Feature: Personalise Magic Link Email for Passwordless Authentication for improved trust that the email is legitimate.

Description:

Users are becoming more aware of phishing attacks and one of the ways to identify a phish is generic emails.

Use-case:
We are building the ability for a user with an Administrator role (roles are not stored in Auth0) to invite another user to our application.

We want to use the passwordless authentication method and send the invited user an email with the magic link, so they can be directed to our application and create an account.

The current email can be customised to look like it comes from our company, but there is no way to personalise it. So we can make the email look how we want to, but we can't use information my business knows about the invitee and the inviter (invitee name, inviter name, inviter, business details, etc.).

When using passwordless authentication it is highly likely to be the first time the person is receiving an email from our business, and currently it can only be a generic email. We want to reduce the risk of the email being identified as a phishing attempt instead of a legitimate email by personalising it with information we know about the user and who invited them.

I would like to be able to optionally send additional metadata to the management API that starts a passwordless authentication, so that this data can be used in the email template, so we can personalise the email and increase the trust that the email is legitimate.

e.g.

curl -X POST https://<domain>.auth0.com/passwordless/start \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "<clientId>",
    "client_secret": "<clientSecret>",
    "connection": "email",
    "email": "xxxxxx@xxxx.com",
    "send": "link",
    "authParams": {
      "scope": "openid profile",
      "redirect_uri": "<redirectUrl>"
    },
    "metadata": {
      "name": "Joe Blogs",
      "invitedByName": "Anne Green",
      "businessName": "Acme Co",
      "randomData": "xyz"
    }
  }'

and then use it to render the email via Handlebars, e.g.

<p style="font-size: 1.2em;line-height: 1.3;-webkit-text-size-adjust: 100%;-ms-text-size-adjust: 100%;">Hi {{ metadata.name }}, {{ metadata.invitedByName }} has invited you to {{ application.name }}. Click and confirm that you want to sign in to {{ application.name }}. This link will expire in three minutes.</p>
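As an added illustration (not code from the original post or from Auth0), here is what the proposed request body and a safe rendering of the personalised template would look like on the application's side. The `metadata` field is the hypothetical addition requested above, not something the current `/passwordless/start` endpoint accepts; the `{{ }}` resolver is a minimal stand-in for Handlebars that, like Handlebars' double-stash, HTML-escapes every value. That escaping is the part worth noticing: the invitee and inviter names are whatever the admin typed into the invite form, and they end up inside HTML. Client ids, email addresses and names below are constructed sample values.

```python
import html
import json
import re
from typing import Any, Dict


# Hypothetical request body for POST /passwordless/start: "metadata" is the field the
# feature request asks for, not a field the current API accepts.
def build_start_payload(client_id: str, client_secret: str, email: str,
                        redirect_uri: str, metadata: Dict[str, str]) -> Dict[str, Any]:
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "connection": "email",
        "email": email,
        "send": "link",
        "authParams": {"scope": "openid profile", "redirect_uri": redirect_uri},
        "metadata": metadata,
    }


# The template from the post, without the inline CSS.
INVITE_TEMPLATE = (
    "<p>Hi {{ metadata.name}}, {{metadata.invitedByName}} has invited you to "
    "{{ application.name }}. Click and confirm that you want to sign in to "
    "{{ application.name }}. This link will expire in three minutes.</p>"
)

# Matches {{ path.to.value }} with any amount of inner whitespace.
_PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")


def render_template(template: str, context: Dict[str, Any]) -> str:
    """Resolve dotted placeholders against `context`, HTML-escaping every value.

    The names come from whatever the admin typed into the invite form and are
    interpolated into HTML, so every value is escaped. Handlebars' {{ }}
    escapes the same way; {{{ }}} would not.
    """
    def lookup(match) -> str:
        node: Any = context
        for part in match.group(1).split("."):
            if not isinstance(node, dict) or part not in node:
                return ""  # unresolved placeholder renders empty, as in Handlebars
            node = node[part]
        return html.escape(str(node), quote=True)

    return _PLACEHOLDER.sub(lookup, template)


def render_invite_email(template: str, payload: Dict[str, Any], application_name: str) -> str:
    """Build the Handlebars-style context the post proposes and render the body."""
    context = {
        "metadata": payload.get("metadata", {}),
        "application": {"name": application_name},
    }
    return render_template(template, context)


if __name__ == "__main__":
    payload = build_start_payload(
        client_id="<clientId>", client_secret="<clientSecret>",
        email="invitee@example.com", redirect_uri="https://app.example.com/callback",
        metadata={"name": "Joe Blogs", "invitedByName": "Anne Green", "businessName": "Acme Co"},
    )
    print(json.dumps(payload, indent=2))
    print(render_invite_email(INVITE_TEMPLATE, payload, "Acme Portal"))
```

If the email provider ever offered a raw (triple-stash) interpolation, the same admin-typed names would go into the message unescaped, so the escaping belongs in the renderer rather than being left to whoever writes the template.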

Hi Myee,

Have you been able to create and send innovations to users to create passwordless accounts?

Not with Auth0 Passwordless authentication. We had to build it ourselves through our own microservices that interact with the Auth0 API and in the web app use the Resource Owner Grant Flow to “silently” log the user in (that is not ideal).

With Auth0 passwordless we could not use the magic link for the reasons above, and it can't be used with Universal Login.

Another issue with the magic link for us was, we invite the user, and we want to know the status of the invite. E.g. if an admin user invites someone, it's pending. Once they click the link it's activated. If they don't create a login in the expiry time then it is expired. So the admin user knows from the UI if they need to resend an invite. We also want the ability to cancel a pending invite. There was no sane way I could think of to implement this logic with the magic link.

Technically all the magic link does is stick a token on the link in an email, and if the link has not been clicked and is not expired, when the link is clicked it creates an Auth0 user profile that uses the passwordless connection. We actually have a database connection that requires a username+password, so we would have had to redirect users to a page to get them to set a password and use the Auth0 API to create another user profile that then gets linked to the passwordless one.

If you don't have our requirements with the invitation email being personalised, don't have the invite logic I mentioned, and don't use Universal Login, then you could potentially use the passwordless login.

I think really passwordless authentication with a magic link though, is meant for just that - passwordless login (not user invitation).
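As an added example (not the poster's own code, and independent of Auth0), a minimal version of the invitation lifecycle described in the reply above: an invite is pending until its link token is redeemed, reads as expired once the three-minute window passes, and can be cancelled or re-sent from the admin side. Only a hash of the token is persisted, a token works exactly once, and a re-send invalidates the previous link. The in-memory store, the email addresses and the fixed timestamp `T0` are constructed for the example; callers pass the current time in explicitly so the behaviour is reproducible.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# The thread mentions a three-minute link expiry; that is the window used here.
INVITE_TTL = timedelta(minutes=3)
# Fixed clock for reproducible runs (constructed value; callers pass "now" explicitly).
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _hash_token(token: str) -> str:
    # Only the hash is persisted, so a leaked invite table cannot be turned into working links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class Invite:
    invite_id: str
    email: str
    invited_by: str
    token_hash: str
    created_at: datetime
    expires_at: datetime
    state: str = "pending"  # pending | activated | cancelled
    activated_at: Optional[datetime] = None


class InviteStore:
    """In-memory stand-in for the invite table a microservice would keep."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Invite] = {}
        self._id_by_token_hash: Dict[str, str] = {}

    def create(self, email: str, invited_by: str, now: datetime) -> Tuple[Invite, str]:
        token = secrets.token_urlsafe(32)  # the raw token goes only into the emailed link
        invite = Invite(
            invite_id=secrets.token_hex(8),
            email=email,
            invited_by=invited_by,
            token_hash=_hash_token(token),
            created_at=now,
            expires_at=now + INVITE_TTL,
        )
        self._by_id[invite.invite_id] = invite
        self._id_by_token_hash[invite.token_hash] = invite.invite_id
        return invite, token

    def status(self, invite_id: str, now: datetime) -> str:
        """What the admin UI shows: pending, activated, cancelled or expired."""
        invite = self._by_id[invite_id]
        if invite.state == "pending" and now >= invite.expires_at:
            return "expired"
        return invite.state

    def cancel(self, invite_id: str, now: datetime) -> bool:
        """Only a pending (unexpired, unused) invite can be cancelled."""
        if self.status(invite_id, now) != "pending":
            return False
        self._by_id[invite_id].state = "cancelled"
        return True

    def resend(self, invite_id: str, now: datetime) -> Tuple[Invite, str]:
        """Issue a fresh link; the previous one must stop working."""
        old = self._by_id[invite_id]
        if old.state == "pending":
            old.state = "cancelled"
        return self.create(old.email, old.invited_by, now)

    def redeem(self, token: str, now: datetime) -> Optional[Invite]:
        """Called when the link is clicked. Returns the invite only if it is
        still pending and unexpired; the token is single-use."""
        invite_id = self._id_by_token_hash.get(_hash_token(token))
        if invite_id is None or self.status(invite_id, now) != "pending":
            return None
        invite = self._by_id[invite_id]
        invite.state = "activated"
        invite.activated_at = now
        return invite


if __name__ == "__main__":
    store = InviteStore()
    invite, token = store.create("invitee@example.com", "admin@example.com", T0)
    print(store.status(invite.invite_id, T0))               # pending
    print(store.redeem(token, T0 + INVITE_TTL / 6).state)   # activated
    print(store.redeem(token, T0 + INVITE_TTL / 6) is None)  # True (single use)
```

The redeem step is where the account creation the reply describes would hang off: once `redeem` returns an invite, the application can send the user to its own set-a-password page and create the database-connection profile, and the admin UI keeps reading `status` for the pending/activated/expired display without any state living in the link itself.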