Passwordless login with Phoenix

Passwordless login is, as you might have guessed, a login without a password. The flow is similar to “Recover password”: you submit an email address and you receive a URL to access the system. As simple as that.
This process became more popular when Medium started offering this login strategy instead of using a password, which has some security complexities, or login with Twitter or Facebook, which is not that simple and not everyone uses or trusts this way of logging in on any system.
You can get more posts explaining why passwords are not always a good option by checking ‘Signing in to Medium by email’ and ‘Why passwords suck.’
But here we are, talking about how to do this Phoenix-style. Want to know what this is about? Check the full article: http://inaka.net/blog/2016/07/27/passwordless-login-with-phoenix/

3 Likes

So you are sent a link that essentially logs you in when clicked - then when you want to visit the site again and login you click the link again?

I didn’t read the blog post yet, but no… you wouldn’t want to let the user click the same link more than once. The user enters their email address, the system sends them an email with a one-use link, they click on that and they now have a user session for however long you normally let someone have a user session. If they logout of the system and then want to login again, you send them a fresh link.

1 Like
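
The one-use link flow described in the reply above, as an added example (not from the posts or the linked article). The module and function names and the 15-minute lifetime are assumptions, and an in-memory map stands in for the database table a Phoenix app would use.

```elixir
defmodule MagicLink do
  # Added illustration; names and the lifetime below are hypothetical.
  @ttl_seconds 15 * 60

  # Issue a token for an email address. Returns {raw_token, updated_store}.
  # Only the SHA-256 of the token is kept, so a leaked store cannot be
  # replayed as working login links.
  def issue(store, email, now \\ System.system_time(:second)) do
    token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)

    # A fresh request replaces any link still outstanding for this address.
    store =
      store
      |> Enum.reject(fn {_hash, entry} -> entry.email == email end)
      |> Map.new()
      |> Map.put(digest(token), %{email: email, expires_at: now + @ttl_seconds})

    {token, store}
  end

  # Redeem a token. A matching entry is removed whether or not it is still
  # valid, so a second click on the same link always fails.
  def redeem(store, token, now \\ System.system_time(:second)) do
    case Map.pop(store, digest(token)) do
      {nil, store} -> {{:error, :invalid}, store}
      {%{expires_at: exp}, store} when exp <= now -> {{:error, :expired}, store}
      {%{email: email}, store} -> {{:ok, email}, store}
    end
  end

  defp digest(token), do: :crypto.hash(:sha256, token)
end

# Constructed walk-through with fixed timestamps (seconds).
{token, store} = MagicLink.issue(%{}, "user@example.com", 1_000)

# First click within the lifetime: the caller would now start a session.
{{:ok, "user@example.com"}, store} = MagicLink.redeem(store, token, 1_060)

# Second click on the same link is rejected.
{{:error, :invalid}, _} = MagicLink.redeem(store, token, 1_061)

# A link left unused past its lifetime is rejected as well.
{late, store2} = MagicLink.issue(%{}, "user@example.com", 2_000)
{{:error, :expired}, _} = MagicLink.redeem(store2, late, 2_000 + 15 * 60)
```

With a real database the lookup and delete in `redeem/3` need to happen in one transaction, otherwise two concurrent clicks could both succeed.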

Ah right thanks - that’s interesting.

This looks similar to Slack’s “Click the magic link” login, which is pretty handy. I haven’t thought of security implications, but Slack’s doing it - and 3 billion can’t be wrong…right?

Also, could this be used in a simple two-factor workflow?

I don’t see why not. It would be like any other typical two-factor process.