Passwordless login

Passwordless login allows users to authenticate without using traditional passwords. This guide shows how to enable and configure passwordless authentication methods in your Ory project.

Enabling passkeys

Passkeys are a secure and convenient way to authenticate users without passwords. They use public key cryptography and are supported by most modern browsers.

Ory Console

To enable Passkeys:

1. Log in to your Ory Console
2. Select your workspace and project
3. Navigate to the Authentication tab
4. Click on Passwordless login in the sidebar
5. Toggle "Enable Passkey authentication" to on
6. Configure the Display Name (what users see when prompted to authenticate)
7. Click "Save"

https://console.ory.sh/projects/<id>/passwordless

Ory CLI

To enable the passkey strategy using the Ory CLI, run the following command:

ory patch identity-config <your-project-id> \
--add '/selfservice/methods/passkey/enabled=true' \
--add '/selfservice/methods/passkey/config/rp/display_name="My Display Name"'

What users will see

Users will see a browser prompt to use a passkey:

https://console.ory.sh/projects/<id>/passwordless

Enabling one-time codes

One-time codes (OTC) provide a secure authentication method where codes are sent directly to the user's email.

To enable one-time codes:

1. In the Passwordless login section
2. Toggle "Enable one-time code passwordless" to on
3. Click "Save"

https://console.ory.sh/projects/<id>/passwordless

Users will receive a one-time code via email when they attempt to sign in.

What users will see

When using one-time codes, users will:

1. Enter their email address
2. Receive a code via email
3. Enter the code to complete authentication

https://console.ory.sh/projects/<id>/passwordless

Enabling WebAuthn

warning

Prefer passkeys over WebAuthn when possible. This is documented for legacy reasons.

WebAuthn is a standard for hardware-based authentication using security keys or built-in platform authenticators.

Ory Console

To enable WebAuthn:

1. In the Passwordless login section
2. Toggle "Enable WebAuthn passwordless authentication" to on
3. Configure the Display Name
4. Click "Save"

https://console.ory.sh/projects/<id>/passwordless

Ory CLI

To enable WebAuthn using the Ory CLI, run the following command:

ory patch identity-config <your-project-id> \
--add '/selfservice/methods/webauthn/enabled=true' \
--add '/selfservice/methods/webauthn/config/passwordless=false' \
--add '/selfservice/methods/webauthn/config/rp/display_name="My Display Name"'

What users will see

With WebAuthn enabled, users will be prompted to:

1. Insert a security key, or
2. Use their device's built-in authenticator (fingerprint, face recognition)

https://console.ory.sh/projects/<id>/passwordless