Get all the available features with up to 10,000 users for free until July 31, 2020. Standard SMS & WhatsApp rates apply.
Need more than 100,000 users? Contact our team for a custom pricing plan.
Overages per user per month
Passwordless Login using the FIDO protocol
OAuth 2.0 Tokens
SMS Verification *SMS Rates Apply
WhatsApp Verification *WhatsApp Rates Apply
To use Cotter, you need to register a user ID or your user's email or phone number. Each unique user ID, email, and phone number counts as 1 unique user. A user ID might also have a verified email. To avoid counting a user ID and its email as two users, associate the user's ID with their email and phone number when registering the user with Cotter.
Cotter follows the FIDO Protocol to enable Passwordless Login. Cotter's SDK generates a public/private key pair on the user's phone, stores the private key in the device's secure storage, and sends only the public key to Cotter's server.
To log in, Cotter's SDK signs a challenge with the private key and sends the signed challenge to Cotter. Cotter then verifies the signature with the user's registered public key.
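As an added illustration (not Cotter's SDK or server code), here is the challenge-response flow described above in Go, using P-256 ECDSA from the standard library: the device generates the key pair and signs the server's challenge, and the server verifies the signature with the registered public key and then discards the challenge so a captured signature cannot be replayed. The curve, hash, 32-byte challenge and in-memory key storage are assumptions; Cotter's actual wire format is not documented here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device side: the key pair is generated on the phone and the private key never leaves it
// (held in memory here; a real SDK would keep it in the device's secure storage).
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// SignChallenge is the login step on the device: sign the SHA-256 digest of the challenge.
func SignChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}
// Server side: registered public keys and at most one outstanding challenge per user.
type Server struct {
	keys    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}
func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}
// Register stores only the public key received at enrollment.
func (s *Server) Register(userID string, pub *ecdsa.PublicKey) { s.keys[userID] = pub }
// IssueChallenge hands the device 32 fresh random bytes to sign; nil for unknown users.
func (s *Server) IssueChallenge(userID string) []byte {
	if _, ok := s.keys[userID]; !ok {
		return nil
	}
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read never returns an error as of Go 1.24
	s.pending[userID] = c
	return c
}

// VerifyLogin checks sig over the outstanding challenge with the registered key, then
// discards the challenge so a captured signature cannot be replayed.
func (s *Server) VerifyLogin(userID string, sig []byte) bool {
	pub, ok := s.keys[userID]
	challenge, pendingOK := s.pending[userID]
	if !ok || !pendingOK {
		return false
	}
	delete(s.pending, userID) // single use, even if the signature turns out to be bad
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```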
If you have a website and an app:
When a user logs in to your website, Cotter shows a prompt asking the user to approve the login from their device. Cotter then sends a push notification to your app asking the user to "Approve" or "Deny" the login request. If approved, the user is logged in to your website.
If you only have a website:
Since there is no app to approve logins, you can use Cotter's Web SDK to authenticate users by sending a Magic Link or a One-Time Password to your user's email or phone number. The Web SDK automatically handles sending the code or link and verifying it; you only need to embed the form. (Soon you will be able to use WebAuthn to log users in with biometrics directly from the browser.)
Cotter doesn't rely on SMS to authenticate users because SMS OTP is susceptible to social engineering, such as scams and SIM jacking, which leads to account takeovers. On top of that, sending an SMS on every login request is expensive, and SMS delivery rates are always an issue and may block users from accessing their accounts.
Cotter relies on the user's device to authenticate users. This means that an attacker would need physical possession of the user's device and be able to unlock it in order to access the user's account.
Cotter provides several recovery methods that you can choose based on your required security level.
Option 1: Fallback to email or SMS OTP
If you enable this feature, your users can choose to authenticate with a verification code instead of approving logins from a trusted device. The user will then have the option to trust their current device and will be able to log in automatically from that device.
Option 2: Revoke devices and manually enroll from the dashboard
Users should contact your team to report that they lost their device. Once your team has verified the user and is ready to grant access to the user's new device, you can use the dashboard to revoke all currently registered devices and allow the user to trust their current device so that they can log in automatically afterward.