
# Passwordless Authentication on Auth0

> Learn about the available methods of passwordless authentication supported by Auth0.

<Tooltip tip="Passwordless: Form of authentication that does not rely on a password as the first factor." cta="View Glossary" href="/docs/glossary?term=Passwordless">Passwordless</Tooltip> authentication provides users with a seamless and more secure login experience. As technology advances, traditional methods of authentication, such as usernames and passwords, become more prone to cyber attacks (like phishing or keylogging) and potential breaches.

With passwordless authentication, users no longer need to remember or manually enter a password to access an application. Instead, they can use a variety of authentication methods that rely on time-based access links and tokens, stored passkeys, biometrics, or social accounts.

By eliminating the reliance on passwords and other memorized codes, you can provide users with a more convenient way of accessing applications while also reducing the likelihood of data breaches due to stolen or weak passwords.

Auth0 currently supports the following methods of passwordless authentication:

* [Social login](#social-login)
* [Passkeys](#passkeys)
* [SMS-based passwordless authentication](#sms-based-passwordless-authentication)
* [Email-based passwordless authentication](#email-based-passwordless-authentication)
* [Biometrics (WebAuthn)](#biometrics-webauthn-)

Each of these methods provides a unique passwordless login experience to users. To learn more about which method is right for your needs, review the sections below.

### Passwordless connections vs. passwordless authentication

A passwordless connection is a distinct connection type from database, social, or enterprise connections. Passwordless connections are used specifically for:

* [SMS-based passwordless authentication](#sms-based-passwordless-authentication)
* [Email-based passwordless authentication](#email-based-passwordless-authentication)

Even though a user from an Auth0 user database or social provider might share the same email address, the identity associated with their passwordless connection is distinct. [Account linking](/docs/manage-users/user-accounts/user-account-linking) can be used to associate passwordless connection identities with other connection identities.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  You cannot create passwordless users from the Auth0 Dashboard. Create them directly from the [Management API](https://auth0.com/docs/api/management/v2/users/post-users) if signup is disabled. In the Connection field, use email for passwordless users using an email address and SMS for passwordless users using a mobile phone number.
</Callout>
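
The request the note above describes, sketched as an added example (not Auth0's own code). It assumes the default passwordless connection names `email` and `sms`, a Management API token with the `create:users` scope, and Node 18+ for `fetch`. The function names, tenant domain, and sample identifiers are hypothetical.

```javascript
// Added example: build and send the POST /api/v2/users body for a passwordless user.
const E164 = /^\+[1-9]\d{1,14}$/;          // international phone format, e.g. +15555550100
const EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // coarse shape check only, not full RFC validation

// Pick the passwordless connection from the identifier type.
// `verified` should be true only if your own process has already confirmed
// that the user controls the address or number.
function buildPasswordlessUser(identifier, verified = false) {
  const value = String(identifier).trim();
  if (E164.test(value)) {
    return { connection: "sms", phone_number: value, phone_verified: verified };
  }
  if (EMAIL.test(value)) {
    return { connection: "email", email: value, email_verified: verified };
  }
  throw new Error("identifier must be an email address or an E.164 phone number");
}

// Send the request. `domain` is your tenant domain (placeholder) and
// `mgmtToken` is a Management API access token kept server-side.
async function createPasswordlessUser(domain, mgmtToken, identifier, verified = false) {
  const res = await fetch(`https://${domain}/api/v2/users`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${mgmtToken}`,
    },
    body: JSON.stringify(buildPasswordlessUser(identifier, verified)),
  });
  if (!res.ok) {
    throw new Error(`Management API returned ${res.status}`);
  }
  return res.json();
}
```

Rejecting malformed identifiers before the call keeps badly formed phone numbers and addresses out of the passwordless connection, where they would otherwise become separate profiles that later need account linking.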

## Social Login

Social login is a method of authentication that allows users to log in to an application using existing credentials from a social <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip>, such as Google or Facebook. As users frequently have their social credentials stored in their browser or device, social login provides a frictionless user experience that requires minimal manual interaction with your application.

The general workflow for social login is as follows:

1. A user arrives at your application’s login screen and selects the **Continue with \[provider]** option.
2. The user follows prompts from the selected provider to authenticate with their existing social credentials.
3. The user is redirected to your application to complete the login process.

For web-based applications, Auth0 supports multiple social identity providers out of the box. Visit the [Social Login](https://marketplace.auth0.com/categories/social-login) section of Auth0 Marketplace to review a full list of supported providers. If a specific provider is not available, you can also configure [custom social login connections](/docs/authenticate/identity-providers/social-identity-providers/oauth2) through the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>.

For native applications, Auth0 supports social login for select providers:

* [Apple](/docs/authenticate/identity-providers/social-identity-providers/apple-native)
* [Facebook](/docs/authenticate/identity-providers/social-identity-providers/facebook-native)
* Google (coming soon!)

For these applications, Auth0 supports social connection token exchange, which enables authentication without the need for web redirects.

## Passkeys

Passkeys are a phishing-resistant alternative to traditional authentication factors, modeled on the FIDO® W3C Web Authentication (WebAuthn) and Client to Authenticator Protocol (CTAP) specifications.

Auth0 supports passkeys as an authentication method for database connections and offers two methods of implementation:

* [Universal Login passkeys](/docs/authenticate/database-connections/passkeys) for web-based applications
* [Native passkeys](/docs/authenticate/database-connections/passkeys/native-passkeys-for-mobile-applications) for Android and iOS applications

Passkeys reduce the friction experienced with single-device authentication methods by allowing credentials to sync across devices. Cross-device authentication eliminates the need for users to re-enroll each of their devices.

An example passkeys workflow for web-based applications is as follows:

1. A user arrives at your application’s Universal Login page and enters their email address.
2. The user then has the choice to create a passkey or continue with traditional authentication.
3. When the user selects **Create a new passkey**, the browser’s passkey flow initiates and prompts the user to authenticate with their device credentials, such as biometrics.
4. After local authentication is complete, the passkey is saved to the user’s device and synced with their passkey provider (such as iCloud or Google).

After this process is complete, the user can authenticate with the saved passkey upon subsequent logins to your application.

## SMS-Based Passwordless Authentication

SMS-based passwordless authentication allows users to access applications using single-use codes known as one-time passwords (OTP). With this implementation, OTPs are sent to users’ phone numbers via SMS.

The general workflow for SMS-based OTPs is as follows:

1. A user arrives at your application’s login screen and enters their phone number.
2. Auth0 sends the user an OTP through SMS.
3. The user copies the code and returns to your login screen.
4. The user enters the code in the space provided and logs in to your application.

To learn more about configuring SMS-based passwordless authentication for different login types, review the resources below:

* [Passwordless Authentication with Universal Login](/docs/authenticate/passwordless/passwordless-with-universal-login)
* [Passwordless Authentication with Classic Login](/docs/authenticate/passwordless/implement-login/universal-login)
* [Passwordless Authentication with Embedded Login](/docs/authenticate/passwordless/implement-login/embedded-login)

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  This category of passwordless authentication is currently treated as a unique connection type in your tenant, separate from other database, social, or enterprise connections.

  When a user authenticates with this method, their profile is created on the passwordless connection using Auth0 as the Identity Provider (IdP). As you cannot ensure users will log in with the same email or phone number every time, users may end up with multiple user profiles in the Auth0 datastore. If duplicates are created, you can associate multiple user profiles by [linking their accounts](/docs/manage-users/user-accounts/user-account-linking).

  In some scenarios, a user profile created through this type of passwordless connection may share an identifier (such as email or phone number) with a profile associated with another type of connection, such as enterprise or social. If this occurs, you can use [account linking](/docs/manage-users/user-accounts/user-account-linking) to associate passwordless profiles with identities from other connections.
</Callout>

## Email-Based Passwordless Authentication

Email-based passwordless authentication encompasses two methods:

* [One-time passwords](#one-time-passwords)
* [Magic links](#magic-links)

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  This category of passwordless authentication is currently treated as a unique connection type in your tenant, separate from other database, social, or enterprise connections.

  When a user authenticates with this method, their profile is created on the passwordless connection using Auth0 as the Identity Provider (IdP). As you cannot ensure users will log in with the same email or phone number every time, users may end up with multiple user profiles in the Auth0 datastore. If duplicates are created, you can associate multiple user profiles by [linking their accounts](/docs/manage-users/user-accounts/user-account-linking).

  In some scenarios, a user profile created through this type of passwordless connection may share an identifier (such as email or phone number) with a profile associated with another type of connection, such as enterprise or social. If this occurs, you can use [account linking](/docs/manage-users/user-accounts/user-account-linking) to associate passwordless profiles with identities from other connections.
</Callout>

### One-time passwords

This method of passwordless authentication allows users to access applications using single-use codes known as one-time passwords (OTP). With this implementation, OTPs are sent to users through their email.

The general workflow for email-based OTPs is as follows:

1. A user arrives at your application’s login screen and enters their email.
2. Auth0 sends an OTP to the user’s email.
3. The user copies the code and returns to your login screen.
4. The user enters the code in the space provided and logs in to your application.

To learn more about configuring email-based passwordless authentication for different login types, review the resources below:

* [Passwordless Authentication with Universal Login](/docs/authenticate/passwordless/passwordless-with-universal-login)
* [Passwordless Authentication with Classic Login](/docs/authenticate/passwordless/implement-login/universal-login)
* [Passwordless Authentication with Embedded Login](/docs/authenticate/passwordless/implement-login/embedded-login)

### Magic links

Magic links are a method of passwordless authentication that allows users to access an application through a link sent to their email. If the user does not access the link within a specific timeframe, the link becomes inaccessible.

The general workflow for magic links is as follows:

1. A user arrives at your application’s login screen and enters their email.
2. Auth0 sends a magic link to the user at the provided email.
3. The user selects the magic link in their email and automatically logs in to your application.

Magic links can only be implemented in Classic Login. To learn more, review the following resources:

* [Passwordless Authentication with Magic Links](/docs/authenticate/passwordless/authentication-methods/email-magic-link)
* [Passwordless Authentication with Classic Login](/docs/authenticate/passwordless/implement-login/universal-login)

## Biometrics (WebAuthn)

Biometrics is a method of passwordless authentication that uses an individual’s physical attributes to verify their identity and grant them access to an application. Auth0 currently supports biometric authentication using fingerprint scans and facial recognition.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  While Auth0 still supports the legacy Identifier First with Biometrics authentication method, it is strongly recommended that you use [passkey-based authentication](/docs/authenticate/passwordless#passkeys) instead.
</Callout>

To implement biometrics for your application, the following configurations are required:

* Enabling [Universal Login](/docs/authenticate/login/auth0-universal-login).
* Setting up a [database connection](/docs/authenticate/database-connections).
* Configuring [Identifier First + Biometrics authentication](/docs/authenticate/login/auth0-universal-login/identifier-first).

When implemented, users can choose to enroll their devices in biometrics after logging in to your application with traditional credentials. To enroll in biometrics, a user must be using a device with biometric capabilities, such as a mobile smart device.

The general workflow for biometric authentication is as follows:

1. A user arrives at your application’s Universal Login page and enters their email address.
2. The user first authenticates with their traditional credentials. Then, they are prompted to enroll their device in biometrics.
3. If the user chooses to enroll, they follow their device’s prompts to complete the biometric setup process.

After the user enrolls their device, they can use biometrics as their primary method of authentication upon subsequent logins to your application.

To learn more about biometric authentication, review [Configure WebAuthn with Device Biometrics for Passwordless Authentication](/docs/authenticate/login/auth0-universal-login/passwordless-login/webauthn-device-biometrics).
