Introduction

A login method where no need to remember or enter a password.
Authentication relies on something the user has (device, email, phone) or is (biometrics).

Method	How it works	Example
Email Magic Link	Server sends a one-time link via email → user clicks to login	Slack, Medium
SMS OTP / TOTP	One-time code sent via SMS or authenticator app	WhatsApp, banking apps
WebAuthn / FIDO2	Public-key cryptography + device	Windows Hello, Apple Touch ID, YubiKey
Push Notification	Approve login on registered device	Duo, Auth0 push login

User registers device (e.g., phone, security key)
- Device generates public/private key pair
Public key sent to server, private key stays on device
Login request:
- Server sends challenge to device
- Device signs challenge using private key
- Server verifies signature using stored public key
Authentication successful → server issues session / token

// must be a trusted device