pennersr / django-allauth

Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.
https://allauth.org
MIT License

Feature request: disable user passwords (while allowing logging in with a magic link and social accounts) #3947

Closed Flimm closed 4 days ago

Flimm commented 2 months ago

I would like to completely disable user passwords, without requiring that users use a social account. If users do not want to use a social account, they can use a "magic" link sent to their email inbox (or maybe a passkey in the future).

If I enable SOCIALACCOUNT_ONLY = True, then the ability to log in with a link sent to an email address is disabled completely. But if I disable SOCIALACCOUNT_ONLY, then the user is prompted to choose a password on sign-up, and the email+password login form is shown to the user when logging in.

I'm building a website where users cannot be trusted to choose secure passwords for themselves, or to handle a password manager. But I don't want to lock users into a Google or Facebook account that they may lose access to. If they lose access to their Google or Facebook account, I would like them to be able to log in using just their email account.

I know this would be substantial effort to get this implemented. I'm not sure I am able to contribute a pull request implementing this yet, but I wanted to record the feature request, to get the discussion started at least.

fabge commented 2 weeks ago

+1

fabge commented 2 weeks ago

The feature was mentioned in issue #1472, @pennersr:

> as the exclusive method for signing in.
>
> Must admit, I would personally advise against that method, as it comes with some security tradeoffs. For example, I could make your life difficult trying to get into your account by overwhelming the system with code requests. You wouldn't be able to log in when this method is the exclusive one; with a password you still can.

but unfortunately it has not been pursued any further. I think this would lift the burden of storing hashed user passwords and the accompanying risks, and it is a very common pattern nowadays.

I have compiled a list of popular websites that use this exact method, meaning not storing passwords and using codes sent via email.

pennersr commented 2 weeks ago

@fabge Logging in by code as is shown in your screenshots is supported by allauth. As well as verifying your email address using a code.

fabge commented 2 weeks ago

What I was getting at was trying to specifically show examples where websites are not using passwords at all. This is currently not supported by allauth, right? At least I was failing to implement it, meaning users only logging in via magic link or e.g. Google auth, without ever specifying a password.

pennersr commented 2 weeks ago

Currently, you can login without a password, see: settings.ACCOUNT_LOGIN_BY_CODE_ENABLED. Logging in without a password using one of the social providers has been supported for a long time. Though, there is indeed no setting or anything that completely wipes any mention of passwords across the board.
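The lockout trade-off quoted from #1472 above (an attacker flooding the code endpoint) and the login-by-code flow pennersr points to here are what the following added example illustrates. It is not code from django-allauth and not anything the commenters wrote; the per-address and per-IP limits, the 180-second timeout, the three-attempt cap and the six-digit code format are all assumptions chosen for the demonstration. The point it makes: when a one-time code is the only way in, a flood aimed at one address must not invalidate the code the victim already holds, or the flood becomes a denial of login.

```python
"""Login-by-code issuer with flood protection (added example, not allauth code).
All limits, the timeout and the code format below are assumptions."""
import hmac
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass

CODE_TIMEOUT = 180           # seconds a code stays valid (assumed)
MAX_ATTEMPTS = 3             # wrong guesses before the code is discarded (assumed)
PER_EMAIL_LIMIT = (5, 600)   # 5 requests per 10 minutes per address (assumed)
PER_IP_LIMIT = (20, 60)      # 20 requests per minute per client IP (assumed)


class RateLimiter:
    """Sliding window: at most `limit` hits per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class CodeLogin:
    def __init__(self):
        self.by_email = RateLimiter(*PER_EMAIL_LIMIT)
        self.by_ip = RateLimiter(*PER_IP_LIMIT)
        self.pending = {}    # email -> PendingCode
        self.outbox = []     # (email, code) pairs; stands in for the mail backend

    def request_code(self, email, ip, now):
        """Return 'sent', 'resent' or 'throttled'.  An unexpired code is re-sent
        rather than replaced, so a flood at one address cannot rotate the code
        the victim already holds; the per-address cap bounds the mail volume."""
        if not self.by_ip.allow(ip, now) or not self.by_email.allow(email, now):
            return "throttled"
        cur = self.pending.get(email)
        if cur is not None and now - cur.issued_at < CODE_TIMEOUT:
            self.outbox.append((email, cur.code))
            return "resent"
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self.pending[email] = PendingCode(code, now)
        self.outbox.append((email, code))
        return "sent"

    def confirm(self, email, code, now):
        """Constant-time compare; the code dies after MAX_ATTEMPTS wrong guesses
        or CODE_TIMEOUT seconds, which keeps the 10**6 keyspace out of reach."""
        cur = self.pending.get(email)
        if cur is None or now - cur.issued_at >= CODE_TIMEOUT:
            self.pending.pop(email, None)
            return False
        if hmac.compare_digest(cur.code, code):
            del self.pending[email]
            return True
        cur.attempts += 1
        if cur.attempts >= MAX_ATTEMPTS:
            del self.pending[email]
        return False


def flood_scenario():
    """Constructed scenario: victim requests a code, an attacker floods the same
    address from ten IPs, victim still logs in with the code already received."""
    svc, t = CodeLogin(), 1_000.0
    first = svc.request_code("victim@example.com", "198.51.100.7", t)
    victims_code = svc.outbox[-1][1]
    attacker = [svc.request_code("victim@example.com", f"203.0.113.{i}", t + 1 + i)
                for i in range(10)]
    return {
        "victim_first": first,
        "attacker_resent": attacker.count("resent"),
        "attacker_throttled": attacker.count("throttled"),
        "victim_logged_in": svc.confirm("victim@example.com", victims_code, t + 30),
    }


def guess_scenario():
    """Constructed scenario: MAX_ATTEMPTS wrong guesses discard the code, after
    which even the correct code is rejected."""
    svc, t = CodeLogin(), 2_000.0
    svc.request_code("user@example.com", "198.51.100.8", t)
    real = svc.outbox[-1][1]
    wrong = "000000" if real != "000000" else "000001"
    misses = [svc.confirm("user@example.com", wrong, t + 1) for _ in range(MAX_ATTEMPTS)]
    return {"misses": misses, "then_real": svc.confirm("user@example.com", real, t + 2)}
```

In the flood scenario the attacker gets four re-sends (the victim's own request used one slot of the per-address budget) and six throttled responses, while the victim's original code still confirms; in the guess scenario three misses burn the code. allauth ships its own knobs in this area (ACCOUNT_LOGIN_BY_CODE_TIMEOUT, ACCOUNT_LOGIN_BY_CODE_MAX_ATTEMPTS and a request_login_code entry in ACCOUNT_RATE_LIMITS in recent releases, as far as I recall); check the settings reference for the version you actually run rather than relying on the values assumed above.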

fabge commented 2 weeks ago

I mean "login" to be the same as "register", i.e. users being presented with a single form element, "your email". Upon entering it, they are sent an email and the user gets created.

fabge commented 2 weeks ago

From what I can see, a passwordless registration/signup flow (using regular accounts, not social accounts) is currently not possible without bending over backwards and digging into the allauth internals. Is this something that you'd consider adding as a feature?

pennersr commented 4 days ago

Moved to https://codeberg.org/allauth/django-allauth/issues/3947