I am currently evaluating the passwordless authentication option and have encountered some questions regarding the implementation process. On Google and ChatGPT answers vary widely on my topic, so I’m looking forward to your expert advice.
My primary concern relates to the sign-up flow requirement. While I notice there is an option to “Disable Sign-ups” in the configuration (I want to get rid of this flow in the UX), my testing in the ACC environment has revealed some unexpected behavior:
When entering a new email address, there is no system response
No OTP is sent to the email address
Users receive no notification that their account doesn’t exist
From a user experience perspective, I would expect the system to:
Send an OTP regardless of account existing or not
Automatically create the account in the background upon successful OTP verification
However, this doesn’t appear to be the current behavior. Could you please clarify:
Are sign-ups still mandatory for passwordless authentication?
If so, what are the key advantages of this approach from a user perspective?
What is the recommended implementation strategy for passwordless authentication?
I appreciate your guidance on this matter.
Best regards,
Robert
/Update
Wow. I just discovered that perhaps the account is created automatically in the background once I enabled the sign-ups, even though the user didn’t go through the new account creation flow that I just enabled. Is this how it should be implemented? Why is this extra flow there, if it’s possible to create user accounts without going through it? Security reasons?
Thank you @sumansaurav for the insight on the matter!
Regarding Passwordless authentication, it appears to be designed to allow users to log in using an email which is not yet registered in the DB and to allow them to complete the process. Indeed, as mentioned above, that opens you to several vulnerabilities which can be mitigated via actions.
My best advice would be to implement either an invitation-only policy for new users via email or to implement various methods to mitigate the risks.
Otherwise, I encourage you to post on the Feedback section of the Community Page in order to propose this feature!
Let us know if the proposed community post is of any help or if you have additional questions on the matter.
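To make the invitation-only recommendation above concrete, here is an added example (not Auth0 code, and not part of the thread) of a minimal email-OTP flow that only issues codes to existing or invited addresses, answers every request with the same message so that the response does not reveal whether an account exists, and creates the account only after the code has been verified. The class name `PasswordlessService`, the in-memory `outbox` standing in for the mail sender, and the constants are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumed: discard the pending code after three wrong guesses
GENERIC_REPLY = "If this address is eligible, a sign-in code has been sent."


class PasswordlessService:
    """Hypothetical in-memory stand-in for the identity provider (not Auth0)."""

    def __init__(self, invited, secret=None, now=time.time):
        self.users = set()              # addresses that already have an account
        self.invited = set(invited)     # addresses allowed to self-register (invitation list)
        self.pending = {}               # email -> [otp_hmac, expires_at, wrong_attempts]
        self.outbox = []                # constructed stand-in for the e-mail sender
        self.secret = secret or secrets.token_bytes(32)
        self.now = now                  # injectable clock so expiry can be tested

    @staticmethod
    def normalize(email):
        return email.strip().lower()

    def _tag(self, email, code):
        # Store an HMAC of the code bound to the address, never the code itself
        msg = f"{email}:{code}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def request_otp(self, email):
        email = self.normalize(email)
        if email in self.users or email in self.invited:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[email] = [self._tag(email, code), self.now() + OTP_TTL_SECONDS, 0]
            self.outbox.append((email, code))   # "send" the code
        # Identical reply whether or not the address is known: no account enumeration
        return GENERIC_REPLY

    def verify_otp(self, email, code):
        email = self.normalize(email)
        entry = self.pending.get(email)
        if entry is None:
            return False
        tag, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[email]     # expired or locked: the user must request a new code
            return False
        if not hmac.compare_digest(tag, self._tag(email, code)):
            entry[2] += 1               # count the wrong guess against this code
            return False
        del self.pending[email]         # a code is single use
        if email not in self.users:
            # Account creation happens only here, after proof of control of an invited address
            self.users.add(email)
            self.invited.discard(email)
        return True


if __name__ == "__main__":
    svc = PasswordlessService(invited={"alice@example.com"})
    print(svc.request_otp("alice@example.com"))
    print(svc.request_otp("nobody@example.com"))   # same message, no code sent
    addr, code = svc.outbox[0]
    print("verified:", svc.verify_otp(addr, code), "users:", svc.users)
```

Sending the code only to invited or existing addresses is what stops arbitrary addresses from minting accounts, while the uniform reply keeps the "account does not exist" information out of the UX that the original question worried about.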
I think it’s working as expected now on my test environment, but account registration needs to be enabled, even though this flow is not needed for users to create new accounts.