---
title: "Passwordless"
section: "build-a-backend/auth/concepts"
platforms: ["android", "angular", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
gen: 2
last-updated: "2026-04-24T07:46:51.000Z"
url: "https://docs.amplify.aws/react/build-a-backend/auth/concepts/passwordless/"
---

Amplify supports the use of passwordless authentication flows using the following methods:

- [SMS-based one-time password (SMS OTP)](#sms-otp)
- [Email-based one-time password (Email OTP)](#email-otp)
- [WebAuthn passkey](#webauthn-passkey)

Passwordless authentication removes the security risks and user friction associated with traditional passwords.

> **Warning:** **MFA and passwordless cannot be used together.** Amazon Cognito does not support enabling both MFA and passwordless sign-in (including passkeys, SMS OTP, and email OTP) for the same user. If a user has MFA configured, passwordless sign-in options will not be available. For more details, see the [Amazon Cognito MFA prerequisites](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html#user-pool-settings-mfa-prerequisites).

## Configure passwordless authentication

You can enable passwordless authentication methods directly in your `defineAuth` configuration. Passwordless methods are used alongside traditional password-based authentication, giving users multiple options to sign in.

```ts title="amplify/auth/resource.ts"
import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: {
      otpLogin: true // Enable email OTP
    }
  }
});
```

You can enable multiple passwordless methods simultaneously:

```ts title="amplify/auth/resource.ts"
import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: {
      otpLogin: true // Enable email OTP
    },
    phone: {
      otpLogin: true // Enable SMS OTP
    },
    webAuthn: true // Enable WebAuthn passkeys
  }
});
```

## SMS OTP

SMS-based authentication uses phone numbers as the identifier and text messages as the verification channel. At a high level end users will perform the following steps to authenticate:

1. User enters their phone number to sign up/sign in
2. They receive a text message with a time-limited code
3. After the user enters their code they are authenticated

### Configure SMS OTP

Enable SMS OTP by setting `otpLogin: true` in your phone login configuration:

```ts title="amplify/auth/resource.ts"
import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    phone: {
      otpLogin: true
    }
  }
});
```

> **Info:** SMS-based one-time password requires your Amazon Cognito user pool to be configured to use Amazon Simple Notification Service (SNS) to send text messages. [Learn how to configure your auth resource with SNS](/[platform]/build-a-backend/auth/moving-to-production/#sms).
> 
> 

[Learn more about using SMS OTP in your application code](/[platform]/frontend/auth/sign-in/#sms-otp).

## Email OTP

Email-based authentication uses email addresses for identification and verification. At a high level end users will perform the following steps to authenticate:

1. User enters their email address to sign up/sign in
2. They receive an email message with a time-limited code
3. After the users enters their code they are authenticated

### Configure Email OTP

Enable Email OTP by setting `otpLogin: true` in your email login configuration:

```ts title="amplify/auth/resource.ts"
import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: {
      otpLogin: true
    }
  }
});
```

> **Info:** Email-based one-time password requires your Amazon Cognito user pool to be configured to use Amazon Simple Email Service (SES) to send email messages. [Learn how to configure your auth resource with SES](/[platform]/build-a-backend/auth/moving-to-production/#email).

[Learn more about using email OTP in your application code](/[platform]/frontend/auth/sign-in/#email-otp).

## WebAuthn Passkey

WebAuthn uses biometrics or security keys for authentication, leveraging device-specific security features. At a high level end users will perform the following steps to authenticate:

1. User chooses to register a passkey
2. Their device prompts for biometric/security key verification
3. For future logins, they'll authenticate using the same method

### Configure WebAuthn

Enable WebAuthn passkeys in your auth configuration. The simplest configuration uses automatic relying party ID resolution:

```ts title="amplify/auth/resource.ts"
import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: true, // Users need a sign-up method
    webAuthn: true // Automatically resolves relying party ID
  }
});
```

When `webAuthn: true` is used, the relying party ID is automatically resolved:
- In **sandbox** environments: resolves to `localhost`
- In **branch** deployments: resolves to your Amplify app domain (e.g., `[branch].[appId].amplifyapp.com`)

For production environments or custom domains, specify the relying party ID explicitly:

```ts title="amplify/auth/resource.ts"
import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: true,
    webAuthn: {
      relyingPartyId: 'example.com',
      userVerification: 'required' // or 'preferred' (default)
    }
  }
});
```

<!-- Platform: android -->
You can read more about how passkeys work in the [Android developer docs](https://developer.android.com/design/ui/mobile/guides/patterns/passkeys).

> **Warning:** Registering a passkey is supported on Android 9 (API level 28) and above.

Using passkeys with Amplify requires following these steps:

1. Deploy a Digital Asset Links file to your website granting the `get_login_creds` permission to your application. See the [Credential Manager documentation](https://developer.android.com/identity/sign-in/credential-manager#add-support-dal) for more details about this file.
1. Configure WebAuthn in your `defineAuth` as shown above, specifying your website domain as the `relyingPartyId`.
1. Use the Amplify Android APIs to first [register a passkey](/[platform]/build-a-backend/auth/manage-users/manage-webauthn-credentials/#associate-webauthn-credentials) and then to [sign in with WebAuthn](/[platform]/frontend/auth/sign-in/#webauthn-passkeys).
<!-- /Platform -->
<!-- Platform: swift -->

<!-- /Platform -->

[Learn more about using WebAuthn passkeys in your application code](/[platform]/frontend/auth/sign-in/#webauthn-passkeys).

### Managing credentials

Passwordless authentication with WebAuthn requires associating one or more credentials with the user's Amazon Cognito account. Amplify provides APIs that integrate with each platform's local authenticator to easily create, view, and delete these credential associations.

[Learn more about managing WebAuthn credentials](/[platform]/build-a-backend/auth/manage-users/manage-webauthn-credentials).

## Passwordless authentication

When you enable passwordless authentication methods, traditional password authentication remains available. This gives users flexibility to choose their preferred authentication method:

```ts title="amplify/auth/resource.ts"
import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: {
      otpLogin: true // Email OTP enabled alongside password auth
    }
  }
});
```

In this configuration, users can authenticate using either:
- Email and password (traditional)
- Email OTP (passwordless)

You can enable multiple passwordless methods to give users even more options:

```ts title="amplify/auth/resource.ts"
import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: {
      otpLogin: true
    },
    phone: {
      otpLogin: true
    },
    webAuthn: {
      relyingPartyId: 'example.com'
    }
  }
});
```

In this configuration, users can authenticate using:
- Email and password
- Email OTP
- Phone and password
- SMS OTP
- WebAuthn passkeys

> **Info:** When using WebAuthn, users still need a way to initially sign up (email or phone). WebAuthn credentials are then associated with their account for future sign-ins.

## Next steps

- [Learn how to implement passwordless sign-in in your application](/[platform]/frontend/auth/sign-in/)
- [Configure email settings for Email OTP](/[platform]/build-a-backend/auth/moving-to-production/#email)
- [Configure SMS settings for SMS OTP](/[platform]/build-a-backend/auth/moving-to-production/#sms)
- [Manage WebAuthn credentials](/[platform]/build-a-backend/auth/manage-users/manage-webauthn-credentials/)
