drfpasswordless: Passwordless Auth for Django Rest Framework.

drfpasswordless is an open source package for building passwordless logins quickly into your app’s django-rest-framework backend. I made it because I was inspired by the login flows on Square Cash (where I formerly worked) and Medium, both of which use paswordless-style logins. drfpasswordless makes it really easy to send a 6-digit login token to an SMS Inbox or Email Address, which the user can then respond with to get login credentials. My package is used by organizations like UNICEF, and I’ve used it in a few of my apps as well.

How does passwordless login work?

If you’ve ever entered a 6-digit token sent to your phone, or clicked a “magic link” sent to your email address, you’ve used a passwordless login system. Especially on mobile apps, it’s a becoming the standard way to log in, and makes it very convenient for users to sign in without needing to remember a password.

Why is passwordless okay?

Passwordless logins work under the assumption that access to a certain SMS inbox or email address means you are (probably) the owner of the account belonging to that address. This is the same way password reset links work: since only you have access to [email protected], we can assume whoever clicks the password reset link in that inbox is most likely [email protected].

How does drfpasswordless work?

There are many flavors of passwordless login, but drfpasswordless focuses on asking users to prove a token we sent to their inbox. In the future we’d like to consider magic links (click a link to login– just like password reset), but it isn’t a priority yet.

Our Basic Flow:

1. A user enters an email address or phone number– let’s pretend it’s [email protected].
2. We send a randomly-generated 6-digit token to that address which will expire in 15 minutes. Let’s pretend the token is 712952.
3. If user can respond with 712952 + [email protected] within 15 minutes, we’ll give them what’s called a Bearer Token that proves they are logged in as [email protected].
4. If we haven’t seen them before, we can optionally register them for a new account.
5. We then invalidate the token so it can’t be used again (though it was going to expire after 15 minutes, anyways).

Features:

• We return django-rest-framework authentication tokens by default, but you could just as easily return a JWT or whatever you want to use to authenticate your user.
• All of the templates, expiries, and messages are totally customizable.
• We can optionally flag email addresses or mobile numbers as verified when they confirm a token.
• We can optionally register users we haven’t seen before, if you want to go totally passwordless.
• We support demo users for iOS App Store testing.

See the full featureset on our Github Readme.

What are some of the tradeoffs when going passwordless?

Everything comes with tradeoffs. The biggest threat to passwordless login systems is getting your SMS inbox or email address compromised. This is definitely becoming more and more common, especially in sim-jacking attacks where attackers take over your phone number to impersonate you.

However, you’ll have a hard time convincing me that this is more common than having your password leaked (and if you do find a source that says sim-jacking is more common than a password compromise, please send it as you’ll blow my mind). Regardless, if you’re working on something very high-security like banking software, you probably want to rely on more robust, multi-factor systems like two-factor-auth and not just passwords or tokens alone.

Closing Remarks

So, there you go. drfpasswordless is a quick and easy way to add passwordless logins to your app’s backend if you’re using django-rest-framework. You can check the package out on Github. If you end up using it in any production applications, or have any suggestions for improvement feel free to hit me up via a Github Issue, email or Twitter.