Skip to content
Home » Developer Tutorials » A Developer’s Guide to Passwordless Authentication

A Developer’s Guide to Passwordless Authentication

Writer Name: Kenneth Ekandem

As its name implies, passwordless authentication is the process of verifying a user’s identity without the use of a password. There are a variety of methods by which this can be carried out, such as magic links, one-time passwords (OTPs), biometric scans, and mobile authentication.

Using these methods for passwordless authentication can be beneficial for several reasons, including:

  • Security: Using passwordless authentication makes an application more secure, as there is more uniqueness to the authentication process. For instance, with the OTP approach, all passcodes involve randomly generated numbers that are different and don’t repeat. There’s much less concern for data or identity theft, and it offers protection against two of the most dangerous and prevalent cyberattacks: phishing and brute force attacks.
  • Better user experience: Passwordless authentication naturally implies that users do not need to remember a password. With magic links and OTPs, a unique link or sequence of numbers is sent to the user’s email or phone number, giving them a secure and effortless experience—it’s as easy as clicking a link or checking their phone for a code.
  • Reduced long-term cost: With passwordless authentication, there is no need for organizations to invest in password management and storage. These investments typically amount to hefty annual costs that often continue to grow over time, in addition to the hours of productivity accounted for in the IT department.

In this guide, you’ll learn more about the various methods for performing passwordless authentication and explore tips for implementing them in your platform or application.

Implementing Passwordless Authentication

Now that you understand some of the benefits of passwordless authentication, let’s discuss a few methods for implementing it and unpack how each of them works.

This method of authentication involves the application sending the user a link via an inputted email or phone number, which can be used to automatically log them in for a period of time. Generally, the link can be used repeatedly before the time period expires. The verification process involves the creation of a token connected to the user-provided email address or phone number, which is then checked and authenticated by the application upon login.

Magic links can provide a great customer experience because they are impulsive, familiar, and simple for users. Furthermore, they don’t require developers to maintain the infrastructure for safe password storage. However, there are a few cautionary factors to consider:

  • Magic links rely heavily on the user’s email address provider, which means that magic links are only as secure as the user’s email address. The delivery speed of the provider is also a factor in ensuring the utility of the link, as slow email speeds may lead to distraction or abandonment. Additionally, spam filters may occasionally derail users from easy receipt of the email link.
  • Because magic links are persistent, it’s important to specify an expiry time in order to avoid unnecessary security vulnerabilities.
  • It’s also important to consider what happens when users send multiple requests in quick succession. For best security, the most rational way to handle this would be to ensure that older links expire, only granting access from the most recently sent link.

The implementation of magic links involves token generation and validation and can be broken down into two broad categories: stateful and stateless implementation. Let’s take a closer look at each of these.

Stateful Implementation

This category of implementation involves:

  1. Generating an arbitrary token as a random string
  2. Keeping the generated tokens in the server’s data store with associated user information and an expiration date
  3. Sending the generated token with the magic link
  4. Accomplishing token verification by matching the state of the token in the server’s data store

The steps above indicate that stateful implementation requires a separated data store on the server side. Third-party services that provide passwordless authentication, such as Auth0, can also be used.

Stateless Implementation

This category of implementation involves:

  1. Generating an authentication token with user information that is digitally signed
  2. Sending the generated token with the magic link
  3. Accomplishing token verification through electronic signature verification

Unlike stateful implementation, stateless implementation does not require a separate data store. A JSON Web Token (JWT) is an example of a token that can be used to achieve this.

One-Time Passwords (OTP)

A one-time password is a set of numbers (typically up to six digits) that is sent to a user to log in to a platform once. This alternative to contemporary passwords is considered more secure, as the OTP is renewed each time the user accesses the application for a single login session. In many cases, it’s used as an extra layer of security for a user’s account, making it more challenging for unauthorized users to access confidential information, networks, or online accounts.

There are a few different types of OTPs, categorized under hard tokens and soft tokens.

Hard tokens are physical devices (hardware devices) that communicate OTPs to a user. They are further classified into the following types:

  • Connected tokens: Users connect these tokens, such as smart cards or USB drives, into the system or device they are trying to access.
  • Disconnected tokens: This method of token generation is done manually by a user who inputs information into the system for verification, based on a series of numbers displayed on a piece of hardware. When the token is inputted, information is transmitted automatically and the user is authenticated.
  • Contactless tokens: These tokens, such as Bluetooth tokens, carry authentication data to a system which then examines the information and decides if the user has access rights.

Soft tokens, on the other hand, are sent through software on devices like mobile phones or laptops. There are a few ways to accomplish this, including:

  • SMS: In this method, anytime a user attempts to log in, they receive a text message with an OTP to their registered phone number.
  • Voice calls: Here, the OTP is communicated to the user through a phone call.
  • Push notifications: An OTP is sent to the user through a push notification on the app.

These types of OTPs all follow the same basic process. The user sends authentication data to a system, which verifies if the data is correct. If so, the system grants the user authorized access.

Biometric Authentication

Another way to accomplish passwordless authentication is by using a biometric signature to verify the identity of the user. In this case, a physical aspect of the user (like a fingerprint, eye, or face) is scanned for specific characteristics. If matched to a copy within the given database, the user is granted access and the authentication is considered to be successful. Real-world solutions may involve facial recognition, finger or palm recognition, iris or retina recognition, or even voice recognition.

Biometric authentication accomplishes two clear functions: identification and authentication/verification. In the identification process, the user information is gathered and compared against a database of a vast number of user characteristics, such as hair color, eye color, scars, etc. The verification function ensures that the biometric signature provided by the user matches an existing one in the database and then verifies the user based on the response.

The biometric comparison data may involve physiological attributes (classification based on a part of the human body, such as facial or fingerprint recognition) or behavioral attributes (measurements obtained from user actions such as voice recognition or a handwritten signature). Biometric authentication betters the user experience by diminishing risk; factors like the impossibility of another user guessing their password and the lower concern for identity theft—since biometric information like fingerprints are not transferable—make it a highly secure method.

Mobile Authentication

Finally, this type of passwordless authentication involves validating a user through a mobile device, using an existing authentication tool such as Google Authenticator or Octopush to verify whether the user is authorized for access.

Octopush is an SMS service that helps to automate the process of sending SMS texts using an SMS API. It allows for the implementation of multifactor authentication (MFA) and two-factor authentication (2FA), supports a universal system based on HTTP and SMTP protocols, and has a huge capacity for SMS sending. Implementing 2FA using mobile authentication involves the following general steps:

  • First, check if the user has activated 2FA. If so, generate a code to be saved to the database.
  • The same code is sent to the user as they are redirected to the double-authentication page.
  • The user receives the code by SMS and submits the double-authentication form.
  • The code the user submitted is compared with the one saved in the database. If it matches, the user authentication is validated.

User experience and security are prioritized with multiple sources of authentication, which the user can activate.


In this article, you learned about passwordless authentication, which provides users with a quicker and more secure method to log in to an application with no need to memorize passwords. The benefits of this process range from better security to great user experience and reduced long-term costs. There are several popular methods for implementing passwordless authentication, such as magic links, OTPs, biometric authentication, and mobile authentication.

Be sure to check out Octopush, a great SMS platform for mobile authentication using 2FA and multifactor authentication. Visit their help center for guides and FAQs or book a call to learn more.