View Categories

Choosing the right passwordless mode for your site

7 min read

Applies to: Pro
Location: VentraConnect → Passwordless Mode

VentraConnect lets you decide how aggressively you phase out passwords on your site.

Instead of only adding new login buttons, Passwordless Mode controls:

  • Whether users can still log in with a password on supported forms.

  • Where passwordless options (Social Login, Magic Link, Email OTP) are shown.

  • What “safety nets” are in place so you don’t lock yourself out as an admin.

There are three modes:

  1. Off – Passwordless is optional, passwords still work everywhere.

  2. Recommended – Passwordless is preferred; normal users are blocked from using passwords, but admins keep a safe password path.

  3. Strict – Passwordless only on supported forms; passwords are fully blocked for normal users.

This article explains what each mode does and when to use it.

1. Requirements

Before changing Passwordless Mode:

  • VentraConnect Pro is installed and active.

  • You’ve already enabled at least one passwordless method:

    • Social Login (Free/Pro), and/or

    • Magic Link (Pro), and/or

    • Email OTP (Pro).

  • You’re comfortable logging into the site via at least one of those methods.

You can find the setting under:

VentraConnect → Passwordless Mode

2. How Passwordless Mode works

Passwordless Mode affects supported login / registration / checkout forms, including:

  • WordPress core login and registration (wp-login.php, wp-register.php where enabled).

  • WooCommerce login, registration, and checkout (if Woo integration is turned on).

  • Membership & community plugin logins (MemberPress, Paid Memberships Pro, Ultimate Member, BuddyPress/BuddyBoss) when enabled.

  • LMS logins (LearnDash, LearnPress, LifterLMS) when enabled.

  • Comments login (if you’ve enabled Social, Magic Link, or OTP on comments).

For each of these areas, VentraConnect decides:

  • Should the username + password fields still be visible?

  • Should password logins be accepted or blocked on the server?

  • Which passwordless buttons should be shown?

You always keep a safe admin fallback path via wp-login.php, even in Strict mode – see the “Safety nets” section below.

3. Mode 1 – Off (passwordless is optional)

Summary: Passwordless is available, but passwords still work as normal.

In Off mode:

  • Forms:

    • Standard username/email + password fields remain visible on all supported forms.

    • Social Login / Magic Link / Email OTP buttons appear wherever you’ve enabled them.

  • Behaviour:

    • Password logins are not blocked.

    • Users can log in with either a traditional password or any available passwordless method.

  • Admins:

    • Site admins and super admin still log in normally with username + password on wp-login.php (or via passwordless if they prefer).

Best for:

  • First-time setups and initial testing.

  • Sites where you just want to offer alternatives (e.g. “Continue with Google”) without changing existing behaviour.

  • Teams that want to trial Magic Link / OTP before enforcing anything.

4. Mode 2 – Recommended (passwordless preferred, still safe for admins)

Summary: Best balance of security and “don’t lock myself out”.

In Recommended mode:

  • Forms:

    • On supported forms, users see both:

      • Username/email + password fields, and

      • Passwordless buttons (Social, Magic Link, OTP) where enabled.

  • Behaviour for normal users:

    • When a normal user submits a password login on a supported form:

      • The login is blocked at the server level.

      • The user sees a clear message like:

        “Password login is disabled on this form. Please log in with Social Login, Magic Link, or Email OTP.”

    • Passwordless logins continue to work normally.

  • Behaviour for admins:

    • Site admins / super admin can still log in with username + password on wp-login.php.

    • This gives you a guaranteed way back in, even if passwordless configuration is broken somewhere else.

What this actually achieves:

  • Users are gently forced to use passwordless on front-end / user-facing forms.

  • You still have a private password path for admin access.

  • You reduce the number of real passwords your users type, without risking a total lockout.

Best for:

  • Most production sites that want stronger security without drama.

  • Stores, memberships, and LMS setups where your team can support passwordless if something goes wrong, but still wants a backdoor.

5. Mode 3 – Strict (passwordless only, with emergency access)

Summary: Maximum enforcement: users have no password path on supported forms.

In Strict mode:

  • Forms:

    • On supported login/registration/checkout forms:

      • Traditional username/password fields are hidden for normal users.

      • Only passwordless options (Social, Magic Link, OTP) are displayed.

  • Behaviour for normal users:

    • Password-based logins are fully blocked on supported forms.

    • There is no working password path for normal users; they must use passwordless methods.

  • Behaviour for admins:

    • You still retain an internal “break glass” emergency path:

      • Admins can log in via wp-login.php using a password, or

      • Use a dedicated “Emergency access for site owners” flow (if enabled).

    • This is designed purely for recovery / misconfiguration cases.

What this actually achieves:

  • On all supported forms, passwords are effectively phased out for users.

  • Every login uses Social Login, Magic Link, or Email OTP.

  • Attack surface from password reuse, weak passwords, and credential stuffing is greatly reduced.

Best for:

  • High-risk sites (sensitive data, high-value accounts).

  • Teams who are fully comfortable with passwordless flows and have tested them thoroughly.

  • Deployments where compliance/security strictly discourages password-based logins.

6. Readiness & safety nets

VentraConnect includes a built-in readiness check and safety nets so you don’t accidentally lock yourself or users out.

Readiness panel

In VentraConnect → Passwordless Mode, you’ll see:

  • A Passwordless readiness panel that shows:

    • Which methods are enabled (Social, Magic Link, OTP).

    • Which login areas (WordPress, WooCommerce, membership, LMS, comments) are ready for stricter modes.

  • If some areas are not ready (e.g. no methods active on WooCommerce yet), the panel warns you before switching to Recommended or Strict.

Per-form control

Passwordless Mode only affects:

  • Supported forms where VentraConnect has been explicitly enabled (WordPress, Woo, membership, LMS, comments).

You can choose, for each integration:

  • Whether passwordless buttons appear on:

    • Login forms

    • Registration / signup forms

    • Checkout / enrollment forms

  • This means you can be strict on shopping/learning areas, but looser elsewhere if needed.

Emergency access for site owners

Even in Strict mode, you keep:

  • A guaranteed admin login path via wp-login.php, and/or

  • A dedicated “Emergency access for site owners” flow from the Passwordless Mode screen.

Use these if:

  • You misconfigure an integration and lock out passwordless on a certain form.

  • Your mail delivery temporarily fails and Magic Link / OTP emails stop arriving.

7. Which mode should I use?

Here’s the short version.

Start with: Off

Use Off when:

  • You’ve just installed VentraConnect Pro.

  • You’re still configuring providers, Magic Link templates, or OTP behaviour.

  • You’re not ready to field support requests about passwordless yet.

Goal: Prove everything works, gather feedback, and build trust.

Move to: Recommended

Switch to Recommended when:

  • You’ve tested Social, Magic Link, and/or OTP on:

    • WordPress login

    • WooCommerce login/checkout (if used)

    • Membership / LMS logins (if used)

  • You’re comfortable that these flows are stable for real users.

  • You want to actually reduce password usage, not just offer alternatives.

Goal: Normal users stop using passwords on front-end forms; admins keep a safe password path.

Consider: Strict

Only move to Strict when:

  • You’ve been running in Recommended mode without issues.

  • You’ve verified:

    • At least one passwordless method is available on every important login surface.

    • Your team knows how to help users who lose access to their email/social account.

  • You’re OK with passwordless being the only login method for users on supported forms.

Goal: Treat passwords as a last-resort recovery tool, not a primary login path.

8. Troubleshooting

“Users say they can’t log in with their password anymore.”

Check:

  1. Passwordless Mode – if set to Recommended or Strict, this is expected behaviour.

  2. Confirm that at least one passwordless method is visible on the form they’re using.

  3. If you want to allow passwords again, temporarily switch back to Off.

“Admins are worried about getting locked out.”

Reassure them:

  • In both Recommended and Strict:

    • Admins can still log in via wp-login.php with username + password.

  • You can always:

    • Switch Passwordless Mode back to Off from the admin dashboard, or

    • Use the emergency access flow documented in the Passwordless Mode screen.

Updated on January 25, 2026

What are your Feelings

  • Happy
  • Normal
  • Sad

Powered by BetterDocs

Leave a Reply

Your email address will not be published. Required fields are marked *

Let’s Review Your Site