Email One-Time Passcodes (OTP) overview
Email OTP is a secure, seamless passwordless authentication option.
When a user logs in via Stytch's Email OTP product, Stytch generates a one-time passcode and sends it to the user's email address. The user authenticates their identity by retreiving the code from the email and providing it back to your application, at which point Stytch verifies whether or not the code is correct.
API objects and endpoints
API Resources | Description |
|---|---|
A top-level tenant that groups members, auth settings, roles, and other identity configurations. | |
Represents an authenticated user who is a member of a specific Organization. | |
A collection of Email OTP endpoints for login and signup. | |
A managed session that tracks a Member's logged-in state using JWTs or session tokens. |
How it works
In Stytch's B2B product there are two different versions of the Email OTP authentication flow:
- Discovery Authentication: used for self-serve Organization creation or login prior to knowing the Organization context
- Organization-specific Authentication: used when you already know the Organization that the user is trying to log into
Both flows support Email OTP. However, the Discovery flow involves one additional step to surface the user's "discovered Organizations" that they are eligible to log into and also allows self-serve Organization creation.
Learn more about Discovery vs. Organization-specific authentication in our B2B Basics Overview.
Benefits of Email OTP in B2B
Reduces risk of password breaches
Even in corporate environments, users notoriously use easy-to-crack passwords and reuse easy-to-remember passwords across multiple sites. By offering an email-based login method instead of passwords, you reduce the risk that user accounts will be compromised via data breaches at other companies.
Provides strong guarantee of email ownership
In B2B applications where access to an Organization is tied to corporate email addresses, verifying that the user currently has active ownership over that email is a much stronger guarantee of identity than an email + password combination, which a user could retain after leaving the company.
Provider agnostic
Email OTP is a great complementary option to other popular passwordless login methods like Google or Microsoft OAuth, as it does not depend on the user having an account with a specific email provider.