My passwordless authentication approach


I implemented passwordless authentication with a good UX in mind, but I am not a security expert, so I am asking for your advice.

This is the authentication flow:

  1. The user types in an email address
  2. The client sends the email to the API
  3. The API creates the user if it does not exist
  4. The API generates a short-lived JWT with a UUID and stores the user ID and session ID as claims
  5. The token ID and session ID are saved to the DB with a confirmed flag
  6. The API sends this token to the email address
  7. The user clicks the link on any device of choice
  8. If the token is valid and the claims match the data in the DB, the confirmed flag is set to true and a last_login field is set to the token's iat (not really sure if I need that ^^)
  9. Meanwhile, the client where the user logged in polls for confirmation and updates the session if the login was confirmed
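The flow above, steps 2 to 9, laid out end to end as an added example (this is not the question's own code). It assumes an HS256-signed JWT built inline with hmac/base64 so that it runs without PyJWT, in-memory dicts standing in for the user and session tables, and that the emailed link carries the token exactly as `request_login` returns it. The UUID from step 4 is stored as a hash (a DB dump then does not yield usable links), `confirm_login` re-checks signature, expiry and every claim against the stored session, and a session that is already confirmed refuses the token again, so each link works once. The `now` parameter is passed explicitly only so the example is deterministic.

```python
import base64
import hashlib
import hmac
import json
import secrets
import uuid
from typing import Optional, Tuple

# Assumption: a server-side HMAC key for HS256. In production this is loaded from a secret store.
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60  # seconds; magic links should be short-lived

USERS = {}     # email -> user_id        (stand-in for the users table)
SESSIONS = {}  # session_id -> row       (stand-in for the sessions table)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never trust the token's own alg (rejects alg=none and key confusion)
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed base64 / JSON (binascii.Error is a ValueError)
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def request_login(email: str, now: float) -> Tuple[str, str]:
    """Steps 2-6: create the user if needed, mint the JWT, store the session, return (session_id, token)."""
    user_id = USERS.setdefault(email, f"user-{len(USERS) + 1}")
    session_id = secrets.token_urlsafe(16)
    jti = str(uuid.uuid4())  # the UUID from step 4
    claims = {"sub": user_id, "sid": session_id, "jti": jti,
              "iat": int(now), "exp": int(now) + TOKEN_TTL}
    SESSIONS[session_id] = {
        "user_id": user_id,
        "jti_hash": hashlib.sha256(jti.encode()).hexdigest(),  # store a hash, not the usable id
        "confirmed": False,
        "last_login": None,
    }
    # Real deployment: embed `token` in the emailed link. It is returned here so the example runs offline.
    return session_id, sign_jwt(claims)


def confirm_login(token: str, now: float) -> bool:
    """Steps 7-8: called when the emailed link is opened on any device."""
    claims = verify_jwt(token, now)
    if claims is None:
        return False
    session = SESSIONS.get(claims.get("sid"))
    if session is None or session["confirmed"]:
        return False  # unknown session, or link already used: single-use
    if session["user_id"] != claims.get("sub"):
        return False
    presented = hashlib.sha256(claims.get("jti", "").encode()).hexdigest()
    if not hmac.compare_digest(session["jti_hash"], presented):
        return False
    session["confirmed"] = True
    session["last_login"] = claims["iat"]
    return True


def poll(session_id: str) -> Optional[str]:
    """Step 9: the originating client polls; returns the user_id once the session is confirmed."""
    session = SESSIONS.get(session_id)
    if session is not None and session["confirmed"]:
        return session["user_id"]
    return None


if __name__ == "__main__":
    sid, tok = request_login("alice@example.com", now=1_000_000)
    print("before click:", poll(sid))            # None
    print("confirm:", confirm_login(tok, now=1_000_060))
    print("after click:", poll(sid))             # user-1
    print("replay:", confirm_login(tok, now=1_000_120))  # False, link already used
```

Note that `session_id` is what the polling client holds and later uses as its logged-in credential, so it must be as unguessable as the token itself (`secrets.token_urlsafe` here) and only ever returned to the client that started the login.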