Auth0 Home Blog Docs

Passcode only login functionality

custom-login
passwordless

#1

I have a typical user registration journey(mobile app) which during signup takes email, name, mobile and passcode(also unique). I am then creating a user with the “/dbconnections/signup” api.

Now during login I want to authenticate the user with only his unique passcode(no email given).

This is where I need some advice on how to go about achieving this? I know Auth0 allows login using “User-Password-Authentication”, Passwordless - SMS, Email only, Touch ID functionalities but none of them help my case.

Any help is much appreciated!


#2

That does not sound right, if you enforce the uniqueness on passcode that means you need to generate it automatically which likely results in you choosing to generate very easy to remember (guess) passcode’s or hard to remember (aka users will have to write them down somewhere which is not ideal).

The above assumption is because if you allow end-users to provide the passcode themselves then whenever someone entered an already existing one that end-user would also have just found a way to login to another end-user account.

If the goal is to simplify the login experience you may indeed go with passwordless authentication through email or SMS instead of traditional username/email and password credentials.


#3

Yes, but what if we don’t allow the end-user to create a passcode which already exists(while registration) ?

This would maintain uniqueness of passcode having 1-1 relatiionship(enduser-passcode)


#4

That would result in you failing the registration because it’s not unique and then as I mentioned:

whenever someone entered an already existing one that end-user would also have just found a way to login to another end-user account.


#5

Ok I understand the issue. On a different note wanted to ask, can we use only “auth0 userID” to authenticate/login a user ?


#6

No, not that I’m aware. You can setup it so that users use a one-time code delivered to their email or phone to authenticate which would mean they would not have to memorize any additional credential. An approach like this could offer some simplicity for end-users, but it would not be a repeatable code/identifier that they could use everytime.


#7

Thanks for the info. I maybe not looking correctly but I wanted to know if there is “login” API to check if user exists in Auth0 db ?

I know there is “/authorize” to authorize a client, but I wanted for users in an account who were registered using “/signup”.


#8