devenjahnke

Password + Passwordless Login in One Application

So I am building an application for a client who manages events that are staffed by volunteers from local non-profit organizations. There are four user roles (volunteer, organization manager, stand manager, and administrator) in the system of which one user can belong to many. I am using the spatie/laravel-permission package to manage these.

The challenge that I'm facing is that I would like to require a different method of authentication based on the user's role. More specifically:

  • I would like to authenticate users with the "volunteer" role attempting to access volunteer-related content via a password-less email link using the grosv/laravel-passwordless-login package.

  • Whereas, I would like to authenticate users with the "organization manager", "stand manager", and "administrator" roles attempting to access their role's respective content via email and password using the Laravel Fortify package.

The reasoning behind this request from the client is to reduce the friction of the volunteer registration process, as their current system requires users to create an account to register, resulting in reduced registration completion rates and issues with returning volunteers forgetting their passwords and having to go through the trouble of resetting it.

While I have contemplated creating a dedicated Volunteer model separate from the User model, I feel this would only be pushing the issue to another part of the application rather than truly resolving it.

My current thoughts are as follows:

  • As the majority of users will be volunteers who do not require a password, extract the password column to its own table to avoid making the password column nullable.

  • When a user with a role that requires a password attempts to access content for their respective role, authenticate them (via a guard or middleware?) and require them to set a password if one does not already exist for their user account.

I'm lost, however, as to how I should manage the authentication state for the different authentication methods. For example, if a user has been accessing volunteer-specific content that has only required them to authenticate via the password-less method and then attempts to access, say, administrator content that requires a password, how do I differentiate between the two "levels" of authentication?

All help that can be offered is greatly appreciated. Thanks!

Snapey

You might take some ideas from here:

https://talltips.novate.co.uk/laravel/passwordless-login

That's part of a similar function I did elsewhere where I had a mix.

In the users table I added a flag for passwordless login (a simple boolean).

Users that are added as passwordless are created with this flag set and a totally random password so that it's still there but not used.

On the login page I hide the password field until the user enters their email address, and then Livewire looks up the user and, if they are passwordless, it shows them the login button; else it shows the password field. Livewire is not used to actually log the user in.

In the controller, again check the email, and if the user that has the email address matching the input has the passwordless flag set, then fire off the email; otherwise check username and password as normal.
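The following is an added example, not code from either post: it sketches the controller branch described in the reply and one way to tell the two "levels" of authentication apart, by recording in the session that a password was checked and enforcing that with a middleware on the manager and administrator routes. The namespace, class names, the `passwordless` column, the `auth.method` session key and the `login` route name are assumptions.

```php
<?php
// Added example; the names below are illustrative assumptions, not from the thread.
namespace App\Http\Auth;

use App\Models\User;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LoginController
{
    public function store(Request $request)
    {
        $data = $request->validate([
            'email'    => 'required|email',
            'password' => 'nullable|string',
        ]);
        $user = User::where('email', $data['email'])->first();

        // Passwordless users never reach the password check.
        if ($user && $user->passwordless) {
            // Send the login link here (e.g. with grosv/laravel-passwordless-login).
            return back()->with('status', 'Check your email for a login link.');
        }

        if (Auth::attempt(['email' => $data['email'], 'password' => $data['password'] ?? ''])) {
            $request->session()->regenerate();                   // prevent session fixation
            $request->session()->put('auth.method', 'password'); // mark the stronger level
            return redirect()->intended('/');
        }

        return back()->withErrors(['email' => __('auth.failed')]);
    }
}

// Attach to organization manager, stand manager and administrator routes.
class RequirePasswordLogin
{
    public function handle(Request $request, Closure $next)
    {
        // A session created by an email link has no 'auth.method' marker,
        // so it is treated as the lower level and sent to the password form.
        if ($request->session()->get('auth.method') !== 'password') {
            return redirect()->guest(route('login'));
        }
        return $next($request);
    }
}
```

Because the marker is only written after a successful password check, a session that started from an email link cannot reach the protected routes until the user also signs in with a password.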
