Feature request: Completely Passwordless Auth with WebAuthN, SMS and Email

Feature:
Completely Passwordless Auth with WebAuthN, SMS and Email

Description:
The ability to go completely passwordless using WebAuthN, SMS or Email.
There would be two auth flow options:

  1. Biometrics
     • User enters email/mobile number
     • User receives MFA code to email/phone number
     • User enrols device for Biometric auth (WebAuthN)
     • User is authenticated
  2. Magic link
     • User enters email/mobile number
     • User receives MFA code to email/phone number
     • User receives auth link to email/phone number
     • User visits link and is authenticated

Use-case:
My company are building a crypto wallet and security is the biggest concern. Passwords are not safe and reliable forms of authentication. The ability to go completely passwordless would ensure a higher level of security for our app and customers.

I just found out the New Universal Login Experience doesn’t support Passwordless SMS and Email features. This is a major downside to the product. I would like to have an authentication flow that is completely passwordless.
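
The magic link flow from the request above, modelled server-side as an added example; it is not Auth0's code or part of the original thread. The class name `PasswordlessGate`, the lifetimes and the attempt limit are assumptions.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 300       # seconds a code stays valid (assumed value)
LINK_TTL = 600      # seconds a magic link stays valid (assumed value)
MAX_OTP_TRIES = 5   # guesses allowed per code (assumed value)

class PasswordlessGate:
    """In-memory model: code to email/phone first, then a single-use link."""
    def __init__(self, key=None, clock=time.time):
        self.key = key or secrets.token_bytes(32)
        self.clock = clock
        self.otps = {}    # identifier -> [code MAC, expiry, tries left]
        self.links = {}   # token MAC -> (identifier, expiry)

    def _mac(self, value):
        # Only keyed digests are stored, so a dump of the store
        # reveals neither live codes nor live link tokens.
        return hmac.new(self.key, value.encode(), hashlib.sha256).digest()

    def start(self, identifier):
        """User enters email/mobile number; a code is created for delivery."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[identifier] = [self._mac(identifier + ":" + code),
                                 self.clock() + OTP_TTL, MAX_OTP_TRIES]
        return code  # goes to the mail/SMS sender, never back to the browser

    def verify_code(self, identifier, code):
        """A correct code yields the link token; anything else yields None."""
        entry = self.otps.get(identifier)
        if entry is None or self.clock() > entry[1] or entry[2] <= 0:
            self.otps.pop(identifier, None)   # expired or guesses exhausted
            return None
        entry[2] -= 1                         # count the attempt before comparing
        if not hmac.compare_digest(entry[0], self._mac(identifier + ":" + code)):
            return None
        del self.otps[identifier]             # a code works once
        token = secrets.token_urlsafe(32)
        self.links[self._mac(token)] = (identifier, self.clock() + LINK_TTL)
        return token

    def redeem_link(self, token):
        """Visiting the link authenticates once, and only before expiry."""
        record = self.links.pop(self._mac(token), None)
        if record is None or self.clock() > record[1]:
            return None
        return record[0]
```
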

Thanks for the feedback!

Hi Dan, our company requires this feature too. Universal Login Experience doesn’t support Passwordless SMS. Could you please update us when this feature will be on your roadmap?

1 Like

Hi @shreyas.purohit,

We are expecting it towards Q4 this year, but it is possible that timeline could change.

Edit: This was a target for passwordless SMS with New Universal Login in response to a specific question. This is not a target for Passwordless with webauthn.

1 Like

@dan.woda Is this still on track for Q4?

@evp,

It looks like the target has been pushed to Q1. As I mentioned, it’s still possible this target could change.

Edit: This was a target for passwordless SMS with New Universal Login in response to a specific question. This is not a target for Passwordless with webauthn.

Is there any roadmap we can subscribe to for updates on this?

@adam.ard

This is the best place to find updates on this item.

Thanks

Latest Auth0 roadmap says Q1 2023 (Feb-April) includes “Passwordless flows for Universal Login”. We’ve been waiting a long time for this, and are super keen to use it in Universal login. (Early access would be great Auth0 team! Note: we’re also an enterprise customer).

Also in Auth0’s Q1 roadmap is “FIDO passkey - Beta”. Given PassKeys is now supported in Apple’s iOS16/MacOS Ventura, and coming soon to Microsoft Windows/Edge and Google’s Android/Chrome, this can’t come soon enough!

2 Likes

@dan.woda having turned on the newly-supported email+passwordless option now available in the naive Universal login flow (:clap:), we couldn’t understand why WebAuthn wasn’t working, in exactly the same way it would for email+password – especially as Auth0’s own UI shows that password or passwordless 1FA enjoys the same logic flow (as would be expected).

Surprisingly, WebAuthn simply doesn’t work for 1FA with email passwordless activated. Auth0 team, will this be fixed soon? (We’re especially looking forward to the forthcoming PassKeys support, but unless WebAuthn is fixed for passwordless, I suspect this will also not work).

+1 for that one. Surprised why WebAuthN doesn’t work for passwordless flow.

2 Likes

Is that fixed? Do you have some information on that?

Hey folks, apologies for the delay. I don’t have any updates regarding webauthn + passwordless sms/email, it is still in our backlog.

To be clear, the timelines I mentioned in this thread were in direct response to a question about new universal login support for SMS. I think there may be some confusion in this thread and I’d like to apologize for that, I should have been more explicit. I’m going to update my posts to reflect it.

A post was split to a new topic: Passkeys vs WebAuthn

Hi @dan.woda,

Are there any updates on that? Looks like the quarter has passed. If it’s needed, we can raise our use case and business problem. Do you already have some specific timelines on that? We would like to see biometry as a separate user identity, like email, SMS, or Google, that users can use to authenticate, as they authenticate via the passwordless flow for now.

Or probably I may be wrong and missing something, and it’s possible to implement passkeys without using password login for now.

And also, I believe this thread was also created around the idea of giving users the ability to, on the one New Universal Page, use email, phone, and passkeys to register/login at the same time. Is that something you are considering? Our business problem is still that our users, on the SSO page, can’t choose between Email & Phone during login; we should handle that on our side. Ideally, we would like to give our users an option to login using Passkeys, Email OR Phone number.

A lot of products using passwordless require two identities from the user during registration, so they will be able to regain access if they lose a device/email. Such products also give users options to login through SMS or Email on the SSO page. That is what we are looking forward to achieving.

Thank you all for your active participation here!

We are aware of your interest in enabling passwordless (sms/email) and biometrics as the First identity factors to be chosen between while logging in.

We will be updating here if any decisions are made on that on our side.