Passwordless authentication

Please let me know what you think of this approach. I’m not absolutely sure what Bubble is actually doing behind the scenes, so I can’t be certain this process works the way I think it’s working.

Hokay, so, I’m trying to “hack” Bubble’s system to provide a “passwordless” experience for the user.

The rationale is that password-based security rests almost entirely on the uniqueness and security of the user’s email inbox anyway. It doesn’t matter how many special characters they use if a malicious actor gets into their mailbox and requests a password reset email. Day-to-day security depends on the token in the user’s browser.

Bubble requires an email+password combo so for pseudo-passwordless I need a password but I’m not going to give it to the user. I’m going to generate a random or temporary password on the fly, store it, and never refer to it again. If the user has to re-authenticate they’ll just get logged out and go back through the “click a link in your email” process.

It starts with the Sign Up popup. The only field that matters is Input Email.

If the user already has an account, and wants to log in again under the same email, we’ve got a problem. Bubble needs the email+password that’s already stored in the database to log the user in. So instead of using the Log User In action we’re going to use the Reset Password action. That’s what the whole system relies on for security anyway.

On the password reset page, we’ll give the user a temporary password and then feed that into Bubble to be stored as their actual password. The user never types in a password or even knows what the new password is.


we’ll also reset the trust_time variable

On the index page, we can set a couple of conditions to log the user out if their email confirmation is “no” or they’ve been logged in too long.

8 Likes

I’ve been contemplating doing this same thing for a subset of my users… Looks good so far!

Genius! I like it a lot.
So in practice, the user’s login stays remembered (in the cookie), but if the user tries to log in on a new computer, they click the reset password and then click the link sent in the email?

I’m not sure if the user can be logged in on multiple browsers at the same time. I think they can, because it would take extra logic for Bubble to log people out and nothing indicates Bubble does that.

EDIT - in practice, the user can be logged in from more than one browser simultaneously.

1 Like

Good point. They would only be logged out when the session expires.

1 Like

Excellent work! Your method seems like it would work perfectly for those of us trying to use a phone number to authenticate users in a mobile app (the only difference being that the user would be logged in using a phone # instead of email). When the password reset is initiated via email, could we prompt a workflow to have them enter a unique code (which would be sent to them via Twilio)?

1 Like

Thanks, but it’s not working the way I’d like it to.

I’m having to sign up and then also log in. So the user has to click on two emailed links to get logged in. For some reason the first link isn’t doing the job.

So the first link, the one sent to verify email during sign up, isn’t logging them in.
The second link, the one to reset their password, that does get them logged in.

EDIT - I got that two-email thing fixed so it normally only requires one email now.

1 Like

Yes, it appears that Bubble doesn’t yet allow alterations to their login flow. We wanted to use Twilio to text a code during password reset; sadly, email appears to be the only way for now.

1 Like

Hey mate,

Would you be able to update this guide to reflect what you’ve learnt since last year? Pros/Cons?

I’m looking to migrate a very large user base to Bubble, and I will be migrating user accounts (without passwords). This seems like a great solution to ensure a seamless relaunch and an elegant and modern passwordless authentication workflow.

1 Like

I stopped trying to use a passwordless flow. It’s not something Bubble wants to support and even if I could have hacked it together properly they might have changed something to invalidate it. They definitely wouldn’t have supported any troubleshooting of my hack(s).

You can generate passwords for users, so if your users are okay with making replacement passwords it should be just like any other signup process.

1 Like

This is really too bad. The lessons from Twitter’s Digits service seem to be that sign-ups on apps increase by 40-50% and many users actually welcome giving their phone number, which is a big get. Digits is now tied into Firebase Phone Authentication, which has auto sign-in with fingerprint on Android and is coming to iOS. Using Firebase, managed by Google, seems like a great plugin and way to manage users.

1 Like