Hi, how about this idea: like social login buttons, but you have a "Login with mobile" or "Register with mobile" button which allows the end-user to log in or register with a mobile number and nothing else. It would require a user to download an app. My service takes care of the core logic and integrations and offers endpoints for your service. After the user has logged in or registered, they will be redirected back to your service with a signed token (JWT) that contains the user ID, i.e. the user's mobile phone number.
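The redirect step in the post above (a signed JWT carrying the phone number as the user ID) is where the receiving service has to be careful. As an added example, not code from this thread or from any service mentioned in it, here is a stdlib-only Python sketch of both sides: a stand-in login service minting an HS256 token, and the relying party's verification, which pins the algorithm, checks signature, issuer, audience and expiry, and binds the token to a session nonce. The issuer, audience and shared secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real deployment would use its own issuer,
# client identifier and a per-relying-party secret (none of these come from the thread).
SHARED_SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://login-with-mobile.example"   # hypothetical login service
AUDIENCE = "https://relying-party.example"     # hypothetical relying party (your service)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(phone: str, nonce: str, now=None, ttl: int = 300) -> str:
    """Stand-in for the login service: HS256 JWT whose subject is the phone number."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": phone,
                                 "iat": now, "exp": now + ttl, "nonce": nonce}).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_callback_token(token: str, expected_nonce: str, now=None) -> dict:
    """Relying-party check of the token received on the redirect; raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    # Pin the algorithm instead of trusting the header (rejects alg=none and key confusion).
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("token not issued for this service")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # The nonce binds the token to the browser session that started the login (anti-replay).
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims   # claims["sub"] is the phone number; numbers get recycled, so do not treat it as permanent
```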
See also https://en.wikipedia.org/wiki/SQRL for a similar idea (passwordless).
Two things though:
Phone numbers are more volatile than email addresses, as they are recycled by cell phone service providers. Every time you'd change your SIM, you'd need to go through all your logins.
@richardesigns is working on a password-less solution, which may address the same pain points your proposal does.
Hi @ovi, thanks for the tag. Super interested in device authentication but not with a phone number or an app, just using the open source Web Cryptography API. @jarirajari, take a look at how DID.app is working https://did.app/articles/how-did-works if that helps you. Keen to support and promote adoption of passwordless authentication.
@richardesigns looks very interesting, and DID is passwordless, which is a problem that I wanted to solve too. I am building an IAM platform and was thinking the passwordless solution would be a way to gain traction. If I see any interest in DID I will point the leads to your site.
There is certainly the idea that passwordless authentication is good for conversion rates and it will be fantastic to get reliable evidence of that. Please feel free to share what you're building with us if you'd like feedback or thoughts on it. How are you thinking of providing your passwordless authentication? May I ask also what framework (if any) you might be using?
Sure. With OpenID Connect, as you have, because it is somewhat of a de facto standard, which means at least technical people understand how it works. I will implement the backend with Java (Spring) because I am familiar with that, or did I understand your question correctly?
Thanks @ovi! The passwordless way is exactly what I am trying to validate. But I am not sure if that is really a problem. I have identified some potential problems with different types of logins like social login. But in this case I am wondering if anyone is willing to download the app...
It was Richard who educated me on the cons to social logins.
People download auth apps for 2FA, so it's not out of the question.
Isn't this already done by a lot of services, such as AWS Cognito and many more?
Working through the AWS docs this week it became immediately apparent that not every developer will want to or be able to work with them! DID.app is OpenID Connect compatible, which means we were able to even write a simple WordPress integration guide this week and have it set up in less than 10 minutes. The original post about signing in with mobile is interesting because we've been working on device authentication. While the SIM and the phone number don't offer security, as Ovi points out, the device, should it be sold, erases all keys on a 'factory reset'; in fact clearing browsing history does it too. For users that lose a phone, they log in to their account at DID.app and untrust any lost or stolen devices.
Actually not. Few services use a "login with email" solution. And it seems that there are some, e.g. apparently this DID application that uses email + trusted device solution. I am also exploring the passwordless option, which should be great from the UX point of view.
Yea so DID allows you to add passwordless authentication to your website basically. You're right to say it does magic links followed by device authentication.