SuperTokens is used by tens of thousands of developers worldwide. It eliminates vendor lock-in and the other trade-offs associated with traditional SaaS providers. With the launch of passwordless, apps can authenticate their users through email addresses or phone numbers!
Easy set-up and configuration, but the best thing is not those...
It's the confidence in what I deploy and what my users interact with since I control all the code/servers and don't have to redirect them off-site for authentication.
Supertokens made it easy to set up passwordless email and GitHub authentication. It's the best open-source authentication library that works end-to-end with Python.
Hi everyone!
Today, we’re releasing the most powerful passwordless solution ever built! 🎉
What is passwordless?
Users can enter their email ID or phone number and receive a "Magic Link" or an "OTP" instead of a password.
Magic links are URLs that contain a unique identifier (the password) embedded in the URL itself. The OTPs and magic links are time-based and one-time-use only. They expire quickly and can only be accessed by someone who has access to that specific email ID or phone number.
Advantages and concerns:
Users often reuse the same password or use "password123", which can be guessed or brute-forced. Taking passwords out of the equation removes this concern.
In terms of UX, passwordless may present a significantly improved UX depending on the type of app and user.
E.g., phone-number-based OTPs may be a great way to maximize sign-up conversions for mobile apps.
We support email- and phone-based auth in our implementation of passwordless. WebAuthn and push-notification-based auth coming soon!
I'd love to hear what you think about passwordless and answer any questions about user experience and security!
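The post above describes the properties that make an OTP or magic link safe to use in place of a password: the secret is random, short-lived, single-use and bound to one email address or phone number. The following is an added illustration written for this page, not SuperTokens' own code or SDK: a minimal server-side challenge store that issues a 6-digit OTP and a magic link for the same challenge, keeps only hashes of them, enforces expiry and one-time use, and caps guesses on the short numeric code. The 5-minute lifetime, the 5-attempt cap and the `app.example.com` verify URL are assumed values.

```python
"""Passwordless OTP / magic-link issuance and verification (example code).

Not SuperTokens' implementation. Shows the properties the post describes:
random secret, bound to one contact, time-limited, single-use, hashed at rest.
The in-memory dict stands in for a database table of outstanding challenges.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

OTP_TTL_SECONDS = 300      # assumed: codes and links die after 5 minutes
MAX_OTP_ATTEMPTS = 5       # assumed: a 6-digit code is guessable, so cap attempts
LINK_BASE = "https://app.example.com/auth/verify"   # hypothetical verify endpoint


def _digest(secret: str) -> bytes:
    # Only a hash is stored, so a leaked table does not yield live codes or links.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class Challenge:
    contact: str          # the email address or phone number the secret was sent to
    code_hash: bytes      # sha256 of the OTP
    link_hash: bytes      # sha256 of the token carried in the magic link
    expires_at: float
    attempts: int = 0


class PasswordlessStore:
    """Server-side store of outstanding challenges; one challenge covers both factors."""

    def __init__(self, now=time.time):
        self._now = now                     # injectable clock so expiry can be exercised
        self._challenges: dict[str, Challenge] = {}

    def issue(self, contact: str) -> tuple[str, str, str]:
        """Create a challenge. Returns (challenge_id, otp, magic_link): the id is kept
        by the client that started the flow, the OTP and link are delivered out of band."""
        challenge_id = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"     # uniform 6-digit code from a CSPRNG
        link_token = secrets.token_urlsafe(32)      # 256-bit secret: not guessable online
        self._challenges[challenge_id] = Challenge(
            contact=contact,
            code_hash=_digest(otp),
            link_hash=_digest(link_token),
            expires_at=self._now() + OTP_TTL_SECONDS,
        )
        magic_link = f"{LINK_BASE}?cid={challenge_id}&token={link_token}"
        return challenge_id, otp, magic_link

    def _live(self, challenge_id: str) -> Optional[Challenge]:
        ch = self._challenges.get(challenge_id)
        if ch is None:
            return None                             # unknown, already used, or locked out
        if self._now() >= ch.expires_at:
            del self._challenges[challenge_id]      # expired: remove it for good
            return None
        return ch

    def verify_otp(self, challenge_id: str, otp: str) -> Optional[str]:
        """Return the authenticated contact, or None. Every wrong guess is counted and
        the challenge is destroyed once MAX_OTP_ATTEMPTS is reached."""
        ch = self._live(challenge_id)
        if ch is None:
            return None
        ch.attempts += 1
        if not hmac.compare_digest(ch.code_hash, _digest(otp)):   # constant-time compare
            if ch.attempts >= MAX_OTP_ATTEMPTS:
                del self._challenges[challenge_id]
            return None
        del self._challenges[challenge_id]          # single use: also voids the magic link
        return ch.contact

    def verify_link(self, challenge_id: str, token: str) -> Optional[str]:
        """Magic-link variant: the URL token is the secret; success consumes the challenge."""
        ch = self._live(challenge_id)
        if ch is None or not hmac.compare_digest(ch.link_hash, _digest(token)):
            return None
        del self._challenges[challenge_id]          # single use: also voids the OTP
        return ch.contact

    def verify_link_url(self, url: str) -> Optional[str]:
        """Accept the full clicked URL as produced by issue()."""
        q = parse_qs(urlparse(url).query)
        return self.verify_link(q.get("cid", [""])[0], q.get("token", [""])[0])


if __name__ == "__main__":
    store = PasswordlessStore()
    cid, otp, link = store.issue("dad@example.com")       # constructed sample contact
    print("would email:", otp, link)
    print("login as:", store.verify_otp(cid, otp))         # the contact
    print("replay:", store.verify_otp(cid, otp))           # None: already consumed
```

Two points worth noting about the design: the OTP and the magic link share one challenge record, so redeeming either one invalidates both, and the attempt cap applies only to the six-digit code because a 256-bit link token cannot be brute-forced online. In a real deployment the store would be a database keyed by challenge id with the same expiry and delete-on-use semantics.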
Why do I like passwordless? It reminds me of my conversations with Dad.
I keep asking him to create secure passwords and manage them as I say, and he keeps complaining that it is hard to remember passwords and keeps asking me the same questions repeatedly:
* why can't I create a simple password as "password123", I have nothing to hide
* why can't I reuse it everywhere, what would someone get by hacking my account
* ok, I will create different strong passwords everywhere. Can I write it in a diary then?
and a very deadly question: why can't I share my password with my friend? He says that all his friends do all those things and they have never been hacked.
When I think more closely, that's the level of awareness or tech experience of most people. Dealing with passwords gives them a headache. It seems like common sense to us developers who are well aware of what happens in the background when we make a login request. When we give those people password-based auth, we expect them to work as per best practices, while in reality they make the worst choices, and this makes password-based auth highly insecure.
I think passwordless fills this gap, makes systems more secure for users who are not that tech savvy. Definitely, passwordless auth goes on top of my list of auth strategies to implement in my next app.
I'm curious what guidelines we can give to end users (similar to my Dad) to make passwordless more secure and easier to use. Although most of the passwordless security I see is on the implementer's side only, if there are any thoughts from the community, I'd love to learn from them.
This is awesome, and I personally have gotten more insight into how the product works from @nevilbutani
This is a great way to access your accounts without remembering any passwords. Congrats on the launch! 👏
@auttomatta thank you. @nevilbutani is the champion; it is only because of him that we are able to showcase SuperTokens so well.
@pradeep_io Thank you so much! It was really fun to work on it! 😃
For me, passwordless is definitely a great thing. The "standard" flow can be so bad:
1. sign up/log in once and use the app for a day
2. not need the password for a year and forget
3. reset the password (which is kind of like a passwordless login), go to step 1
However, when I'm using something every day/week, waiting for the OTP can get annoying.
What's your limit? I prefer using passwords if I'm using something more than once/twice a month.
@mihaly_lengyel1 you can use SuperTokens to implement password-based or social login as well. Which method to use? I think it is not only about the number of times you use the app. That is one parameter; it also depends on your use case, the purpose of the app, how sensitive your data is, how many resources you have to invest in security, the other choices you make for auth, etc. If your use case requires frequent user visits in a day/week, you might also want to think about making longer-lived sessions using refresh tokens. You can do that with SuperTokens by changing a configuration. All in all, passwordless can be a great choice even when you have frequent logins. Do you already have a use case in mind where you need to implement it?
I don't see a way to add a user to orgs / manage orgs / org-roles within an application. Is this possible? This would be a critical component in adopting for SaaS.
Hi @advait_ruia, congrats on the launch 🚀
I am a fan of passwordless and yet I find that in terms of UX is not necessarily better.
With email and password:
1. User signs up with username and password
2. User is in the product
(Assuming email verification can be done asynchronously)
With passwordless:
1. User signs up with email
2. User needs to go out of the product to find the OTP - at this point, many bad things can happen. The user is distracted by another email; the mail gets to spam; the mail takes a few minutes to arrive breaking the flow on the onboarding, etc.
In what sense do you think passwordless has a better UX? Do you know if there is any study comparing the drop-off rate of password and passwordless approaches?
@marco_ancona2 Hey Marco! Passwordless is not always better UX. It depends on your app and your customers.
You are correct that the user may need to switch to another app and get distracted. The flip side is that they may not remember their password, which could also create similar or worse issues.
In certain cases passwords are a better experience, and in other cases passwordless is preferable. E.g., if your user is on a mobile app, sending them an OTP to their phone number allows them to log in without needing to leave the app. The OS will autofill the OTP from the SMS into the app, or at the very least the user will see the OTP as a notification and can type it in without navigating away. In this case, passwordless could be preferable.