Why I like Passwordless? It reminds me of my conversations with Dad. I keep asking him to create secure passwords and manage them as I say. And he keeps complaining it is hard to remember passwords and keeps asking me the same questions repeatedly * why can't I create a simple password as "password123", I have nothing to hide * why can't I reuse it everywhere, what would someone get by hacking my account * ok, I will create different strong passwords everywhere. Can I write it in a diary then? and a very deadly question - why can't I share my password with my friend. He says that all his friends do all those things and they have never been hacked. When I think more closely, that's the level of awareness or tech experience of most people. Dealing with passwords gives them a headache. It seems like a common sense to us developers who are well aware of what happens in the background when we make a login request. When we give those people password-based auth, we expect them to work as per best practices while in reality, they make the worst choices and this makes the password-based auth highly insecure. I think passwordless fills this gap, makes systems more secure for users who are not that tech savvy. Definitely, passwordless auth goes on top of my list of auth strategies to implement in my next app. I'm curious what are some guidelines that we can give to end users(similar to my Dad) to make passwordless more secure and easier to use? Althoug most of the passwordless security I see is at the implementer side only but still if there are any thoughts from the community, I'd love to learn that

@saman_sinaei Thank you Saman! We are planning on writing a more comprehensive piece on it!

@prineelbandellu You're absolutely right! And thank you! 🙌

@auttomatta thank you. @nevilbutani is the champion. we are able to showcase SuperTokens so well because of him only.

@jaymistry_st thank you for your kind words. Would love to hear your feedback on the product roadmap - https://supertokens.com/product-...

@kant01ne Thank you! 🙌

@kant01ne Thank you!! We are very grateful for your contribution in laying out the foundation for the frontend library :))

@harsh_siriah1 You're right! Lots of use cases for OTP login. Plus, with regards to your point - the fact that mobile apps can now enter the OTP automatically, it just makes life a lot easier. 😃

@neet Thanks you so much! Please feel free to join our Discord (https://supertokens.com/discord) if you need any help or guidance with implementation. 😺

@joel_coutinho 🙌

@advait_ruia @raunak_dembla Thank you! Really appreciate it.

Thanks, Raunak! 🙌🚀

@almost_designer you can go almost_passwordless now :)

@manav_sharma1 checkout the Github repo and the passwordless guide. We have a demo repo in node+react that you can get started with as well. * GitHub repo - https://github.com/supertokens/s... * Passwordless setup guide - https://supertokens.com/docs/pas... * For more discussion from the community, do ask question in discord community - https://supertokens.com/discord

@manav_sharma1 SuperTokens follows all the best practices by default. So you just have to follow the docs and you should be good to go. Some of the best practices we follow: - Keeping passwordless codes (OTP or magic links) short lived - Limiting the number of OTP tries per login attempt. After the number of tries has been reached, a new OTP is generated. - Preventing email clients from consuming the magic link if they open the magic link to scan them. - Removing unused passwordless codes after they have expired. - Revoking all passwordless codes for a user once they have successfully consumed any one of them. - Allowing our users to easily implement their own spam protection for SMS based login. And on the session side: - Using httpOnly for session cookies. - Preventing against CSRF attacks. - Using rotating refresh tokens for session management (to detect session hijacking)

@mihaly_lengyel1 you can use SuperTokens to implement password-based or social login as well. Which method to use? I think it is not only about the # of times you use the app. That is one parameter, it also depends on your use case, the purpose of the app, how sensitive your data is, how much resources you have to invest on security, and other choices you make for auth, etc. If your your use case requires frequent user visits in a day/week, you might also want to think about making longer lived sessions using refresh tokens. You can do that with SuperTokens by changing a configuration. All in all, Passwordless can be a great choice even when you have frequent login. Do you already have a use case in mind where you need to implement it?

@gaurav_acharya1 Thanks! 🙌 Please feel free to reach out to us via Discord if you need any help with the implementation. Here is the link: https://supertokens.com/discord Oh and feel free to go through our repo as well: https://github.com/supertokens/s...

@zmiro Thanks, Julien! Would love to hear your feedback once you've signed up and implemented the code. Please join our Discord if you need help or have further questions. 😃

@gaurav_chaturvedi amazing. can't wait to see your launch with passwordless.