We currently use magic links for users who sign in via e-mail. These have been full of problems especially with users on corporate firewalls or Microsoft Outlook where those magic links are seem to no longer work when they attempt to sign in. We’d like to start migrating users to username/password. Here are some questions off the top of my head:
Is it possible to give users a choice of staying with the magic link (if it works for them)? Or must we use one or the other?
How do users change login methods to username/password without creating a new account? Or is it the same as signing up a new account?
We have user information that’s stored on our own systems and not in Auth0. Will that still remain the case if we use Auth0 to store username/password?
If users can choose login method, can we know which one when they send in just an email? Is there an API where we send it an email address and we get back which login method they prefer? This would affect the way we design our UI.
1 & 2.)If you are using Lock (Classic Universal Login), it can only be configured for either Passwordless or Database type connections, not both at the same time unfortunately.
You could workaround this to an extent by adding conditional logic to your hosted login page to show a “Lock” or “Passwordless Lock” widget based on the connection parameter sent in the /authorize request, or possibly a custom querystring parameter.
The downside is you would need to a way to figure out what method the user wanted to use before firing the /authorize request for this to work. This could be a couple different login buttons in your app or some other means of picking and sending the user with the right parameters to /authorize
Alternatively, you could create a custom login form which can accept both, using Auth0.js or even directly using the Authentication API for a “roll your own auth” (obviously this would require a lot more work on your side than using Lock).
Either way, a passwordless account would be seen as separate to a normal database account, (or any other connection type for that matter), so they would need to “sign up” again to set a password. You could however link the two accounts afterwards though to bring the two profiles together:
3.) Regarding information on your system, this can be kept as is if you prefer, you would just need to have a map between the Auth0 user_id and your internal resources, adding a password just means Auth0 stores the password hash and email/username for you. The only snag is if you require any additional information for authentication authorization purposes, in which case it is best to store that information in Auth0 for best performance so it is easier to access in rules, RBAC policies etc. on the Auth0 side.
4.) There isn’t an API for this unfortunately, you would need to create a custom script that could work this out based on the user profile via the Management API, but I wouldn’t recommend going down that route as this would almost definitely cause problems with rate limits on the Management API if it is fired before every login attempt.
Updating this topic with our latest solution that makes it possible to create an account with flexible identifiers → Activate and Configure Attributes for Flexible Identifiers. You can select between Email, Phone, or Username as Identifiers for your database connection.