Sign-in methods
NamoID's hosted login renders the sign-in methods you enable for the selected environment. First-party methods are toggled from the environment's Authentication tab, and external identity providers are enabled from the environment's Identity providers page. Every method ends in the same place: a standard OIDC authorization code your app exchanges for tokens.
Available methods
| Method | What the user does | Notes |
|---|---|---|
| Email OTP | Enters email, receives a one-time code | Codes are server-generated, single-use, and expire in 5 minutes |
| Password | Email + password | Strength-checked on set; bcrypt-hashed; reset via email |
| Passkey | Touch ID / Face ID / security key | Phishing-resistant WebAuthn; see Passkeys |
| External provider | "Continue with Google / GitHub / …" | Federates to the external IdP you configured, then issues a NamoID token |
When more than one method is enabled, the hosted login presents a compact method chooser. Passkey and external-provider options render as additional buttons when configured.
Choosing methods
- Lowest-friction consumer apps: email OTP, optionally with passkeys offered after first sign-in for fast returning logins.
- Apps users expect a password for: enable password, and strongly consider layering MFA on top.
- Security-sensitive apps: prefer passkeys (inherently two-factor) or require MFA enrollment.
One-time codes
Email OTP uses a server-generated numeric code with a short TTL (5 minutes) and a limited number of verification attempts. Attempt counters are tracked so a brute-force guess on a code is rate-limited and locked out. Code sends are themselves rate-limited per target and per IP to defend against OTP-flood abuse. See Rate limits.
Multi-factor
Password and OTP sign-ins can require a second factor. NamoID supports TOTP authenticator apps and one-time backup codes. A passkey satisfies both factors in a single ceremony. See Multi-factor authentication.
Account recovery
- Forgot password triggers an emailed reset link that lets the user set a new password; the old sessions can be revoked.
- Lost MFA device is recovered with a backup code; see MFA.
Sign-up controls
Whether new users can self-register is governed by the environment's access mode: closed, open, allowlist, or domain allowlist. The waitlist toggle can override those modes and queue new sign-up attempts for manual approval. These controls are set per environment alongside the sign-in methods.