Prepare for the PgBouncer and IPv4 deprecations on 26th January 2024

Home

Phone Login

Phone Login is a method of authentication that allows users to log in to a website or application without using a password. Instead of entering a password, the user provides another form of authentication through a one-time code sent via SMS.

Benefits

There are several reasons why you might want to add phone login to your applications:

  • Improved user experience: By eliminating the need for users to remember and enter complex passwords, phone login can make it easier and more convenient for users to log in to your application. This can improve the overall user experience and make it more enjoyable for users to interact with your application.

  • Increased security: Phone login can improve the security of your application by reducing the risk of password-related security breaches, such as password reuse and weak passwords. By using alternative forms of authentication, such as one-time codes or biometric factors, you can make it more difficult for unauthorized users to access your application.

  • Reduced support burden: Phone login can also help reduce the support burden for your team by eliminating the need to handle password recovery flows or deal with other password-related issues. This can free up your team to focus on other important tasks and improve the efficiency of your operation.

Set up a provider with Supabase Auth

To use Phone Login, you first need to set up a Phone provider. Supabase supports Phone Login with several communications platforms. Follow the guides below to set up your provider.

Using Phone Login

You can use Phone Login to:

Each of these flows sends the user an SMS containing a six-digit PIN, which you must verify to complete the flow.

Sign up a user with phone number and password

You can use a user's mobile phone number, instead of an email address, when they sign up with a password.

This practice is usually discouraged because phone networks often recycle mobile phone numbers. Anyone receiving a recycled phone number gets access to the original user's account. To mitigate this risk, implement MFA.

To sign up the user, call signUp() with their phone number and password:


_10
const { data, error } = await supabase.auth.signUp({
_10
phone: '+13334445555',
_10
password: 'some-password',
_10
})

The user receives an SMS with a 6-digit pin that you must verify within 60 seconds.

After their phone number is verified, the user can use their phone number and password to sign in with needing to reverify each time:


_10
const { user, error } = await supabase.auth.signInWithPassword({
_10
phone: '+13334445555',
_10
password: 'some-password',
_10
})

Sign in a user with OTP

With OTP, a user can sign in without setting a password on their account. They need to verify their phone number each time they sign in.


_10
const { data, error } = await supabase.auth.signInWithOtp({
_10
phone: '+13334445555',
_10
})

The user receives an SMS with a 6-digit pin that you must verify within 60 seconds.

Update a user's phone number

To update a user's phone number, the user must be logged in. Call updateUser() with their phone number:


_10
const { data, error } = await supabase.auth.updateUser({
_10
phone: '123456789',
_10
})

The user receives an SMS with a 6-digit pin that you must verify within 60 seconds.

Verify a user

To verify the one-time password (OTP) sent to the user's phone number, call verifyOtp() with the phone number and OTP:

You should present a form to the user so they can input the 6 digit pin, then send it along with the phone number to verifyOtp:


_10
const {
_10
data: { session },
_10
error,
_10
} = await supabase.auth.verifyOtp({
_10
phone: '+13334445555',
_10
token: '123456',
_10
type: 'sms',
_10
})

If successful the user will now be logged in and you should receive a valid session like:


_10
{
_10
"access_token": "<ACCESS_TOKEN>",
_10
"token_type": "bearer",
_10
"expires_in": 3600,
_10
"refresh_token": "<REFRESH_TOKEN>"
_10
}

The access token can be sent in the Authorization header as a Bearer token for any CRUD operations on supabase-js. See our guide on Row Level Security for more info on restricting access on a user basis.