PwdLess

A platform-agnostic passwordless authentication server that's a joy to use.

What is PwdLess?

PwdLess is a free, open-source authentication server that allows you to register/login users without a password. This is achieved by sending a "magic link" containing a nonce, possibly in the form of a URL. Once the user opens the link (or manually types the nonce into your app), a JWT is generated for the user, authenticating their identity. PwdLess operates without a database (cache only) and only requires simple configuration to run. This makes it platform-agnostic so you can easily integrate it into any tech-stack.

How it works

1. Users provide their email address & are sent a nonce
A user provides their email address to your website (i.e. a JS client). In turn, it makes an API call to PwdLess's `/auth/sendNonce?identifier=USER_EMAIL`. PwdLess then emails a nonce to that address. The email server settings are easily configurable.
2. The user opens the nonce URL or enters the nonce into your app
Once your website obtains the nonce (either because the user typed it in manually or because it arrived in the link's query string), it requests a JWT for the user. To do this, your website makes an API call to PwdLess's `/auth/nonceToToken?nonce=SUPPLIED_NONCE`. PwdLess then responds with a signed JWT containing the user's email address.
3. You use the JWT to authenticate the user into your APIs
Since the contents of a signed JWT cannot be altered without invalidating its signature (provided your APIs actually validate that signature), you can now be certain of the user's identity and proceed by including the JWT in the Authorization header of all subsequent requests made by your website.

Features

Platform-Agnostic
PwdLess doesn't care about your tech stack. As long as you speak HTTP, everything is fine (think of it as a microservice). This means you can use PwdLess with Node, Ruby, PHP, Django, or even mobile and desktop projects flawlessly.
Low Overhead
Using authentication with no passwords provides low overhead for both you and your users. As a developer, you don't have to store passwords or even worry about user authentication at all (since PwdLess takes care of that for you!). Your users also won't have to remember yet another password for using your site, providing a frictionless experience.
Configuration-Only
PwdLess only requires configuration to run. No need to go through the code, or change anything else. This makes it really fast and easy to set up.
No Database
PwdLess doesn't use a database internally so you don't have to manage "yet another database". You store your user information however you want.
Modular Architecture
PwdLess's source code is very modular and works on top of an IoC container, so if you want to change anything that's not configurable (for example, using SMS instead of email), it's as easy as creating a class that implements an interface.
Free & Open Source
PwdLess is free and open source under the permissive MIT license, so you have nothing to lose by trying it out!

Get PwdLess

PwdLess is free and open source. You can either download a build or download the source from GitHub. PwdLess is written in ASP.NET Core 1.0.1, so it works across all major operating systems. By default, PwdLess uses ASP.NET Core's `IDistributedCache` to store the nonces/tokens in-memory. Almost any other cache can be used (such as Redis) since it is provided through dependency injection.

Support PwdLess

If PwdLess was useful to you or has saved you some time, please consider donating to help me keep maintaining PwdLess as a free forever service. Thank you!


About

PwdLess is created by Biarity. Have a look at my blog's about section for more information.


FAQ

Can I use this with NodeJs, Django, RoR, Suave, Laravel, or any non-C# web framework?
Absolutely! PwdLess is built to be platform-agnostic so you can use it with any language, framework, database, or operating system you want. You won't have to worry about maintaining any C# code since PwdLess is obtained as an executable that you just run to start a server; interacting with PwdLess internals is not necessary for customizing it since it is fully configurable through environment variables or an external file.
What if a user's email is compromised?
Email is a single point of failure for almost all authentication systems, including the traditional email-password systems. This is because of password reset functionality in which an attacker can just reset your password by having access to your email. In fact, by using PwdLess you are eliminating a point of failure (passwords)!
How come no database is used?
PwdLess only authenticates users, with the end goal of providing them an access token that proves who they are. Once the access token has been issued, your client should make the necessary API calls to your own database API (i.e. if the user is new, store the user and prompt for extra details; otherwise retrieve the user's data). This means PwdLess doesn't need to interact with any database, and you're free to use any storage solution you want.
Can I use other logins (Facebook, Twitter, GitHub, Email/Password, etc.) alongside PwdLess?
Yes! PwdLess is fully independent of the rest of your tech stack, so using other login schemes should require 0 modification to PwdLess.
