Live demo
Creating a passwordless login system
Passwords are a shared-secret liability. This demo shows a modern passwordless flow that uses email OTP to establish identity and WebAuthn passkeys to authenticate.
Private keys stay on-device and are bound to your relying party (`rpId`), which gives stronger phishing resistance than password-based login.
Presentation: Creating a Passwordless User System.
Source code: Passwordless Login Demo.
Email OTP establishes identity
Start with username + email, then verify a one-time code. This creates the account identity without introducing a password.
Passkeys authenticate
Passkeys are browser-native public/private key auth (think SSH keys for the web) with biometrics or a device PIN.
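The `rpId` binding described above shows up in the checks a server runs on a passkey assertion before it verifies the signature. The following is an added example, not code from the demo: `checkAssertionBinding`, `buildSample` and the `login.example` names are hypothetical, and the sample buffers are constructed rather than captured from a browser.

```javascript
// Added example: relying-party binding checks on a WebAuthn assertion (Node.js).
const { createHash } = require("node:crypto");

const sha256 = (data) => createHash("sha256").update(data).digest();

// Returns null when the assertion is bound to our challenge, origin and rpId,
// otherwise a short reason string. Signature verification is a separate step.
function checkAssertionBinding(assertion, expected) {
  let client;
  try {
    client = JSON.parse(assertion.clientDataJSON.toString("utf8"));
  } catch {
    return "clientDataJSON is not valid JSON";
  }
  if (client.type !== "webauthn.get") return "wrong ceremony type";
  if (client.challenge !== expected.challenge) return "challenge mismatch";
  if (client.origin !== expected.origin) return "origin mismatch";

  const authData = assertion.authenticatorData;
  if (authData.length < 37) return "authenticatorData too short";
  // Bytes 0..31 are SHA-256(rpId); byte 32 holds the flags (bit 0 = user present).
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpIdHash mismatch";
  if ((authData[32] & 0x01) === 0) return "user presence flag not set";
  return null;
}

// Constructed sample data: the two buffers a browser returns from navigator.credentials.get().
function buildSample(rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const flags = Buffer.from([0x05]); // user present | user verified
  const signCount = Buffer.alloc(4);
  return { clientDataJSON, authenticatorData: Buffer.concat([sha256(rpId), flags, signCount]) };
}

// Hypothetical relying party; the challenge is base64url of "sample-challenge".
const expected = { rpId: "login.example", origin: "https://login.example", challenge: "c2FtcGxlLWNoYWxsZW5nZQ" };
const genuine = buildSample("login.example", "https://login.example", expected.challenge);
const otherOrigin = buildSample("login.example", "https://login.example.test", expected.challenge);
const otherRp = buildSample("other.example", "https://login.example", expected.challenge);
const staleChallenge = buildSample("login.example", "https://login.example", "b2xkLWNoYWxsZW5nZQ");

for (const [name, sample] of Object.entries({ genuine, otherOrigin, otherRp, staleChallenge })) {
  console.log(name, "->", checkAssertionBinding(sample, expected) ?? "accepted");
}
```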
Demo boundaries
This project intentionally skips production hardening such as rate limiting and real email delivery.