I want to set up a passwordless OTP-based login, but I couldn’t find anything in the system, How would you implement this feature?
I appreciate the help
1 Like
By passwordless do you mean using WebAuthn? Web Authentication API - Web APIs | MDN
This would require a necessary data model, code, transitions, ui, and a cursory security audit as needed
I would be interested working on this
Hello Michael,
I believe what @b.chirani is asking for in here is simply no password on login, but rather you enter your usename, and an OTP is sent to you (mostly over SMS) with something like a 6 digit code for one-time use. Once you enter that code it enables login to the system without a password.
Now granted this might be a little less secure, or require different kinds of validation. The nature of the login will be from mobile devices. So I am assume we have other extra options to augment this like biometric checks.
Anyway, if you (or anyone) have insights on this it would be quite valuable.
1 Like
Oh you mean a magic link login
I think conceptually it should not be viewed as OTP as it is equivalent to a password reset (and equally relies on the email provider as a secure method for communication, and OTP can be used in addition to a magic link login. Also OTP codes are short and cross device, but magic links need to be the same browser (according to auth0).
I think the main process is (see based on):
- User enters userName, email, or phone number
- System generates a login token, url, generation time, expiry time, and stores session / browser information
- System uses the information generated to send an email, phone number, push notification, or other contact method configured for secure communication
- User clicks on button, link, or notification
- System checks if the link has the proper login token, is after generation time, but before expiry time, and depending on contact method the correct browser / session / app token
- If the System finds a valid login for the User, the System logs the User in and creates a valid session
- etc. etc.
Then the data modeling and integration with the moqui services etc could be done in more detail