Brian Hebert:
OK. New one. User scans a QR code to a page. The user enters their phone number. The system checks to see if the phone number exists in our database. If it does, it sends an SMS code to their phone. The code is entered on the same page. The system checks to see if the code matches what is stored. At this point, I need to log in the user. I have the id from the user table stored in the worker table of the database. How do I authenticate at this point instead of entering email and password?
Delfs:
How long do you want to keep the user logged in for?
Will login survive refresh?
Chris Conger:
Love this workflow for authentication. Is it possible to do it including surviving refresh?
Brian Hebert:
I want to keep them logged in as if they logged on the regular way. My employer wants to simplify it as much as possible.
Delfs:
So, there is no official way to authenticate a BF user programmatically from FMS, but you can emulate it, sort of, via a cookie.
I will defer the solution to tomorrow's Friday Live.
Brian Hebert:
OK. Well, just so you know, I'm seeing a trend where there is no password. A code is sent each time you log in. So it is a password per login rather than having a password that can be stolen and used. You might want to figure that into a future update.
Delfs:
That sounds more like 2-factor auth, which is different.
But if you are referring to a single-factor auth where you generate a token and that token is used to log in, that is only popular in use cases where the user is not in the application often.
There is currently OAuth, where you can do this already in BF, so no need to build it in as we have.
The workflow really depends on the usage of the app, the ability for the user to forget or screw things up, etc.
Perhaps you can look at using OAuth and then have any combo of auth you want.
Delfs:
You can probably start here: https://auth0.com/resources/whitepapers/passwordless-authentication
Brian Hebert:
It's single auth. No sustaining password is typed in. The code sent is the password. I've seen this in systems I had to use.
Delfs:
Yes, but probably infrequent use, so as noted above it depends on your use case.
Delfs:
And more on implementation: https://auth0.com/docs/authenticate/login/auth0-universal-login/passwordless-login
Brian Hebert:
Well, we have temporary employees that need to enter their time for a week and might not need access for a while, at which time they have forgotten their password and have to reset it. I'm not going to sit here and argue policy with you; I'm just trying to find out how I can accomplish the task.
Delfs:
Brian, I am not arguing; until now I have given you the factors to consider as well as several avenues to move forward.
Delfs:
This FL also goes over OAuth:
https://youtu.be/n_gv-fCIPvE?t=3237
@Brian Hebert