congrats on the launch. I've been using SuperTokens off/on for the past year or so. Since I develop mostly NextJS apps, passwordless auth will match up really well with what NextAuth offers. I prefer passwordless auth since it seems more secure than the traditional username & password option, so excited to keep using SuperTokens and now that this is offered I'll be enabling this in my project alongside the social login.
Pradeep Sharma
Maker
@gaurav_chaturvedi amazing. can't wait to see your launch with passwordless.
Adrian Marin πŸ₯‘
RP is such a cool founder! He was always open to answering all our questions and concerns πŸ’ͺ supertokens is the real deal!
Rishabh Poddar
Maker
@adrianthedev Thank you!! Appreciate the love :) It's always great chatting with you.
Simon White
Congrats team!
Sergej GoriΕ‘ek
This is awesome! Congratulations on your launch! πŸ™Œ
Manav Sharma
Pretty cool product. Do you guys have any best practices on how to implement this?
Pradeep Sharma
Maker
@manav_sharma1 checkout the Github repo and the passwordless guide. We have a demo repo in node+react that you can get started with as well. * GitHub repo - https://github.com/supertokens/s... * Passwordless setup guide - https://supertokens.com/docs/pas... * For more discussion from the community, do ask question in discord community - https://supertokens.com/discord
Rishabh Poddar
Maker
@manav_sharma1 SuperTokens follows all the best practices by default. So you just have to follow the docs and you should be good to go. Some of the best practices we follow: - Keeping passwordless codes (OTP or magic links) short lived - Limiting the number of OTP tries per login attempt. After the number of tries has been reached, a new OTP is generated. - Preventing email clients from consuming the magic link if they open the magic link to scan them. - Removing unused passwordless codes after they have expired. - Revoking all passwordless codes for a user once they have successfully consumed any one of them. - Allowing our users to easily implement their own spam protection for SMS based login. And on the session side: - Using httpOnly for session cookies. - Preventing against CSRF attacks. - Using rotating refresh tokens for session management (to detect session hijacking)
Nunzio Martinello
Great product!
Puneet Acharya
Maker
@nunziomartinello Thanks, Nunzio. Means a lot! Let us know if we can help you with anything else. πŸ˜ƒ
Nazan Kurt
Congrats on the launch! πŸš€
Raunak Dembla
This looks fantastic @advait_ruia, will recommend to a bunch of folks :D Congratulations on a great launch and an even better product πŸš€
Rishabh Poddar
Maker
@advait_ruia @raunak_dembla Thank you! Really appreciate it.
Puneet Acharya
Maker
Thanks, Raunak! πŸ™ŒπŸš€
Mufassir Kazi
Maker
Finally! :D A lot of time was spent primarily on creating the best experience for developers. Thinking from the most common use cases to the most far fetched ones (you can add phone no. + email based passwordless together), it was fun to be a part of this. And though we launched passwordless today, for all we know, you may need a password based solution. For that, do check out all the other β€œrecipes” we have on our guides page.
Harshit Beniwal
This is looking promising!! Is it time to ditch my password manager? πŸ‘€
Pradeep Sharma
Maker
@almost_designer you can go almost_passwordless now :)
Joel Coutinho
Maker
Really proud to be part of the team that built this and super pumped to see what devs are going to do when they get their hand on it.
Philip Scott
SuperTokens is amazing β€” we were able to add password + social authentication in a matter of hours rather than weeks!
Marco Ancona
Hi @advait_ruia, congrats on the launch πŸš€ I am a fan of passwordless and yet I find that in terms of UX is not necessarily better. With email and password: 1. User signs up with username and password 2. User is in the product (Assuming email verification can be done asynchronously) With passwordless: 1. User signs up with email 2. User needs to go out of the product to find the OTP - at this point, many bad things can happen. The user is distracted by another email; the mail gets to spam; the mail takes a few minutes to arrive breaking the flow on the onboarding, etc. In what sense do you think passwordless has a better UX? Do you know if there is any study comparing the drop-off rate of password and passwordless approaches?
Advait Ruia
Maker
@marco_ancona2 Hey Marco! Passwordless is not always better UX. It depends on your app and your customers. You are correct that the user may need to switch to another app and get distracted. The flip is that they may not remember their password, which could also create a similar or worse issues In certain cases, passwords are a better experience and in other cases, passwordless is preferable. For eg: if your user is on a mobile app, sending them an OTP to their phone number allows them to login without needing to leave the app. The OS will autofill the OTP from the SMS into the app or at the very least the user will see the OTP as a notification and can type it in without navigating away. In this case, passwordless could be preferable.