NamoID Docs

Sign-in methods

NamoID's hosted login renders the sign-in methods you enable for the selected environment. First-party methods are toggled from the environment's Authentication tab, and external identity providers are enabled from the environment's Identity providers page. Every method ends in the same place: a standard OIDC authorization code your app exchanges for tokens.

Available methods

MethodWhat the user doesNotes
Email OTPEnters email, receives a one-time codeCodes are server-generated, single-use, and expire in 5 minutes
PasswordEmail + passwordStrength-checked on set; bcrypt-hashed; reset via email
PasskeyTouch ID / Face ID / security keyPhishing-resistant WebAuthn; see Passkeys
External provider"Continue with Google / GitHub / …"Federates to the external IdP you configured, then issues a NamoID token

When more than one method is enabled, the hosted login presents a compact method chooser. Passkey and external-provider options render as additional buttons when configured.

Choosing methods

  • Lowest-friction consumer apps: email OTP, optionally with passkeys offered after first sign-in for fast returning logins.
  • Apps users expect a password for: enable password, and strongly consider layering MFA on top.
  • Security-sensitive apps: prefer passkeys (inherently two-factor) or require MFA enrollment.

One-time codes

Email OTP uses a server-generated numeric code with a short TTL (5 minutes) and a limited number of verification attempts. Attempt counters are tracked so a brute-force guess on a code is rate-limited and locked out. Code sends are themselves rate-limited per target and per IP to defend against OTP-flood abuse. See Rate limits.

Multi-factor

Password and OTP sign-ins can require a second factor. NamoID supports TOTP authenticator apps and one-time backup codes. A passkey satisfies both factors in a single ceremony. See Multi-factor authentication.

Account recovery

  • Forgot password triggers an emailed reset link that lets the user set a new password; the old sessions can be revoked.
  • Lost MFA device is recovered with a backup code; see MFA.

Sign-up controls

Whether new users can self-register is governed by the environment's access mode: closed, open, allowlist, or domain allowlist. The waitlist toggle can override those modes and queue new sign-up attempts for manual approval. These controls are set per environment alongside the sign-in methods.