Passwordless authentication with email OTP

Hello everyone,

I am an Authentik user and I am considering alternatives because I cannot make this workflow work in Authentik and honestly it's hard to use it.

I manage my users manually. I create the users in Authentik with the respective emails. No passwords.
The flow is supposed to be fail proof for non-tech people. I am trying to make my parents use Immich without having to remember passwords.

So basically it would work like this:

User opens Immich (or any other webapp with OIDC)
User enters email address
User receives a temporary code
User enters the code in Zitadel/SSO login page
User is logged in to Immich.

Bonus points if the user can login by clicking on a link sent via email instead of a teporary code.

Is this possible?

Thanks in advance!

Ask Inkeep•10/9/25, 3:11 PM

Hi @csgoexpert, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•10/9/25, 3:11 PM

Answer

---

Yes, ZITADEL supports email-based One-Time Password (OTP) authentication, which aligns with your workflow requirements (1) (2) .

ZITADEL's hosted login page supports OTP via email as a second factor authentication method (1) . When you enable "One Time Password with Email (Email OTP) " in the multifactor settings, users can authenticate using a temporary code sent to their email .

The authentication flow you described can work with ZITADEL's hosted login UI (3) . Users can enter their email address (or username) , and if Email OTP is configured as an authentication method, they'll receive a temporary code to complete login (1) (2) .

To enable this:

Configure Email OTP in your default settings under "Login Behavior and Access" → "Multifactor (MFA) " section (1)
Enable "One Time Password with Email (Email OTP) " as a second factor
Ensure your SMTP notification settings are properly configured

ZITADEL also supports passwordless authentication with passkeys (FIDO2/WebAuthn) as an alternative, which provides a phishing-resistant and convenient authentication method (2) . However, based on your specific requirement for email-based codes, the Email OTP feature should meet your needs (1) (2) .

Note: The sources don't explicitly mention a "magic link" option where users click a link in the email instead of ent

Ask Inkeep•10/9/25, 3:11 PM

ering a code. The documented method requires users to enter the OTP code they receive via email (1) (4) .

Ask Inkeep•10/9/25, 3:11 PM

To learn more, see the sources I considered:

[1] ZITADEL Default Settings
[2] Features .
[3] Login users into your application with a hosted login UI
[4] Add One-Time Password (OTP) Email

Ask Inkeep•10/9/25, 3:11 PM

Feel free to tag @Ask Inkeep with additional questions.

Rajat•10/10/25, 12:20 PM

hey @csgoexpert thanks for your question and welcome to the server.
There are various ways to setup/invite users and login with OTP. You can read about it here
https://zitadel.com/docs/guides/integrate/onboarding/end-users#manually-addinvite-users

BUT that being said, I am confused if you want to have a login always with email-code-only login flow where users enter their email, receive a temporary code via email, and then enter that code to authenticate through zitadel's hosted login?. Or is it just when a new users tries logging in for the first time?.

There's no way to JUST use SMS as login as such, you can add a passkey to make it passwordless. I will check with my team tho(maybe I will get back Monday with more info) but for now, pls give the above doc, a read and lmk if that helped.
Thanks

Rajat•10/10/25, 12:23 PM

something like this I believe

Rajat•10/10/25, 12:23 PM

this was a new user created on login

csgoexpertOP•10/10/25, 1:15 PM

@Rajat I want users to login all the time via the email code

Ccsgoexpert @Rajat I want users to login all the time via the email code

Rajat•10/13/25, 10:44 AM

hey @csgoexpert No, zitadel doesn’t support “email code as the only (first-factor) login” Email OTP exists as a verification/MFA factor, not as a standalone primary sign-in method. You can enforce Email OTP as second factor via the login policy, but users still need a primary method (password, passkey, or IDP).

re4lim_18603•10/22/25, 9:12 AM

Hey there!
I'm looking for exactly the same thing, but with an additional requirement: SMS support. So the temporary code could be received either via email (if the user enters their email) or via SMS (if they enter their phone number).

Also, from the response given to the @csgoexpert , I understand this isn't currently possible, but I'm wondering @Rajat if there are any plans to implement this in future versions?

Rre4lim_18603 Hey there! I'm looking for exactly the same thing, but with an additional requir...

Rajat•10/22/25, 12:40 PM

hey @re4lim_18603 no plans as such but pls go ahead and open a feature request and someone from the team will get back on it

ysemennikov•11/28/25, 12:14 PM

Hey all, I'm currently looking for the same thing as @re4lim_18603 does. It seems like the feature request already exists - https://github.com/zitadel/zitadel/issues/8996. Just added a comment there. So I'm looking forward for this feature