Secondary Authentication Methods

SMS and Email Login methods can be used as secondary authentication methods when a passwordless login option is unavailable or encounters issues

At Passage, we offer users the option to use SMS, Email, and social connections as secondary authentication methods in addition to the option for a fully passwordless experience with no fallback. These methods can serve as backup authentication, allowing access through conventional means such as magic links or login codes in case passwordless options encounter any issues. Using a secondary authentication method is essential for ensuring a seamless and dependable login experience, enhancing security, convenience, and accessibility while reducing reliance on traditional password solutions.

Magic links are unique, one-time login links generated for website authentication. Instead of requiring users to enter passwords manually, these links include built-in passwords that are triggered upon clicking. To log in, users enter their email address or phone number and receive a message containing the unique link. By clicking the link, users are instantly logged in within the current session and in the initiating browser session.

Login Codes

Login codes, often referred to as one-time passwords (OTPs), allow users to input their email address or phone number and receive a 6-digit code via message. They enter this code in their original session to gain access to the application.

To bolster security, these codes come with an expiration time that you can configure within the console. Additionally, each code is designed for single-use only, further enhancing the level of protection.

Login codes are particularly beneficial for applications with a mobile-heavy user base, as most mobile platforms automatically autofill or copy login codes from text and email messages. This reduces context switching for users and enhances the login experience.

Social Login

Social login allows users to login using their Google or Github accounts. Clicking the corresponding login buttons, redirects users to the social provider's sign in page.

Social logins benefits include a rich and robust user profile for use from the social providers upon authentication. Data is automatically synced with their social accounts providing up to date information for use in your application or reporting. Learn how to enable social connections here.


When SMS and Email Logins are disabled, the element will perform a compatibility check to determine if the current browser or platform supports passkeys. If passkeys are not supported on the device, a screen will be displayed, informing users that passkeys are required for login but cannot be used on their device.

When passkeys are available and compatible, the standard login/register prompt will be shown. However, if there is a failure during passkey creation or login, users will be presented with the "Try Again" option instead of being redirected to a magic link or login code flow, as described earlier.

We only recommend selecting this option when you are implementing Passkey Flex and have a secondary login system to fall back on. This ensures a smooth user experience in case passkeys are not feasible or encounter any issues.

Last updated