Skip to main content
Auth0 allows you to configure email and phone-based passwordless authentication directly on a database connection. Rather than creating a separate connection for one-time password (OTP) authentication, you can offer passwordless login directly from your database connection. This reduces implementation complexity and simplifies the login experience for end-users.
Passwordless for database connections is not supported for use with Classic Login.

How it works

Auth0 uses an Identifier-First Authentication approach in which users are verified with OTP authentication:
  1. An end user enters an identifier to login with Auth0’s Universal Login.
  2. Auth0 looks up the authentication methods for each identifier configured on your database connection.
  3. The user is presented with the most suitable option based on the default_method and available authentication methods (for example, receive an OTP by email or phone or provide a password).
  4. If OTP is the determined authentication method, Auth0 sends a code to the user’s email or phone.
  5. The user enters the code and is authenticated. If you’ve configured passkeys, the user is prompted for progressive passkey enrollment.

Before you start

Configure attributes (identifiers)

When configuring email and phone-based passwordless authentication on database connections, you must first determine which attribute(s) you want end-users to provide during signup and login. Review the identifier type and corresponding authentication method:
IdentifierAuthentication Method(s)
EmailPassword, Email OTP, Passkey
PhonePassword, Phone OTP, Passkey
UsernamePassword
For email and phone identifiers, if password is not enabled, you must have OTP verification enabled for sign up. You can configure email and phone attributes as optional on signup, so users can sign up with just an email or just a phone number. When a user authenticates via email OTP, email_verified is automatically set to true on their profile. When a user authenticates via phone OTP, phone_verified is automatically set to true.
If you want end-users to authenticate with passkeys, you must have an alternative authentication method configured, such as email or phone. Passkey-only authentication is not supported.
To learn more, read Activate and Configure Attributes for Flexible Identifiers.

Create a new database connection

If you do not have an existing database connection, create one using the Auth0 Dashboard or Management API.
  1. Navigate to Auth0 Dashboard > Authentication > Database. Choose Create DB Connection to create the connection.
  2. Enter a unique name for your connection.
  3. Choose one or more attributes for end-users to log in or sign up.
  4. Select your authentication method(s). You can further configure these methods once you’ve created the connection.
  5. Toggle on Disable Sign Ups if you don’t want users to sign up using public endpoints.
  6. Toggle on Promote Connection to Domain Level if you want to use this connection with third-party applications.
  7. Select Create.
For a true passwordless connection, complete the following additional steps:
  1. In your new connection, select the Attributes tab.
  2. To disable Username as an identifier, select Configure and toggle off Use Username as Identifier.
  3. To configure Email and Phone identifiers, select Configure.
  • For Email attributes, select One-Time Password (OTP) under Verification Methods and enable Verify email on sign up for true passwordless configuration. This ensures email_verified is automatically set so users are always prompted for OTP on login and signup.
  1. Select Save.
  2. Configure settings for authentication methods that correspond to the chosen identifiers. You cannot disable password unless you have phone_otp and/or email_otp configured.
  3. Under Password settings, select Policy and choose Block for:
    • Password on Login
    • Password on Signup
    • Self-service change password (updates automatically)
  4. Toggle on Support users without a password.
    You may get an error if you do not toggle on Support users without a password.
  5. Select Save. In the prompt, select Continue to confirm you understand that existing users may be affected.
  6. Navigate to the Applications tab and enable the connection for your application or API.

Update existing connections

If you have current database connections, update the settings for passwordless in the Auth0 Dashboard or Management API.
  1. Open the connection: Navigate to Auth0 Dashboard > Authentication > Database and select the connection you want to update.
  2. Activate Attributes: Under the Attributes tab, select Activate to enable the New Attributes Configuration.
  3. Add Email and Phone attributes: Choose + Add Attributes and add Email and Phone Number if they are not already present.
    For a true passwordless (OTP) connection, the username identifier is not supported.
  4. Enable OTP authentication methods: Under the Authentication Methods tab:
    • Configure Phone to Allow Phone OTP and save your changes.
    • Configure Email to Allow Email OTP and save your changes.
  5. Block password authentication: Under Password settings, choose Policy and select Block for:
    • Password on Login
    • Password on Signup
    • Self-service change password
    Toggle on Support users without a password.
    You may get an error if you do not toggle on Support users without a password.
  6. Save: Select Save.

Use Auth0 Actions

For more insight into passwordless authentication factors on database connections, configure attributes with Auth0 Actions.

Post-login trigger

The post-login trigger fires after a user authenticates but before the authorization server returns a token. The event.authentication object in Auth0 Dashboard > Actions > Triggers > Post Login exposes the following methods:
MethodParameterDescription
Email OTPemailEmail OTP used to authenticate the user as the first factor.
Phone OTP with textsmsPhone OTP (SMS) used to authenticate the user as the first factor.
Phone OTP with voicetelPhone OTP with voice used to authenticate the user as the first factor.
PasswordpwdPassword used to authenticate the user as the first factor.
email_verified and phone_verified are set automatically on the user profile when a user authenticates via email OTP or phone OTP. If you previously used a post-login Action to manually set these flags, you can remove that workaround.
Use event.authentication to:
  • Detect which passwordless factor the user completed (email, sms, tel, or pwd)
  • Add custom claims to tokens based on the authentication method
  • Conditionally run logic based on how the user authenticated

Example

The following example reads event.authentication.methods to detect which passwordless factor the user completed and adds it as a custom claim on the ID token. 
exports.onExecutePostLogin = async (event, api) => {
  if (!event.authentication?.methods || event.authentication.methods.length === 0) {
    return;
  }

  if (event.connection.name !== 'YOUR_AUTH0_CONNECTION') {
    return;
  }

  const firstFactor = event.authentication.methods[0];

  if (firstFactor.name === 'email') {
    api.idToken.setCustomClaim('https://your-app.com/auth_method', 'email_otp');
  } else if (firstFactor.name === 'sms' || firstFactor.name === 'tel') {
    api.idToken.setCustomClaim('https://your-app.com/auth_method', 'phone_otp');
  } else if (firstFactor.name === 'pwd') {
    api.idToken.setCustomClaim('https://your-app.com/auth_method', 'password');
  }
};

Post-challenge trigger

The post-challenge trigger fires after users complete a challenge, such as password reset, phone validation, or MFA. The event.authentication object in Auth0 Dashboard > Actions > Triggers > password-reset-post-challenge exposes the following attributes:
AttributeParameterDescription
EmailemailPassword reset with email OTP or magic link.
Phonephone_numberPassword reset with phone OTP.

Example

The following example reads event.authentication.methods to detect which passwordless factor completed the challenge and adds it as a custom claim on the ID token. 
exports.onExecutePostChallenge = async (event, api) => {
  if (!event.authentication?.methods || event.authentication.methods.length === 0) {
    return;
  }

  if (event.connection.name !== 'YOUR_AUTH0_CONNECTION') {
    return;
  }

  const firstFactor = event.authentication.methods[0];

  if (firstFactor.name === 'email') {
    api.idToken.setCustomClaim('https://your-app.com/challenge_method', 'email_otp');
  } else if (firstFactor.name === 'phone_number') {
    api.idToken.setCustomClaim('https://your-app.com/challenge_method', 'phone_otp');
  }
};

Benefits

  • Simplified Implementation: Fewer connections to configure and maintain. No need for account linking unless using social/federated connections in conjunction with database connections.
  • Improved User Experience: Offer combinations of email and phone-based OTP with passwords, passkeys, and social/federated login all from the same identifier-first experience in Universal Login.
  • Flexible Signup Flows: Configure email and phone attributes as optional on signup, allowing users to sign up with just an email or just a phone number — ideal for mobile-first or email-only experiences.
  • Voice OTP: Voice OTP is included as a first factor when configured in the Unified Phone Experience.

Limitations

  • Available for Universal Login-based flows only; not yet supported for API-based authentication.
  • Passwordless for database connections is not supported for use with Classic Login.
  • Passwordless for database connections does not support Implicit Signup & Login.
  • In legacy passwordless connections, there was no difference in user experience between signup and login. Database connections distinguish between the signup and login experience, which requires explicit signup and login.
    • If a user without an Auth0 identity enters the login flow, the system will not automatically sign them up. The user receives an error after validating the OTP.
    • If a user with an Auth0 identity enters the signup flow, the user receives an error after validating the OTP.

Learn more