TL;DR
This guide shows how to set up mobile app authentication without usernames and passwords, using magic links sent via email or SMS. Removing the password from the login flow is both more secure and easier for users.
How it Works
Instead of asking for a password, we send a unique link (a magic link) to the user’s registered email address or phone number. Clicking this link logs them in automatically. The whole scheme rests on proving that the user controls that email inbox or phone number, so the login is only as strong as the channel that delivers the link.
Step-by-Step Guide
- Choose an Authentication Provider: Several services simplify passwordless authentication. Popular options include:
  - Firebase Authentication: Easy to integrate, especially for Google Cloud users.
  - Auth0: Flexible and supports many features.
  - Amazon Cognito: Good integration with AWS services.
  - Magic (magic.link): Dedicated passwordless authentication service.
For this example, we’ll outline the general process using Firebase Authentication as it’s widely used and free for basic use.
- Set up your Project in the Provider: Create a new project within your chosen provider (e.g., Firebase). Configure authentication settings to enable email/SMS passwordless login.
  - In Firebase, go to Authentication > Sign-in method and enable ‘Email/Link’.
  - Configure the email template for the magic link. Customize it with your branding.
- Integrate the SDK into Your Mobile App: Add the provider’s SDK to your iOS or Android project.
  - Android (using Gradle): Add the Firebase Authentication dependency to your app’s build.gradle file:

```groovy
implementation 'com.google.firebase:firebase-auth:22.3.0'
```

  - iOS (using Swift Package Manager or CocoaPods): Follow the provider’s documentation for installation instructions.
- Implement the Email/SMS Link Request Flow: When the user tries to log in, prompt them for their email address or phone number. Then:
  - Call the provider’s function to send a magic link (e.g., Firebase’s sendSignInLinkToEmail):

```java
FirebaseAuth firebaseAuth = FirebaseAuth.getInstance();
// Firebase requires ActionCodeSettings: the link must open in the app and
// the URL's domain must be listed as an authorized domain in the Firebase console.
ActionCodeSettings settings = ActionCodeSettings.newBuilder()
        .setUrl("https://example.com/finishSignIn")
        .setHandleCodeInApp(true)
        .setAndroidPackageName("com.example.app", true, null)
        .build();
firebaseAuth.sendSignInLinkToEmail(email, settings)
        .addOnCompleteListener(task -> {
            if (task.isSuccessful()) {
                // Link sent successfully! Keep the email locally so the sign-in
                // can be completed on this device when the link opens the app.
                prefs.edit().putString("pending_email", email).apply();
            } else {
                // Handle errors (task.getException() describes the failure)
            }
        });
```

  - Display a message to the user informing them that a link has been sent to their email/phone.
- Handle the Magic Link: When the user clicks the magic link:
  - The link will redirect them back to your app (using a custom URL scheme or Universal Links).
  - Your app needs to handle this redirection. Example in Android’s Manifest file, inside the activity that finishes sign-in:

```xml
<intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <!-- A custom scheme can be claimed by any installed app; see Security Considerations -->
    <data android:scheme="your-app-scheme"/>
</intent-filter>
```

  - Call the provider’s function to complete the sign-in process (e.g., Firebase’s signInWithEmailLink):

```java
// In the Activity that receives the link (e.g., in onCreate)
String emailLink = getIntent().getDataString();
if (emailLink != null && firebaseAuth.isSignInWithEmailLink(emailLink)) {
    // Use the email saved when the link was requested; Firebase checks it matches the link
    String email = prefs.getString("pending_email", null);
    firebaseAuth.signInWithEmailLink(email, emailLink)
            .addOnCompleteListener(task -> {
                if (task.isSuccessful()) {
                    // Sign-in successful!
                    prefs.edit().remove("pending_email").apply();
                } else {
                    // Handle errors (expired or already-used link, mismatched email)
                }
            });
}
```
- Store User Data: Once signed in, store the user’s information securely (e.g., in a database).
- Implement Error Handling: Handle potential errors gracefully:
  - Invalid email/phone format.
  - Link expired.
  - User doesn’t exist.
  - Network issues.
- Security Considerations:
  - Link Expiration: Set a short expiration time for magic links (e.g., 15-30 minutes), so a link left in an inbox is not a standing credential.
  - Rate Limiting: Limit the number of link requests from a single email/phone to prevent abuse such as flooding a user’s inbox or probing which addresses are registered.
  - Email Verification: Ensure users verify their email address before enabling passwordless login.
  - Universal Links (iOS): Use Universal Links instead of custom URL schemes for better security and user experience; a custom URL scheme can be registered by any app on the device, whereas Universal Links are tied to a domain you control.
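The considerations above (expiry, rate limiting, binding the link to the address that requested it) and the error cases in the previous step are what a provider like Firebase implements on its backend. The following is an added example, not code from this guide or from Firebase, showing a minimal server-side issuer and verifier for magic-link tokens so the mechanics are visible. The in-memory “database”, the `base_url`, the injectable `clock`, and the limits are constructed for illustration; the link is returned instead of being emailed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

LINK_TTL_SECONDS = 15 * 60      # links expire after 15 minutes (assumed value)
MAX_REQUESTS_PER_WINDOW = 3     # per email address ...
RATE_WINDOW_SECONDS = 10 * 60   # ... in any 10-minute window (assumed value)


@dataclass
class PendingLink:
    token_hash: str
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues and verifies single-use, expiring magic-link tokens.

    Illustrative only: storage is an in-memory dict and 'sending' the link
    means returning the URL instead of emailing it.
    """

    def __init__(self, base_url, clock=time.time):
        self.base_url = base_url
        self.clock = clock            # injectable so expiry can be exercised in tests
        self.pending = {}             # token_hash -> PendingLink
        self.request_log = {}         # email -> timestamps of recent requests

    @staticmethod
    def _hash(token):
        # Store only a hash: a leaked table must not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_link(self, email):
        """Rate-limit, mint a random token, record its hash, return the link."""
        now = self.clock()
        email = email.strip().lower()
        if "@" not in email:
            raise ValueError("invalid email format")
        recent = [t for t in self.request_log.get(email, [])
                  if now - t < RATE_WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            raise PermissionError("too many link requests; try again later")
        self.request_log[email] = recent + [now]
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        token_hash = self._hash(token)
        self.pending[token_hash] = PendingLink(token_hash, email,
                                               now + LINK_TTL_SECONDS)
        return f"{self.base_url}?token={token}"

    def redeem(self, email, token):
        """Verify a clicked link; returns the signed-in email or raises."""
        now = self.clock()
        email = email.strip().lower()
        entry = self.pending.get(self._hash(token))
        if entry is None:
            raise PermissionError("unknown link")
        if entry.used:
            raise PermissionError("link already used")
        if now > entry.expires_at:
            raise PermissionError("link expired")
        # Bind the link to the address that requested it, as Firebase does
        # when the client supplies the saved email at completion time.
        if not hmac.compare_digest(entry.email.encode(), email.encode()):
            raise PermissionError("link was not issued to this address")
        entry.used = True                  # single use: a replayed link fails
        return entry.email
```

The order of checks matters: the rate limit runs before any token is minted, and the expiry and single-use checks run before the email comparison, so every failure maps to one of the error cases listed in the guide.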
Further Improvements
- Multi-Factor Authentication: Add an extra layer of security with a one-time password sent via SMS or email after the magic link is used (delivered over a different channel than the one that carried the link, otherwise it only proves the same inbox twice).
- Social Login Integration: Allow users to sign in using their existing social media accounts (e.g., Google, Facebook).