Passwordless signin via email link

That’s not the actual “forgot password” flow though. It goes:

  1. press “forgot password” button on login page
  2. press “submit” button
  3. get email
  4. create new password
  5. log in

The feature here is essentially about removing the (4) create new password step.

Here’s a scenario I quite often find myself in:

I’m on a new computer. One of the few passwords I can remember is that of my email, which is also protected with 2FA. However, on any site that doesn’t support social logins, I’m using a password manager so I can use long, secure passwords. But I’m not always on a device/browser where I’m allowed to use my password manager.

In these cases, an “email login link” would be strongly preferable to a password reset, since the problem isn’t that I’ve forgotten my password; I never actually knew my password in the first place. If I change my password, that won’t match whatever my password manager has got stored.


Is this project idea still available for GSoC? I am interested in taking this up!

Yep, it’s still on the table. However I think this task would probably have to be one of several #pr-welcome tasks, since I doubt it’d take 3 months to figure this one out.


Sir, is this topic still available, and can I start working on it?

Yep, this is still available. But keep in mind that since this change has security implications, it’ll probably be a pretty slow-moving process as we need to review every code change very carefully. As already mentioned, it should be done in conjunction with a couple other tasks.

Also, this isn’t a good “warmup task”. Better look through #starter-task for that. Save “Passwordless signin (+others)” for your SoC proposal.


I am starting with some starter tasks and will have my GSoC application/proposal on this topic.
Thank You for your guidance.


Eh, I feel the rush to implement this feature. Up for grabs?


heh, sure go for it!


I added this to 2.0 and am assigning this to @tgxworld to look at. We have a PR for this by @fantasticfears that just needs a bit of refining.


May I ask some security experts here:
Is this procedure less or more secure than the default PW way?

Just as a side aspect, I’d like to mention:

  1. What if an attacker catches the plain-text mail and logs in (maybe automatically?), in the first place to get control over the account.
  2. He would try to change the mail address to make an account recovery, at least for the moment, impossible.
  3. Now he/she has time to get everything she/he wants to know.

I would say for any corporate Discourse usage, it could become pretty dangerous.

So, I would suggest:

  • to disable some settings like changing the mail address for at least x minutes.
  • offer some kind of 2FA in addition (optimal)
  • make sure that, if someone from outside the country (better: outside some location radius of x kilometers/miles relative to the last 1-3 locations) logs in, the admin and the user themselves are immediately notified of the geo location, IP and time… (like Apple does)

… so there is a small chance to prevent / stop illegitimate access, in case there is something suspicious.

I think, as a minimum, when we pull in this feature it would be default off.

In a 2fa scenario you would need magic link + 2fa which I think gives plenty of security and allows you to forget a password.


This is the same threat level & attack vector as intercepting your password reset link, which is already a default feature.


Why do we need TLS/SSL encrypted web sites and passwords at all, if there is no intention to fix this? Why are you hashing the PW before sending it to the server, if the mechanism to bypass it is so easy?

I really think it shouldn’t be that easy to hijack user accounts in seconds. Even for bank account access via ATM, you need at least the data on the card and a PIN. It’s a pity that mail encryption is that complicated for inexperienced users nowadays.

Hmm :thinking: makes no sense to me

Which is why what you really want is 2fa, which is coming next year


Make sure to use WebAuthn (the api that supports “More than just U2F”) when implementing, it will also support things like fingerprint sensors.

(and also android safetynet which is a big scam to punish people for rooting their devices)

I don’t believe Discourse does this.

There’s plenty of reasons why content integrity and authenticity are important, aside from the confidentiality of login, but I’m sure you already knew that.


Thank you @fantasticfears for laying the groundwork here! I made some changes as to how error messages are displayed and made the rate limits more aggressive for the new routes.

As per @sam’s request, the feature is also off by default and can be enabled via enable_local_logins_via_email site setting.
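As an added example (not Discourse’s code and not the PR discussed in this thread), here is an in-memory model of the token lifecycle that an email login link needs: a high-entropy single-use token of which only a hash is stored, a short expiry, one uniform failure response, a per-address issue limit like the rate limits mentioned above, and the post-login cooldown on changing the address that was suggested earlier in the thread. The class name, the 10-minute TTL, the 3-per-hour limit, the 30-minute cooldown and the sample address are all assumptions chosen for illustration.

```ruby
require 'securerandom'
require 'digest'

# Added example (not Discourse's code): an in-memory model of the single-use
# email login token that a passwordless "login link" feature needs. Limits and
# names below are assumptions chosen for illustration.
class EmailLoginTokens
  TOKEN_TTL             = 10 * 60   # seconds a link stays valid (assumption)
  MAX_ISSUES_PER_HOUR   = 3         # links per address per hour (assumption)
  EMAIL_CHANGE_COOLDOWN = 30 * 60   # seconds after a link login during which
                                    # the address may not be changed (assumption)

  Record = Struct.new(:email, :token_hash, :created_at, :redeemed_at)

  # +clock+ is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @records = []
  end

  # Issue a link token for +email+. Returns the raw token, which goes only into
  # the email, or nil when the address is over the hourly limit. Only a SHA-256
  # of the token is stored, so reading the table does not yield usable links.
  def issue(email)
    now = @clock.call
    recent = @records.count { |r| r.email == email && now - r.created_at < 3600 }
    return nil if recent >= MAX_ISSUES_PER_HOUR

    raw = SecureRandom.urlsafe_base64(32)          # 256 bits of entropy
    @records << Record.new(email, digest(raw), now, nil)
    raw
  end

  # Redeem a token from a clicked link. Returns the email on success, nil when
  # the token is unknown, expired or already used. Every failure is the same
  # nil so the response does not say which check failed.
  def redeem(raw)
    now = @clock.call
    wanted = digest(raw.to_s)
    rec = @records.find { |r| secure_equal(r.token_hash, wanted) }
    return nil if rec.nil? || rec.redeemed_at
    return nil if now - rec.created_at > TOKEN_TTL

    rec.redeemed_at = now                           # single use
    rec.email
  end

  # The cooldown suggested in the thread: after a link login, hold the address
  # change for a while so an intercepted link cannot immediately lock the
  # real owner out of recovery.
  def email_change_locked?(email)
    now = @clock.call
    @records.any? do |r|
      r.email == email && r.redeemed_at && now - r.redeemed_at < EMAIL_CHANGE_COOLDOWN
    end
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Constant-time comparison of two equal-length strings.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = EmailLoginTokens.new
  raw = store.issue("alice@example.com")              # constructed sample address
  puts "link token:    #{raw}"
  puts "first redeem:  #{store.redeem(raw).inspect}"   # "alice@example.com"
  puts "second redeem: #{store.redeem(raw).inspect}"   # nil, single use
end
```

In a real deployment the records would live in a database table and the raw token only in the outgoing mail and the clicked URL; the point of storing the hash is that a database read, backup or log does not hand out working login links, which is the same property a password reset token should already have.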


Maybe this feature could be integrated in a more visible place as it’s very useful:

I suggest a button here saying Login with email.
Something like this one:


Will invites use this (if enabled)? Does that mean it will be possible to send invites even if password-based authentication is enabled? That would be awesome! I really want to get rid of password-based logins and invites are the one thing holding me back.


we are working on this


This feature is complete and shipping.