
Register and login with magic link

Open kasbuunk opened this issue 3 years ago • 7 comments

Describe your problem

Our product requires users to be able to register without a password or any other credential. Just provide an email address and click a link. The current workflow is not designed to support registering without any form of credential.

Describe your ideal solution

For quick and easy onboarding, we require users to register and login, providing only an email address and clicking the 'magic link' that's sent to that email address after submitting. By clicking the link, the user proves ownership of that email address, simultaneously verifying their account.

While not as secure as requiring credentials, this is necessary for a high conversion rate at first. Specific, sensitive features may require the user to set up a password or MFA at a later stage. That should be configurable as well, if it's not supported already.

Workarounds or alternatives

Perhaps randomly generate a password on the fly, without the user knowing it. Then add a hook that logs in users after verification.

For any login after registration, one could implement the login flow as a password reset with that hook, each time generating a new password behind the scenes.

Version

v0.10.1

Additional Context

To give a bit more context: we want to provide three levels of security for our users.

  1. For onboarding, users only need to provide an email address and check a box. Now they're "in", so we can provide services that aren't sensitive to security threats.
  2. For more advanced features, we require users to set a password.
  3. For highly sensitive features, such as financial transactions, we require an MFA/2FA authentication method. Which one remains TBD.

kasbuunk avatar Aug 15 '22 11:08 kasbuunk

We currently support passwordless authentication - which is what you're asking for if I understand correctly - with WebAuth. Support for passwordless login via email / SMS will also be introduced!

aeneasr avatar Aug 15 '22 15:08 aeneasr

Is there a projected timeframe for the introduction of passwordless login via email / SMS?

Harwood avatar Aug 19 '22 19:08 Harwood

We currently support passwordless authentication - which is what you're asking for if I understand correctly - with WebAuth. Support for passwordless login via email / SMS will also be introduced!

@aeneasr I'm not asking for passwordless authentication with WebAuthn. In the flow above, there's essentially no other credential than the email address and the user's proof of owning that email by clicking the link. So no public key credential either, which would be the case in WebAuthn.

SMS will probably be a similar flow, though that's less secure IIRC. Both capture the idea of single factor: having the sim card that receives the SMS or knowing the email-password combination that retrieves the email message.

kasbuunk avatar Aug 22 '22 08:08 kasbuunk

@aeneasr can you provide any updates regarding this to clarify regarding @kasbuunk's query and provide a best guess timeframe on implementation?

Thanks,

Harwood avatar Aug 29 '22 22:08 Harwood

Just want to register we're interested in this as well. We serve customers that want to authenticate users for "blue collar" jobs, like for example delivery drivers. We do not want these users to need to create an account explicitly, which would be a requirement if this were set up strictly as a "second factor". If we send them an e-mail with action required, links to those actions should have "one-time-use" tokens embedded in them, or if they visit the application's URL of their own accord, they can request to log in through a "magic link". Hope that's helpful 🙇

StevenLangbroek avatar Sep 18 '22 15:09 StevenLangbroek

Hello all, I still have to verify this with the team, but I think you can use the recovery flow as a workaround. The completed recovery flow sends out an email with a link that will give you a session. You just have to redirect the user immediately to your home or dashboard screen instead of displaying the recovery screen and also tweak the email template so there is no confusion. I am not sure how exactly you can do a "normal" recovery flow then, but it should still be possible.

edit: After clarifying with the team, it is best not to use workarounds like the above, since they are liable to break with further updates. If you would like to open a conversation around sponsoring a feature like this in Ory Cloud, feel free to contact [email protected]

vinckr avatar Sep 19 '22 08:09 vinckr

Also, we are working on an OTP login method via email/sms/out-of-band-comms in this PR: https://github.com/ory/kratos/pull/2645

We generally do not give out timelines for open source features to prevent maintainer burnout @Harwood - a rough timeline would be in Q4 this year. If this is a feature you want to see in your Ory Cloud instance, could you please open an issue here, so we can track it. Thanks!

vinckr avatar Sep 19 '22 09:09 vinckr

Just want to register we're interested in this as well (open source).

vafokroy avatar Sep 23 '22 17:09 vafokroy

I can see that https://github.com/ory/kratos/pull/2645 is merged. Does that mean the feature is implemented?

kasbuunk avatar Oct 24 '22 13:10 kasbuunk

@kasbuunk no, unfortunately not. That PR only provided the basis for this feature and an implementation for the recovery strategy. Login & Verification are the next flows we want to implement this for, though.

jonas-jonas avatar Oct 24 '22 13:10 jonas-jonas

Has there been any progress to do authentication by magic links?

ChrisLahaye avatar Mar 22 '23 16:03 ChrisLahaye

When there is progress you will read it here first @ChrisLahaye. It is known that many users are looking forward to this feature, so it is high in the priority list! You can also watch the Ory changelog: https://changelog.ory.sh/

vinckr avatar Mar 22 '23 16:03 vinckr

Hey team, is this planned for ORY Cloud / Kratos?

sidharthramesh avatar Sep 01 '23 11:09 sidharthramesh

Hi, Ory Network will ship "Login and sign up with magic code" next week to production in a preview! This basically sends a one-time code to the user's email (similar to verification or recovery) and they use it to sign up or sign in.

Magic links we do not plan on supporting because of many issues that come with magic links. However, the experience from magic code is basically the same, and it's much better because it will also work with SMS in the future, and it is more reliable!

https://github.com/ory/kratos/pull/3378

Given this context, I'm closing this issue as done!

aeneasr avatar Sep 01 '23 12:09 aeneasr
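The thread asks for two closely related things: the original request (an email-only login where clicking a one-time link proves ownership of the address) and the maintainers' chosen alternative (a short one-time code sent to the same address). Both rest on the same server-side mechanics, and the security properties that matter are the same for both: the secret is random, it expires, it can be redeemed once, only a hash of it is stored, and a guessable code is protected by an attempt limit. The Go program below is an added example written for this thread; it is not Kratos code and does not use the Kratos API. It assumes one pending secret per email address, that a magic link carries both the email and the token (a constructed URL shape), a constructed 10-minute lifetime, and a constructed limit of five guesses per issued code. All addresses and URLs in it are made-up sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Constructed policy values for this example (not Kratos settings).
const (
	ttl         = 10 * time.Minute // a link or code is only good for this long
	maxAttempts = 5                // guesses allowed per issued secret (matters for 6-digit codes)
)

var (
	ErrInvalid = errors.New("invalid or expired secret")
	ErrUsed    = errors.New("secret already used")
)

// entry is what the server keeps per pending login. The secret itself is
// never stored, only its SHA-256, so a leaked table yields no usable links.
type entry struct {
	hash     [32]byte
	expires  time.Time
	attempts int
	used     bool
}

// Store holds one pending secret per email address (constructed design).
type Store struct {
	mu      sync.Mutex
	entries map[string]*entry
}

func NewStore() *Store { return &Store{entries: map[string]*entry{}} }

func (s *Store) record(email, secret string, now time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[email] = &entry{hash: sha256.Sum256([]byte(secret)), expires: now.Add(ttl)}
}

// IssueLinkToken returns a 256-bit URL-safe token for a magic link.
func (s *Store) IssueLinkToken(email string, now time.Time) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(b)
	s.record(email, tok, now)
	return tok, nil
}

// IssueCode returns a 6-digit "magic code". The keyspace is tiny, so Redeem's
// attempt limit and the short TTL are what make it safe to use.
func (s *Store) IssueCode(email string, now time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.record(email, code, now)
	return code, nil
}

// Redeem validates a secret presented for email. An unknown email, an expired
// or exhausted entry and a wrong secret all return ErrInvalid, so a caller
// cannot learn which of them failed. A reused secret returns ErrUsed.
func (s *Store) Redeem(email, secret string, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[email]
	if !ok || now.After(e.expires) || e.attempts >= maxAttempts {
		return ErrInvalid
	}
	if e.used {
		return ErrUsed
	}
	e.attempts++ // counted before comparing, so failed guesses burn attempts
	h := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(h[:], e.hash[:]) != 1 {
		return ErrInvalid
	}
	e.used = true // single use: the same link or code cannot create a second session
	return nil
}

func main() {
	s := NewStore()
	now := time.Now()
	tok, _ := s.IssueLinkToken("driver@example.com", now) // constructed sample address
	fmt.Println("magic link: https://app.example/login?email=driver%40example.com&token=" + tok)
	fmt.Println("first click :", s.Redeem("driver@example.com", tok, now))
	fmt.Println("second click:", s.Redeem("driver@example.com", tok, now))
}
```

The reason the thread's "generate a random password behind the scenes" workaround is weaker than this is that a password is a long-lived credential with no expiry, no single-use property and no attempt counter; the value emailed to the user above is none of those things, and the hash-at-rest plus constant-time compare means the store itself is not a second copy of the secret.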