Add an example/tutorial for passwordless with SMS?
Summary of proposed feature
I'd like to use NextAuth to add passwordless authentication to an app using SMS rather than email to deliver the tokens:
- overriding generateVerificationToken to create a shorter token that a user can feasibly type
- override sendVerificationRequest to use Twilio or similar to send an SMS message with the token
- create a page where the user can type the token, similar to entering a 2FA code
It would be good to have an official tutorial or example showing how to implement this securely. I might be able to contribute one in the future.
Purpose of proposed feature
Some groups of users, particularly those with poor digital skills, will find it easier to verify their identity with an SMS rather than an email.
Sometimes (for example, a community group of volunteers) an organiser may only have phone numbers for the users, rather than email addresses.
Detail about proposed feature
A detailed description of how the proposal might work (if you have one).
Potential problems
Not sure about the security impact of shortening the tokens.
Additional context
Related to these three issues: https://github.com/nextauthjs/next-auth/issues/159 https://github.com/nextauthjs/next-auth/issues/709 https://github.com/nextauthjs/next-auth/issues/414
Particularly this response: https://github.com/nextauthjs/next-auth/issues/709#issuecomment-784077142
Please indicate if you are willing and able to help implement the proposed feature.
Yes!
Issue Analytics
- State:
- Created 3 years ago
- Reactions:18
- Comments:6 (2 by maintainers)
@jhackett1 I found this issue by looking at a PR that possibly addresses this functionality.
I work for https://tru.id/ and we are building a better way to authenticate users rather than using insecure SMS OTP. We are currently building an internal prototype that could easily integrate with next-auth as an OAuth provider that uses our technology, then I would love to create a guide or add tru.ID as an available provider. You would definitely love our solution as people don't need to input anything and the verification is happening in the background invisibly.
If you are curious or have any questions feel free to ping me
mattia.asti AT tru.id
SMS Authentication can be done through our "Credentials" provider and a third party SMS service like Twilio.
I found this blog post where a user modifies our "Email" provider a bit to achieve a similar flow by sending a 6 digit code via Email that the user has to input. You would just have to replace the email part with some API calls to Twilio, for example, to send the SMS. See: https://www.ramielcreations.com/nexth-auth-magic-code
EDIT: Also see Balazs's example code for this here: https://github.com/nextauthjs/next-auth/issues/4965#issuecomment-1189094806
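The issue's open question about shortening tokens, and the 6 digit code flow mentioned in the last comment, both depend on compensating for a small code space with expiry, single use and an attempt cap. The sketch below is an added example, not NextAuth's code or any commenter's; `issueCode`, `verifyCode`, the in-memory `pending` map and the chosen limits are assumptions for illustration.

```javascript
// Added illustration: issueCode/verifyCode and the limits are hypothetical, not NextAuth APIs.
const crypto = require("node:crypto");

const CODE_DIGITS = 6;          // only 10^6 possible codes, so guessing must be capped
const TTL_MS = 5 * 60 * 1000;   // assumed lifetime: 5 minutes
const MAX_ATTEMPTS = 5;         // assumed cap: 5 guesses per issued code

// Demo store keyed by phone number; a real app would use its database.
const pending = new Map();

// Keyed hash: a plain SHA-256 of a 6-digit code is reversed by trying all 10^6 values.
function hashCode(secret, phone, code) {
  return crypto.createHmac("sha256", secret).update(`${phone}:${code}`).digest();
}

function issueCode(secret, phone, now = Date.now()) {
  // crypto.randomInt draws uniformly from a CSPRNG; Math.random() is predictable.
  const n = crypto.randomInt(0, 10 ** CODE_DIGITS);
  const code = String(n).padStart(CODE_DIGITS, "0");
  // A new code replaces the old one and resets the counter, so issuance
  // itself also needs a per-number rate limit (not shown).
  pending.set(phone, { hash: hashCode(secret, phone, code), expires: now + TTL_MS, attempts: 0 });
  return code; // hand to the SMS sender only; never log or store in clear
}

function verifyCode(secret, phone, submitted, now = Date.now()) {
  const entry = pending.get(phone);
  if (!entry) return "no_code";
  if (now > entry.expires) { pending.delete(phone); return "expired"; }
  entry.attempts += 1;
  if (entry.attempts > MAX_ATTEMPTS) { pending.delete(phone); return "locked"; }
  const candidate = hashCode(secret, phone, String(submitted));
  if (!crypto.timingSafeEqual(entry.hash, candidate)) return "invalid";
  pending.delete(phone); // single use
  return "ok";
}
```

With these limits a guesser gets at most 5 tries against a 1-in-1,000,000 code before that code is discarded.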