We’re pleased to announce FusionAuth 1.59.0, “The Identity Ibex.” This release delivers one of our most-requested features: phone numbers as a first-class identity type, along with passwordless SMS authentication.
The Problem We’re Solving
Not every one of your potential users has an email address readily available, and many people prefer the convenience of phone-based authentication.
Maybe you’re building apps for global markets where phone numbers are more accessible than email, developing consumer applications where users expect SMS-based flows, or creating services for populations that primarily use mobile devices. In each of these cases, not supporting phone numbers as an identifier can be a barrier to user adoption.
Phone-First Authentication
Version 1.59.0 introduces phone numbers as a first-class identity type, enabling new authentication flows that let you put mobile users first.
What You Can Now Do
Phone-Only User Registration
- Users can register using only their phone number with no email required
- Useful for global applications, mobile-first experiences, and markets where phone adoption exceeds email usage
- Streamlines onboarding for users who don’t have or don’t want to provide email addresses
SMS Passwordless Authentication
- Send secure, one-time codes via SMS to log a user in
- Users authenticate with just their phone number and an SMS code
- Reduces password fatigue while lowering login friction
Flexible Identity Management
- Users can have phone numbers as their sole identifier
- Mix and match email and phone authentication
- One user accessing your application can use SMS login, while another can use the more traditional email login
- Support for users who want both email and phone options
How It Works
Phone authentication in FusionAuth follows the same security principles as our email workflows:
- Registration: Users provide their phone number during registration
- Verification: FusionAuth sends an SMS with a verification code
- Authentication: Users can log in using passwordless SMS flows
- Recovery: Account recovery can happen via SMS instead of email
All existing FusionAuth features (MFA, user management, advanced threat detection) work with phone-based identities.
API Integration
Phone authentication is fully supported through our APIs, so you can integrate it into your existing workflows and automation. Check out our updated API documentation for detailed implementation guides.
Additional Improvements in 1.59.0
Beyond the phone authentication features, this release includes security improvements and quality-of-life updates:
Security Enhancements
- Cross-Site Scripting Protection: Additional safeguards against XSS attacks
- Injection Attack Prevention: Protections against malicious injection attempts
- Generic Messenger Error Handling: Better user feedback when message delivery fails
User Experience Improvements
- Optional Passwords: Users can now exist without passwords, supporting passwordless-only and federated-only authentication
- JWT Flexibility: The value of the exp claim can now be decreased (but not increased) in JWT Populate lambdas, allowing for more complicated token expiration rules
- Longer Password Hash Support: Increased password hash limit from 255 to 2048 characters for easier imports
Developer Experience
- Error Handling: More descriptive error messages for invalid API inputs
- Event Logging: Failed message delivery now generates event logs for troubleshooting
- Scope Availability: The scope claim is now available in JWT Populate lambdas
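The JWT Flexibility and Scope Availability items above can be combined to issue shorter-lived tokens for sensitive scopes. The following is an added example, not code from FusionAuth or its documentation. It assumes that jwt.exp is a NumericDate in seconds and that jwt.scope is a space-delimited string; the scope names, the SCOPE_MAX_TTL policy and the cappedExp helper are hypothetical.

```javascript
// Added example of a JWT Populate lambda that only ever shortens token lifetime.
// Assumptions (not confirmed by the page): jwt.exp is seconds since the epoch
// (RFC 7519 NumericDate) and jwt.scope is a space-delimited string when present.

// Hypothetical policy: maximum lifetime, in seconds, for a token carrying a scope.
var SCOPE_MAX_TTL = {
  'payments:write': 300,
  'admin': 600
};

// Returns the exp to use. The result is never later than currentExp, so the
// lambda stays inside the "decrease only" rule described in the release notes.
function cappedExp(currentExp, nowSeconds, scope) {
  var scopes = typeof scope === 'string' ? scope.split(' ').filter(Boolean) : [];
  var exp = currentExp;
  scopes.forEach(function (s) {
    // Own-property check so a scope named like an Object.prototype member
    // (for example "constructor") cannot match the policy table.
    if (Object.prototype.hasOwnProperty.call(SCOPE_MAX_TTL, s)) {
      exp = Math.min(exp, nowSeconds + SCOPE_MAX_TTL[s]);
    }
  });
  return exp;
}

// Lambda entry point, using the populate(jwt, user, registration) signature.
function populate(jwt, user, registration) {
  if (typeof jwt.exp !== 'number') {
    return; // leave the token untouched if exp is missing or not numeric
  }
  var now = Math.floor(Date.now() / 1000);
  jwt.exp = cappedExp(jwt.exp, now, jwt.scope);
}
```

When several capped scopes are present, the shortest cap wins; tokens with no capped scope keep the expiration the tenant or application configuration assigned.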
Technical Notes
This release includes significant architectural changes to support phone numbers as first-class identity types. The database schema includes substantial changes to accommodate phone-based workflows while maintaining backward compatibility with existing email-based systems.
Database Migration Notes:
- Large installations may experience several minutes of downtime during migration
- For Kubernetes deployments, configure startup probes to accommodate migration time
Theme Updates Required: If you’re using custom themes, you’ll need to update them to support users without passwords. The changes enable proper rendering of authentication flows for passwordless-only users.
What’s Next
Phone-first authentication provides a foundation for mobile-first identity management. This sets the stage for future enhancements like regional SMS provider optimizations, advanced phone number validation, and additional phone-based authentication options.
Get Started Today
Whether you’re launching a new application or enhancing an existing one, phone authentication can help you reach more users and reduce authentication friction.
Ready to implement phone authentication? Download FusionAuth 1.59.0 and explore phone-based authentication flows.
For complete technical details and migration notes, check out the full release notes.
Thanks for using FusionAuth! Have questions about implementing phone authentication? Our community forum and documentation are great places to get started.