Discourse communities can now let users log in using a short emailed code instead of a magic link, offering a passwordless login flow which feels familiar to many other SaaS platforms and works alongside your existing second-factor setup.
In this topic, we’ll review the major changes and share how you can start using this today.
What’s changed
When this feature is enabled, members see a simpler flow:
A few details worth knowing: codes are valid for 10 minutes, expire after 5 failed attempts, and can only be redeemed once.
Turning on one-time login codes in your community
For now, this is considered an experimental change! Before rolling it out more widely, we’re welcoming your feedback to help us make improvements.
To turn this on, head to the Upcoming changes page in your admin area (/admin/config/upcoming-changes) and find the Enable local logins via code item. Update the Enabled for… field to opt your site in to this new design:
Before enabling, confirm that both enable_local_logins and enable_local_logins_via_email are also true as the feature cannot be turned on without them. If you’re using DiscourseConnect (enable_discourse_connect), this feature cannot be enabled.
Once the change is enabled, the code login path appears automatically.
What do you think?
Over to you: we’d love to hear what you think of this new feature. What do you like and dislike; what is working well, and what could be improved?
This new flow removes the current “generate email, type username, generate password, save” strategy that my password manager has pushed me into and forces you to type the email first before everything. I don’t have an issue with the email code thing (and in fact almost prefer it, especially if the code is included in the email subject) but I strongly oppose removing the other account data boxes. If I were a user with zero technical background I would also see myself not handing out my email to a box with no info like this because it isn’t a common design. Before this becomes a permanent thing, it’d be great if that was added back.
Email codes, AKA “magic links”, are decent, but nudging users towards passkeys makes the experience way, way better.
To start, websites using magic links can make passkeys an optional, opt-in feature for the customers who have complained about how their magic links work today. To ensure it doesn’t cause any problems, as a sort of soft launch, they could make the feature 100% opt-in.
Slightly later on, once the people running the website are convinced that passkeys really help with the user experience issues around magic links, they can prompt users to add passkeys after signing in, once every 90 days or so, or whenever they sign-in using the cross-device sign-in feature of passkeys. The framing of such a prompt can be something like this for users on Apple devices: Want to avoid having to check your email next time? Set up a passkey to use Face ID or Touch ID to sign in quickly and securely.