The provider you’re using is called the password provider. As its name implies it is heavily dependent on the user having (and knowing) a password. Since you are looking for passwordless authentication, I’d recommend against using the email+password provider as the basis.
Instead consider implementing a custom authentication provider. While this involves a few more components, it is not as difficult as you may think. You’ll need to run trusted code, which you can do either on a server you already have, or on Cloud Functions. In either of those cases, you’ll use one of the Admin SDKs to implement the sensitive parts of the authentication flow.
A quick list of steps that I think you’ll need:
- Create an endpoint (e.g. an HTTP triggered Cloud Function) for the user to request an authentication email.
- Implement the code for this endpoint to:
  - Generate a random one-time code in there, which you’re going to send to the user. Firebase Authentication calls this the out-of-band (or OOB) code, since it’s sent to the user on a different medium than your app.
  - Store this code and the user’s email address somewhere where only your server-side code can read it, e.g. in the Firebase Database or Cloud Firestore.
  - Send an email to the user, with the code or a link to a page that includes the code and their email address.
- Create an endpoint (e.g. again an HTTP function, or web page) where the user enters (e.g. by clicking on a link in the email) the OOB code and their email address.
- Compare the code the user entered, to the one you stored before.
- If the codes match, generate a custom token for the user and send it to them.
- The user/app now signs into Firebase with the custom token.
Source:stackexchange.com
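The server-side core of the steps listed in the answer, as an added example that is not part of the original answer or of Firebase's own code. It assumes a 15-minute code lifetime, an in-memory `Map` standing in for the server-only Firestore/Database collection, and a hypothetical injected `mintCustomToken` callback that in a deployment would wrap the Admin SDK's `admin.auth().createCustomToken(uid)`; the function names are illustrative.

```javascript
const crypto = require("node:crypto");

// Assumption: 15-minute lifetime; the answer does not specify one.
const CODE_TTL_MS = 15 * 60 * 1000;

// Stand-in for a collection that only trusted server code can read.
const pendingCodes = new Map();

const sha256 = (s) => crypto.createHash("sha256").update(String(s)).digest();
const normalize = (email) => String(email).trim().toLowerCase();

// Request endpoint: generate the OOB code and store it with the email.
// Only a hash is stored, so a leaked datastore does not yield usable codes.
function requestSignInCode(email, now = Date.now()) {
  const code = crypto.randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
  pendingCodes.set(normalize(email), {
    hash: sha256(code),
    expires: now + CODE_TTL_MS,
  });
  // Hand the code to the mailer only; never echo it in the HTTP response.
  return code;
}

// Redeem endpoint: compare the submitted code with the stored one and,
// on a match, mint a custom token. Returns null on any failure, otherwise
// whatever mintCustomToken returns (a Promise when it wraps the Admin SDK).
function redeemSignInCode(email, submitted, mintCustomToken, now = Date.now()) {
  const key = normalize(email);
  const entry = pendingCodes.get(key);
  if (!entry) return null;

  // Single use: the entry is deleted on the first attempt, right or wrong,
  // so a code can be neither replayed nor guessed repeatedly.
  pendingCodes.delete(key);

  if (now > entry.expires) return null;

  // Both buffers are 32-byte digests, so timingSafeEqual never throws on length.
  if (!crypto.timingSafeEqual(entry.hash, sha256(submitted))) return null;

  // The callback maps the verified email to a Firebase uid and signs the token.
  return mintCustomToken(key);
}
```

The client then passes the returned token to `signInWithCustomToken`. A request endpoint like this also needs per-address rate limiting, which is outside what the block shows.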