# Authentication & authorization overview

Build frictionless and secure authentication experiences for your users across all their devices and channels.

- Use **journeys** to create identity experiences with an easy-to-use graphical interface and the Mosaic SDK.
- Use an **OIDC-based approach** to authentication if you're interested in the classic OIDC integrations initiated from the browser, such as Mosaic's hosted login experience.
- Use a **backend-initiated approach** to implement integrations that leverage the [Backend Authentication APIs](/openapi/user/backend-one-time-login.openapi).


## Biometric authentication

Based on the [FIDO2 WebAuthn](https://fidoalliance.org/fido2-2/fido2-web-authentication-webauthn/) standard, biometric login is secure, consistent, and convenient for your customers. Launch fast with a fully hosted experience, or use our APIs/SDKs with your custom UI.

On mobile devices, consider implementing authentication with device sensors, such as Face ID or fingerprint.

| Authentication method | OIDC-based | Backend-initiated | Journey-based |
|  --- | --- | --- | --- |
| Log in with passkeys (WebAuthn) | Not supported | [Guides](/guides/webauthn/key_concepts) | [Guide](/guides/orchestration/journeys/authenticate_passkeys) |
| Log in with mobile biometrics | Not supported | [Guides](/guides/user/be_auth_biometrics_android) | [Guide](/guides/orchestration/journeys/authenticate_mobile_biometrics) |
| Log in with facial biometrics | Not supported | Not supported | [Guide](/guides/user/auth_face) |


## One-time login

Log in users using a one-time code sent to their phone or email, or a magic link sent to their email. This passwordless option allows users to log in on a device that doesn't support WebAuthn biometrics, or on a device that doesn't belong to them.

| Authentication method | OIDC-based | Backend-initiated | Journey-based |
|  --- | --- | --- | --- |
| Email magic link | [Guide](/guides/user/auth_email_magic_link) | [Guide](/guides/user/be_auth_email_magic_link) | Not supported |
| Email OTP | [Guide](/guides/user/auth_email_otp) | [Guide](/guides/user/be_auth_email_otp) | [Guide](/guides/orchestration/journeys/authenticate_email_otp) |
| SMS OTP | [Guide](/guides/user/auth_sms_otp) | [Guide](/guides/user/be_auth_sms_otp) | [Guide](/guides/orchestration/journeys/authenticate_sms_otp) |


## Time-based passcodes

Log in users using time-based one-time passcodes (TOTP) generated by authenticator apps like Google Authenticator or Twilio Authy.

| Authentication method | OIDC-based | Backend-initiated | Journey-based |
|  --- | --- | --- | --- |
| Log in with TOTP | Not supported | [Guide](/guides/user/be_auth_totp) | [Guide](/guides/orchestration/journeys/authenticate_totp) |


## Push notifications

Log in users with push notifications sent to their trusted device.

| Authentication method | OIDC-based | Backend-initiated | Journey-based |
|  --- | --- | --- | --- |
| Log in with push notifications | Not supported | Not supported | [Guide](/guides/user/auth_web_to_mobile) |


## Social login

Social login allows customers to quickly authenticate with their existing social media accounts. Add this into your app to provide a fast and easy way for your customers to sign up, and minimize friction at checkout.

| Authentication method | OIDC-based | Backend-initiated | Journey-based |
|  --- | --- | --- | --- |
| Log in with Apple | [Guide](/guides/user/auth_apple) | [Guide](/guides/user/be_auth_apple) | Not supported |
| Log in with Google | [Guide](/guides/user/auth_google) | [Guide](/guides/user/be_auth_google) | Not supported |
| Log in with Facebook | [Guide](/guides/user/auth_facebook) | [Guide](/guides/user/be_auth_facebook) | Not supported |
| Log in with LINE | [Guide](/guides/user/auth_line) | Not supported | Not supported |
| Log in with TikTok | Not supported | [Guide](/guides/user/be_auth_tiktok) | Not supported |


## Password login

Password login allows you to authenticate users with a username and password, so you can smoothly migrate your customers from passwords to a passwordless solution.

| Authentication method | OIDC-based | Backend-initiated | Journey-based |
|  --- | --- | --- | --- |
| Log in with passwords | [Guide](/guides/user/auth_passwords) | [Guide](/guides/user/be_auth_passwords) | [Guide](/guides/orchestration/journeys/authenticate_password) |


## PIN code

Allow users to authenticate using a PIN they register within the app. This method leverages native device security and is supported through the Mobile SDK.

| Authentication method | OIDC-based | Backend-initiated | Journey-based |
|  --- | --- | --- | --- |
| Log in with PIN code | Not supported | TBD | [Guide](/guides/user/auth_pin) |