Passwordless authentication with email OTP
Hello everyone,
I am an Authentik user and I am considering alternatives because I cannot make this workflow work in Authentik and honestly it's hard to use it. 
I manage my users manually. I create the users in Authentik with the respective emails. No passwords.
The flow is supposed to be fail proof for non-tech people. I am trying to make my parents use Immich without having to remember passwords.
So basically it would work like this:
1. User opens Immich (or any other webapp with OIDC)
2. User enters email address
3. User receives a temporary code
4. User enters the code in Zitadel/SSO login page
5. User is logged in to Immich.
Bonus points if the user can log in by clicking on a link sent via email instead of a temporary code.
Is this possible? 
Thanks in advance!
6 Replies
Hi @csgoexpert, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
---
Yes, ZITADEL supports email-based One-Time Password (OTP) authentication, which aligns with your workflow requirements (1) (2).
ZITADEL's hosted login page supports OTP via email as a second factor authentication method (1). When you enable "One Time Password with Email (Email OTP)" in the multifactor settings, users can authenticate using a temporary code sent to their email.
The authentication flow you described can work with ZITADEL's hosted login UI (3). Users can enter their email address (or username), and if Email OTP is configured as an authentication method, they'll receive a temporary code to complete login (1) (2).
To enable this:
1. Configure Email OTP in your default settings under "Login Behavior and Access" → "Multifactor (MFA)" section (1)
2. Enable "One Time Password with Email (Email OTP)" as a second factor
3. Ensure your SMTP notification settings are properly configured
ZITADEL also supports passwordless authentication with passkeys (FIDO2/WebAuthn) as an alternative, which provides a phishing-resistant and convenient authentication method (2). However, based on your specific requirement for email-based codes, the Email OTP feature should meet your needs (1) (2).
Note: The sources don't explicitly mention a "magic link" option where users click a link in the email instead of entering a code. The documented method requires users to enter the OTP code they receive via email (1) (4).
To learn more, see the sources I considered:
[1] ZITADEL Default Settings
[2] Features
[3] Login users into your application with a hosted login UI
[4] Add One-Time Password (OTP) Email
Feel free to tag @Ask Inkeep with additional questions.
hey @csgoexpert thanks for your question and welcome to the server.
There are various ways to setup/invite users and login with OTP. You can read about it here
https://zitadel.com/docs/guides/integrate/onboarding/end-users#manually-addinvite-users
BUT that being said, I am confused if you want to have a login always with email-code-only login flow where users enter their email, receive a temporary code via email, and then enter that code to authenticate through zitadel's hosted login? Or is it just when a new user tries logging in for the first time?
There's no way to JUST use SMS as login as such, you can add a passkey to make it passwordless. I will check with my team tho (maybe I will get back Monday with more info) but for now, pls give the above doc a read and lmk if that helped.
Thanks
something like this I believe

this was a new user created on login
@Rajat I want users to login all the time via the email code
hey @csgoexpert No, zitadel doesn’t support “email code as the only (first-factor) login”. Email OTP exists as a verification/MFA factor, not as a standalone primary sign-in method. You can enforce Email OTP as second factor via the login policy, but users still need a primary method (password, passkey, or IDP).