Actions can be used to implement passwordless authentication, where Authsignal serves as the primary authentication method instead of traditional passwords. This approach eliminates password-related security risks while providing a smooth user experience.

Passwordless login flow

In a passwordless flow, you track an action to initiate the authentication challenge directly, without validating a password first.

Implementation

  1. Look up the user by their identifier (email, username) in your database or external identity provider
  2. Track the authentication action for the identified user:
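     // `authsignal` is your initialized Authsignal server SDK client.
     const request = {
       // ID of the user found in step 1
       userId: "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
       action: "signIn",
       attributes: {
         // Where the user is sent after completing the challenge
         redirectUrl: "https://yourapp.com/callback",
       },
     };

     const response = await authsignal.track(request);

     // URL of the challenge to launch
     const url = response.url;
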
  3. Handle the response based on the action state:

    • If CHALLENGE_REQUIRED: Present the authentication challenge
    • If ALLOW: Complete the login (user may have been auto-authenticated)
    • If BLOCK: Deny access
    • If REVIEW: Review the challenge
  4. Follow the standard integration steps covered in actions getting started to launch the challenge URL and validate the result
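
The response handling described above, as an added example that is not Authsignal's own code: only ALLOW completes the login, CHALLENGE_REQUIRED hands back the challenge URL without creating a session, and an unknown state or a failed track() call denies. The function names, outcome labels, the stub client, the `state` field name and the choice to hold REVIEW without a session are assumptions made for the illustration.

```javascript
// Pure mapping from a track() response to what the login handler may do next.
// Only ALLOW may create a session immediately; everything else withholds it.
function decideLogin(response) {
  const state = response && response.state;
  switch (state) {
    case "ALLOW":
      return { outcome: "complete_login" };
    case "CHALLENGE_REQUIRED":
      // No session yet: the challenge result must still be validated server-side.
      if (typeof response.url !== "string" || !response.url.startsWith("https://")) {
        return { outcome: "deny", reason: "challenge state without a usable url" };
      }
      return { outcome: "present_challenge", url: response.url };
    case "REVIEW":
      // Assumption: REVIEW means no session is issued until the action is reviewed.
      return { outcome: "hold_for_review" };
    case "BLOCK":
      return { outcome: "deny", reason: "blocked by rule" };
    default:
      // Unknown or missing state: never fall through to a logged-in session.
      return { outcome: "deny", reason: "unrecognised state" };
  }
}

// Hypothetical wrapper: `client` is anything exposing track(), e.g. the SDK client.
async function startPasswordlessLogin(client, userId) {
  try {
    const response = await client.track({
      userId,
      action: "signIn",
      attributes: { redirectUrl: "https://yourapp.com/callback" },
    });
    return decideLogin(response);
  } catch {
    // A failed call to the service must not become an implicit allow.
    return { outcome: "deny", reason: "track failed" };
  }
}

// Constructed stub standing in for the SDK client so the example runs offline.
const stubClient = {
  track: async () => ({ state: "CHALLENGE_REQUIRED", url: "https://challenge.example/abc" }),
};
startPasswordlessLogin(stubClient, "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833")
  .then((decision) => console.log(decision.outcome));
```
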

Combining passwordless with rules

You can combine rules with actions to create passwordless flows:

Progressive authentication

  • Low risk: Email magic link
  • Medium risk: Email OTP or SMS
  • High risk: Passkey authentication

Context-aware authentication

  • Known devices: Auto-allow or simple OTP
  • New devices: Require passkey or stronger authentication
  • Suspicious activity: Block or require multiple factors