
A classic approach to user authentication that doesn’t rely on the password credential.
While Passkeys represent the latest generation of passwordless workflows, the classic approaches of Magic Link (typically via Email) and OTP still offer relevant alternatives.

Hi, I’m Peter Fernandez, and as a CIAM expert, I want to share my experience building Passwordless User Authentication into modern applications.
Magic Link
A Magic Link is a unique URL sent to a user’s email or phone, which, when clicked, automatically authenticates that user without requiring a password. Magic Links can be used in all kinds of different scenarios ranging from first-factor authentication to user registration, invite workflow, device/email verification, and beyond.
OTP
OTPs are temporary, one-time-use passcodes sent to users via email, SMS, or via authentication apps. The user enters this code during the authentication process (as part of credential validation) to gain application access. Like Magic Links, OTPs can be used in various scenarios beyond first-factor, including continuous authentication and 2FA.
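The Magic Link and OTP descriptions above both depend on a server-side challenge that is unguessable, short-lived and usable only once. The following is an added example, not code from the original post or from any vendor. The class name `PasswordlessStore`, the 10-minute lifetime, the five-guess limit, the callback URL and the in-memory dictionaries are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TTL_SECONDS = 600      # assumed lifetime; the post gives no figure
MAX_OTP_ATTEMPTS = 5   # assumed guess limit for the 6-digit code

class PasswordlessStore:
    """Hypothetical in-memory stand-in for a server-side challenge table."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._links = {}   # sha256(token) -> (user, expires_at)
        self._otps = {}    # user -> [sha256(code), expires_at, attempts_left]

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def issue_magic_link(self, user, base_url="https://app.example/auth/callback"):
        token = secrets.token_urlsafe(32)  # 256 random bits from the CSPRNG
        # Only the hash is stored, so a leaked table does not yield live links.
        self._links[self._digest(token)] = (user, self._clock() + TTL_SECONDS)
        return f"{base_url}?token={token}"

    def redeem_magic_link(self, token):
        # pop() removes the entry on first use, so a replayed link fails.
        entry = self._links.pop(self._digest(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        return user if self._clock() <= expires_at else None

    def issue_otp(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + TTL_SECONDS
        self._otps[user] = [self._digest(code), expires_at, MAX_OTP_ATTEMPTS]
        return code

    def verify_otp(self, user, code):
        entry = self._otps.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._otps[user]   # expired or guessed too often: discard
            return False
        entry[2] -= 1              # every attempt counts against the limit
        if hmac.compare_digest(digest, self._digest(code)):
            del self._otps[user]   # one-time use
            return True
        return False
```

The attempt limit matters more for the OTP than for the link: a 6-digit code has only a million possible values, while the link token is too long to guess.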
First-Factor and Beyond
Passwordless doesn’t just stop at first-factor authentication. Magic Link, for example, can be used to enable out-of-band workflows for mobile apps and the like that initiate ad-hoc user interaction as part of progressive profiling, while OTP interactions (via email or SMS) can be used as part of identity validation for account linking scenarios.
Buy vs DIY
You could build an in-house custom solution yourself; it’s certainly an option, particularly if you have a team with the time, capacity, knowledge, and expertise to develop SSO; deploy and maintain Attack Protection; leverage OIDC and/or SAML for Authentication, Social and/or (Enterprise) Federation; implement Passwordless, Passkeys and/or MFA; and optionally OAuth 2.0 for API Authorization.
The alternative is to integrate with a SaaS solution provided by one of the popular vendors, and the cost of subscribing to one of these typically depends on the features you use and the number of active consumer identities you have.
With vendor-based CIAM the cost is typically associated with the platform hosting the backend service(s) that deliver Authentication, Authorization, Management and Protection from attack. With consumer-oriented software, much of this infrastructure is already in place: cloud-based “compute”, database, network resources, etc. could be a necessity for your solution, and delivering these at scale may be something you also need to do.
Deploying a standards-based open-source DIY solution within your existing infrastructure might provide a more cost-effective approach — delivering secure and robust CIAM without the need to build everything yourself and with the added benefit of more flexibility and control.
Got questions?
Feel free to reach out!