Register new users without password?

I would like to know if we can configure the universal login to sign up (register) new users without requiring a password? We want to authenticate and create the user via SMS/Email OTP and nothing else.

Hi @Riftsan , welcome to the community!

You would need to configure your Universal Login page to use a Passwordless connection, and then have your apps only enable the relevant passwordless connection. Please see the documentation here:

Please note that you can only use Email or SMS unless you provide additional parameters in your authorize request, which could be read from config.extraParams and used in your code’s logic to set the allowedConnections parameter dynamically:

Currently, the New Universal Login experience does not support email or SMS Passwordless connections, but can support WebAuthn with Device Biometrics. So to use Email or SMS you would need to use the Classic Universal Login Experience:

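The reply above describes reading `config.extraParams` on the Classic Universal Login page and using it to set `allowedConnections`. The following is an added example of that selection logic, not code from the thread or from Auth0's own templates. It assumes a hypothetical custom parameter named `otp_channel` (value `sms` or `email`) is added to the `/authorize` request, and that the tenant's passwordless connections use their default names `sms` and `email`; the `config` fields it reads (`clientID`, `auth0Domain`, `callbackURL`, `callbackOnLocationHash`, `internalOptions`, `extraParams`) are the ones the Classic page decodes from the `@@config@@` placeholder. The sample config at the bottom is constructed so the functions can be exercised without a browser.

```javascript
// Added example (not from the thread or Auth0's own templates).
// Assumptions: the app sends a hypothetical "otp_channel" parameter ("sms" or
// "email") in the /authorize request, and the passwordless connections are
// named "sms" and "email" (the tenant defaults).

const PASSWORDLESS_CONNECTIONS = { sms: 'sms', email: 'email' };

// Map the requested channel to the single connection Lock may show. Unknown or
// missing values fall back to email, so this is an allow-list: the page never
// exposes a connection name that arrives verbatim from the request.
function selectPasswordlessConnection(extraParams) {
  const requested = String((extraParams && extraParams.otp_channel) || '').toLowerCase();
  return PASSWORDLESS_CONNECTIONS[requested] || PASSWORDLESS_CONNECTIONS.email;
}

// Build the options object for Auth0LockPasswordless from the decoded page config.
function buildLockOptions(config) {
  const extraParams = config.extraParams || {};
  const internalOptions = config.internalOptions || {};
  const connection = selectPasswordlessConnection(extraParams);
  return {
    allowedConnections: [connection],
    // Only relevant for the email connection: "code" sends an OTP instead of a magic link.
    passwordlessMethod: 'code',
    auth: {
      redirect: true,
      redirectUrl: config.callbackURL,
      responseType: internalOptions.response_type ||
        (config.callbackOnLocationHash ? 'token' : 'code'),
      params: internalOptions,
    },
    closable: false,
    rememberLastLogin: false,
  };
}

// Constructed sample config, shaped like the object the Classic page decodes with
//   JSON.parse(decodeURIComponent(escape(window.atob('@@config@@'))))
// Placeholder identifiers only; they are not real tenant values.
const SAMPLE_CONFIG = {
  clientID: 'CLIENT_ID_PLACEHOLDER',
  auth0Domain: 'example.auth0.com',
  callbackURL: 'https://app.example.com/callback',
  callbackOnLocationHash: false,
  internalOptions: { response_type: 'code' },
  extraParams: { otp_channel: 'sms' },
};

// On the real page, Lock is then started with the computed options:
//   new Auth0LockPasswordless(config.clientID, config.auth0Domain, buildLockOptions(config)).show();
// The guard keeps this block runnable outside a browser.
if (typeof Auth0LockPasswordless !== 'undefined' && typeof window !== 'undefined') {
  new Auth0LockPasswordless(SAMPLE_CONFIG.clientID, SAMPLE_CONFIG.auth0Domain,
    buildLockOptions(SAMPLE_CONFIG)).show();
}
```

Because `extraParams` is attacker-controllable (anyone can craft an `/authorize` URL), the mapping is a fixed allow-list rather than passing the parameter value straight into `allowedConnections`.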

Thanks for helping on this one, Steve!


@sgo Thank you for your response. We are currently using password-less connections, and we noticed a few things.

  1. The accounts are not stored in the Auth0 database.

    • What is the difference between using the database and creating users via password-less?
    • Are there any fallbacks or issues that we may encounter later on?
  2. What would be the best way to identify if a user already exists by checking email & phone numbers?

Here is the list of APIs that we are using currently:

  1. We noticed that once an OTP is sent to a user, the account gets created regardless of whether the user was verified. This causes conflicts because we think we may get stale accounts from users not completing the verification. Are there policies that we can run to remove these accounts, or are we missing something?

  2. We are also considering creating users in the database with a randomized password that will never be shared, but we enable password-less connections. Do you think this would be a better approach?

Our goal is to:

  1. Verify a user via SMS/Email OTP without creating a password.
    - Use that same email/phone to log in to their account.
  2. Not have non-verified users created.
  3. Only send one registration verification code per user.

Thank you!

@konrad.sopala @sgo Do you guys happen to know the answer to these questions? Or have documentation that could point us in the right direction? Thank you!

Hi @Riftsan , I’ve been drafting this reply as and when I’ve had a spare moment, sorry for the wait:

1.) Passwordless accounts will have a profile stored in your Auth0 tenant once the user has logged in once successfully, and should be marked as verified automatically as they would have proven they have access to the email / phone number by the act of logging in successfully.
Otherwise, they are the same as database connection users except for their method of authentication, and can be found in the Users section of your tenant dashboard like any other connection type.

2.) A database connection will not allow a user to sign up with the same email address, and a passwordless connection would treat anyone who can prove they are in possession of a given email account / phone number by sending back the right OTP code as the user assigned to said email/phone number, so it should not be possible for any duplicates to be created. However, you cannot control users using multiple emails or phone numbers to create new accounts (accidentally or intentionally), and would have to link these accounts if needed:

Please note though that if you were to start using both Database and Passwordless connections, they are treated as completely separate identities, so a user could have 2 accounts for the same email address for example split across the 2 connections.

3.) Unless you are creating these users via the Management API, passwordless users who complete a login will have an account created only after the login, and will be marked as verified. If you are creating users ahead of time, then they will need to log in once successfully to be marked as verified.

4.) I don’t think this would provide any benefit over just using a passwordless connection, unless you wanted to at some point make the users start using a password to log in. But I may have misunderstood your need for this second Database connection based account.

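The reply above answers the question of how to tell whether an email or phone number already belongs to an account, and warns that a Database connection and a Passwordless connection hold separate identities, so one email can exist in both. The following is an added example of that check, not code from the thread or from Auth0; it builds the `q` value for a Management API user search (`GET /api/v2/users?q=...&search_engine=v3`) and then inspects the returned records for the split-identity case. The user records are constructed to resemble Management API responses and no request is made; the connection names `email`, `sms` and `Username-Password-Authentication` are the tenant defaults and an assumption.

```javascript
// Added example (not from the thread or Auth0's own code).
// The sample user records below are constructed; nothing here calls the API.

// Escape a value for use inside a quoted Lucene term.
function luceneQuoted(value) {
  return '"' + String(value).replace(/["\\]/g, '\\$&') + '"';
}

// Build the q= parameter for the v3 user search. Email and phone_number are
// exact-match terms; either side may be omitted.
function buildUserSearchQuery({ email, phone }) {
  const terms = [];
  if (email) terms.push('email:' + luceneQuoted(email.toLowerCase()));
  if (phone) terms.push('phone_number:' + luceneQuoted(phone));
  if (terms.length === 0) throw new Error('need an email or a phone number');
  return terms.join(' OR ');
}

// From the search results, return one entry per matching account with the
// connection it lives in and whether that contact has been verified there.
function findMatchingAccounts(users, { email, phone }) {
  const wantEmail = email ? email.toLowerCase() : null;
  return users
    .filter((u) =>
      (wantEmail && u.email && u.email.toLowerCase() === wantEmail) ||
      (phone && u.phone_number === phone))
    .map((u) => ({
      user_id: u.user_id,
      connection: u.identities[0].connection,
      verified: Boolean(u.email_verified || u.phone_verified),
    }));
}

// True when the same contact is spread over more than one connection: the case
// the reply describes, which calls for account linking rather than a new sign-up.
function hasSplitIdentity(matches) {
  return new Set(matches.map((m) => m.connection)).size > 1;
}

// Constructed sample: one address in the Passwordless "email" connection, the
// same address (different case) in the database connection, and an SMS user.
const SAMPLE_USERS = [
  { user_id: 'email|aaaa', email: 'alice@example.com', email_verified: true,
    identities: [{ connection: 'email', provider: 'email' }] },
  { user_id: 'auth0|bbbb', email: 'Alice@example.com', email_verified: false,
    identities: [{ connection: 'Username-Password-Authentication', provider: 'auth0' }] },
  { user_id: 'sms|cccc', phone_number: '+15550001111', phone_verified: true,
    identities: [{ connection: 'sms', provider: 'sms' }] },
];

// Usage: a server-side check before creating a user ahead of time.
const lookup = { email: 'alice@example.com', phone: '+15550001111' };
const query = buildUserSearchQuery(lookup);            // send as q= with search_engine=v3
const matches = findMatchingAccounts(SAMPLE_USERS, lookup);
if (hasSplitIdentity(matches)) {
  // Same contact in two connections: link them instead of creating a third account.
}
```

Only the Management API, called from a backend with a Machine-to-Machine token, can run this search; it must not be exposed to the login page itself, since it would otherwise let anyone enumerate which emails and phone numbers have accounts.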
