How Passwordless Sign-In Works — One Code Covers Login + WhatsApp Verification

WALLAWHATS uses one 6-digit code for both sign-in and WhatsApp verification. Here is the flow, why it is secure, and how it compares to password auth.

Nacho Collby Updated: 10 min read
WALLAWHATS uses one 6-digit code for both sign-in and WhatsApp verification. Here is the flow, why it is secure, and how it compares to password auth.

Every password you’ve ever created is a small liability sitting in a database somewhere — yours or someone else’s. Reused passwords, weak passwords, phished passwords: most account takeovers still start with a credential, not a zero-day. WALLAWHATS sidesteps the whole category by not having passwords in the first place. Sign-in and WhatsApp verification are handled by the same mechanism: a single 6-digit code sent to a destination you control.

That’s not just a UX shortcut. It means the moment you create an account, you’ve also proven you own the phone number or inbox that alerts about X (Twitter) posts will land in seconds later.

Sign-in screen with email entry for the passwordless OTP flow

What “passwordless” actually means here

Passwordless authentication isn’t a new idea — banks have used SMS codes for years, and most password managers now nudge you toward magic links. What’s different about WALLAWHATS’s implementation is that the same one-time code that lets you into your account also verifies the destination that will receive your alerts. There’s no separate “confirm your phone number” step buried in settings after signup. Ownership and delivery-readiness are established in a single motion.

Concretely:

  1. You enter an email address or a WhatsApp number on the sign-in screen.
  2. WALLAWHATS generates a 6-digit numeric code and sends it to that destination.
  3. You type the code back into the app within a short expiry window.
  4. On success, you’re logged in — and if the destination was a phone number, it’s now a verified channel ready to receive alerts.

No password to choose, remember, rotate, or leak. No “forgot password” flow, because there was never a password to forget.

The mechanics: Cognito Custom Auth, not a bolt-on OTP library

Under the hood, this runs on AWS Cognito’s Custom Authentication flow — not a third-party OTP add-on layered on top of a traditional username/password pool. Three Lambda triggers cooperate to make this work:

  • PreSignUp auto-confirms new users the first time they attempt to sign in with a destination that hasn’t been seen before. There’s no separate “create account” form; signing in with a new email or number is account creation.
  • CreateAuthChallenge generates the 6-digit code, persists it server-side with a short TTL, and dispatches it to the destination — via WhatsApp if you entered a phone number, via email otherwise.
  • VerifyAuthChallengeResponse checks the code you typed against what was issued, rejecting expired or mismatched attempts and rate-limiting retries.

Because this all runs inside Cognito’s managed auth state machine, the standard guarantees apply: tokens are short-lived, refresh flows are handled by the same infrastructure securing the rest of the platform, and there’s no custom session-token code to audit for the usual bugs (predictable IDs, insufficient entropy, missing expiry checks) that plague homegrown “just email them a code” implementations.

Why the same code covers two jobs

Most services treat “prove who you are” and “prove you can receive messages here” as two separate steps — sign up with a password, then separately verify your phone number for notifications. WALLAWHATS collapses them because, for an alerts product, they’re the same question asked twice.

If WALLAWHATS is going to deliver a WhatsApp message to a number, it needs to know two things: that the number is real and reachable, and that the person signing in actually controls it. A 6-digit code sent to that exact number and typed back correctly answers both at once. There’s no scenario where you’re “logged in” but your WhatsApp destination is unverified, because the login was the verification.

The same logic applies to email. Sign in with an email address, receive a code there, type it back — you’re now logged in, and that inbox is a confirmed destination for email alerts (which, on every plan, include a rendered snapshot of each tweet alongside the text).

Why this is more secure than it feels

Passwordless auth sounds like it should be less secure — no password, no vault. In practice it closes off several of the most common ways real accounts get compromised:

  • No credential stuffing. There’s no reused password from a breached site for an attacker to try against your WALLAWHATS login, because there’s no password to steal in the first place.
  • No password-reset attack surface. A huge share of account takeovers happen through the “forgot password” flow — an attacker who controls your inbox resets your password everywhere. Removing passwords removes that flow entirely.
  • Possession-based, not memory-based. The code proves you have access to the phone or inbox right now, not that you memorized (or wrote down, or reused) a secret months ago.
  • Short-lived and single-use. Codes expire quickly and are invalidated after one successful use, unlike a password that stays valid until you manually change it.

The trade-off is that WhatsApp or email delivery becomes part of your login critical path — if you lose access to both, account recovery follows the same verified-destination model rather than a “security questions” fallback that’s historically been the weakest link in password-based systems.

How this compares to traditional password + separate OTP verification

A conventional flow looks like: choose a password, confirm your email via a separate link, then later go into settings and verify a phone number for SMS or push notifications. That’s three separate proof points, three separate places for something to go stale — an unverified phone number sitting in the account for weeks, a password that’s identical to the one used on four other services, an email confirmation link that expired before anyone clicked it.

WALLAWHATS reduces that to one proof point per destination. Add a WhatsApp number, and the code you receive to verify it is the same code that logs you in on that device going forward. There’s no unverified state to leave dangling, because the account and the destination reach “verified” together.

This also means switching or adding a destination is just… signing in with a new one. Want to add a second verified number under a Business or Enterprise plan? Enter it, receive the code, confirm it. No separate “add phone number” form buried three menus deep.

Setting it up: what you’ll actually see

On wallawhats.com/signup, you’re asked for one thing: an email address or a WhatsApp number. That’s the whole form.

  • Enter a WhatsApp number, and the code arrives as a WhatsApp message within seconds — the same channel that will later carry your X alerts.
  • Enter an email, and the code lands in your inbox — useful if you want to log in from a shared or work device without touching your personal WhatsApp, or if you’re setting up email as your alert channel.

Either way, you get a screen asking for the 6-digit code, type it in, and you’re on the dashboard. From there you can add a second channel (say, a WhatsApp number after signing up with email, or vice versa) at any time from the Channels page — each new destination goes through the same one-time-code verification before it can receive alerts. If you’re unsure which type of WhatsApp number to use for this, our Business vs Personal number guide breaks down the trade-offs.

There is no account setting where a phone number sits “added but unverified.” Every destination either completed its own code challenge, or it isn’t attached to your account.

A note on what this is not

To be precise about the security model: this is one-time-code authentication over channels you already trust (WhatsApp, email), not multi-factor authentication in the traditional sense of “password plus a second factor.” There’s a meaningful difference. Traditional MFA adds a second independent proof on top of a password. WALLAWHATS’s model replaces the password with possession of a communication channel — which is a different risk trade-off, not a strictly stronger one in every dimension. It’s the right trade-off for a notification service, where the whole point is that you already need a verified destination to use the product at all; reusing that verification step for login removes friction without removing a meaningful security layer, since there was no password-based layer to begin with.

If you’re choosing between channels for both login and alerts, our email vs WhatsApp comparison covers delivery speed and read-rate trade-offs that apply to sign-in codes too — a WhatsApp code you’ll notice within seconds; an email code competes with your inbox.

Why this matters for an alerts product specifically

For a product whose entire job is “reliably deliver a message to a destination you chose,” the identity and the destination can’t drift apart. If sign-in and channel verification were separate systems, you could end up logged into an account whose WhatsApp number was added years ago, possibly reassigned to someone else by the carrier since, and never re-confirmed. Tying login to a fresh code sent to the destination itself means that risk doesn’t exist by construction — you can’t be logged in via a channel that isn’t currently reachable, because reachability is what got you logged in.

It also means account recovery doesn’t require a support ticket in the common case. Lost your phone? Sign in with your email instead — same flow, same one-time code, and your WhatsApp destination (once you re-verify it on a new device) resumes exactly where it left off.

What happens when a code doesn’t arrive

Any system that hands off delivery to a third-party network — a carrier, WhatsApp’s own infrastructure, an email provider — has to account for the code not showing up instantly. A few practical notes on how this is handled:

  • Expiry is short, and that’s intentional. A code that’s valid for hours is a bigger target than one that’s valid for minutes. If yours expires before you enter it, requesting a new one invalidates the old code immediately.
  • Resend, don’t retype. If a WhatsApp message is delayed by a few seconds (normal during peak send times) or an email lands in a spam folder, the sign-in screen offers a resend action rather than asking you to wait indefinitely for the first attempt.
  • Rate limiting protects both sides. Repeated code requests to the same destination are throttled. This isn’t just an anti-abuse measure for WALLAWHATS — it also keeps a single account from accidentally hammering WhatsApp’s or an email provider’s delivery systems if something upstream is retried aggressively.
  • Switch channels if one is unreachable. If your phone has no signal but you’re at your laptop, sign in with email instead — it’s a completely independent path to the same account, not a fallback that depends on the WhatsApp attempt failing first.

None of this is unique to WALLAWHATS; it’s the same operational reality any OTP-based system has to design around. The difference is that because the code is also your channel verification, a successful sign-in tells you your alert destination is currently live — which a password never could.

Frequently asked questions

Can I use both WhatsApp and email to sign in? Yes. Each is verified independently the first time you use it, and either one gets you into the same account afterward.

Does a new code invalidate my WhatsApp channel if I don’t finish signing in? No. An unfinished or expired sign-in attempt doesn’t affect an already-verified channel — it only matters for verifying a new destination for the first time.

What if I want to change my phone number later? Add the new number as a channel from the Channels page; it goes through its own one-time code before it can receive alerts. Your old number stays intact until you remove it.

Is this the same as SMS-based two-factor authentication? Not quite. Traditional SMS 2FA is a second factor layered on top of a password. Here, the code is the entire authentication mechanism — there’s no password underneath it to add a second factor to.

Getting started

Passwordless sign-in isn’t a separate feature to configure — it’s simply how logging into WALLAWHATS works, on every plan from Free upward. If you haven’t set up alerts yet, the walkthrough in our getting-started guide covers the full path from first sign-in to your first WhatsApp alert.

Never miss an important post again. Create a free account — 1 WhatsApp number, real-time alerts, no credit card required.

Nacho Coll

About the author

Founder & Engineer at WallaWhats

Nacho founded WallaWhats so you get the alerts that matter without depending on X's algorithm to surface them — pick the accounts you care about and get a WhatsApp for every post the moment it goes live, in order, nothing throttled or buried. Writes about real-time notification systems, social-signal monitoring, and serverless delivery pipelines from the operator side of the wire.

Back to Blog

Related Posts

View All Posts »