
We have an app running and identify our users using Facebook Login. Unfortunately, Facebook Login isn't the best way to log in to an app, and our users want something different. So we're trying to discuss a new way of logging into our app. We came up with a "passwordless" login solution, which is basically a web thing and not yet very common in smartphone apps.

One idea is to let the user enter his username and email on registration and save this to our web service. The user gets an email with his login credentials or a link with a token that identifies him within the app. The problem might be that email is the wrong medium for an app login confirmation.

A second idea is to generate a local token and use this as a "password" which is synced across the user's devices via e.g. iCloud. This way we have no clue if the user is actually "real".

Our third idea is a bit of a mix where the user only needs a password when he wants to log in on a different device.

So, what do you think could be the best way to implement such a mechanism into a cross-platform smartphone app?

Have we completely missed something important?

I would appreciate productive suggestions.

dibi
  • Why do you not just use a "remember password" function? – PKlumpp Jun 10 '14 at 14:07
  • @ZerO We don't want passwords. Passwords are a possible security risk; people enter very bad passwords to remember them. Furthermore, it's a higher hurdle for the users to register. We want a very lightweight and fast way to enter our app. – dibi Jun 10 '14 at 14:14
  • That's a good question and I strongly share your desire for passwordless authentication. See my answer to the same question here: http://stackoverflow.com/questions/12575989/how-to-create-a-password-less-login-for-mobile-app/26678919#26678919 or read about it here: http://www.drzon.net/passwordless-login-in-mobile-apps/ – Michael Oct 31 '14 at 16:15

2 Answers


I think your first option is the best despite what you say about email being a bad medium.

If you don't somehow tie the session to an email, the user will have nothing to restore such session in the future that doesn't resemble a password. Also, it would make it trivial to impersonate someone else's mail. You need mail in the equation, otherwise you'd just send a token on the service response as if it were a login call.

Fernando Mazzon
  • Sounds conclusive, but not satisfactory. Perhaps because I'm a fan of the second option. Do you have any cons on this point besides that account-restoring thing? I mean, because it is stored in the user's cloud he couldn't lose it. – dibi Jun 10 '14 at 17:44
  • Can you please elaborate on how the second option's flow would work? – Fernando Mazzon Jun 10 '14 at 18:26
  • I think of it like this: - The user registers by entering his name and email address - The app generates a token that is stored locally in the user's iCloud key/value storage (I think Android has something similar) - These credentials are sent to our web service; the user doesn't see this token and it's synced between his devices. – dibi Jun 10 '14 at 18:36
  • Ok, makes more sense now. It's probably better if you first hit the service and save a token it returns instead of generating it on the device. These are the holes I can think of: How do you support a user having the same account on his Android and iOS devices? What good is it to have the user's email address if it's not validated? – Fernando Mazzon Jun 10 '14 at 18:50
  • Yep, you're right. An unvalidated email address is nonsense. And the problem with the iOS <--> Android transition is tricky too. So thank you for your hints and for making things clear to me. I think we'd better do it the first way. – dibi Jun 10 '14 at 19:52
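The email-link flow from the question's first option, with the refinement from the comments above that the server rather than the device issues the token, as an added Python example that is not part of the question or either answer. It assumes an in-memory store, a caller-supplied `send_mail` function standing in for a real mailer, a constructed 15-minute link lifetime, and a placeholder `app.example.invalid` host for the link the app would open.

```python
import hashlib
import secrets
import time

# Constructed value: a login link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


class PasswordlessService:
    """Server side of the email-link login flow.

    The server, not the device, mints every token; it stores only a hash
    of each token so a leaked database cannot be replayed as a login; and
    a login link is single-use and expires. Redeeming a link also marks
    the email address as verified, which answers the "what good is an
    unvalidated email" objection from the comments.
    """

    def __init__(self, send_mail, clock=time.time):
        # send_mail(to_address, body) is supplied by the caller; a real
        # deployment would plug in an SMTP or API-based mailer here.
        self.send_mail = send_mail
        self.clock = clock
        self.users = {}      # username -> {"email": str, "verified": bool}
        self.pending = {}    # sha256(login token) -> (username, expires_at)
        self.sessions = {}   # sha256(session token) -> username

    @staticmethod
    def _digest(token):
        # Only the digest is persisted; the raw token exists in the email
        # and, briefly, in the client's request.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def register(self, username, email):
        """First option from the question: username plus email, nothing else."""
        if username in self.users:
            raise ValueError("username already taken")
        self.users[username] = {"email": email, "verified": False}

    def request_login(self, username):
        """Email a fresh single-use link to the address on file.

        Returns None whether or not the username exists, so the response
        does not reveal which usernames are registered.
        """
        user = self.users.get(username)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[self._digest(token)] = (username, self.clock() + TOKEN_TTL_SECONDS)
        # Placeholder host: the app would register this link so it opens
        # in the app instead of a browser.
        self.send_mail(user["email"], f"https://app.example.invalid/login?token={token}")
        return None

    def redeem(self, token):
        """Exchange a login-link token for a long-lived session token.

        Returns the session token on success, or None if the link is
        unknown, already used, or expired.
        """
        entry = self.pending.pop(self._digest(token), None)  # pop => single use
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() > expires_at:
            return None
        # Presenting the token proves control of the mailbox.
        self.users[username]["verified"] = True
        session = secrets.token_urlsafe(32)
        self.sessions[self._digest(session)] = username
        return session

    def whoami(self, session):
        """Resolve a session token presented by the app; None if invalid."""
        return self.sessions.get(self._digest(session))

    def is_verified(self, username):
        return self.users[username]["verified"]
```

The session token returned by `redeem` is the only secret the app has to keep; storing it in the platform keychain (and, if desired, syncing it across the user's devices) is what the question's second and third options would do, but here it is always issued by the service after a mailbox check rather than generated on the device.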

What about an optical solution like face recognition using the front camera or something like that?

I know some notebook manufacturers use them to log into Windows.

Another way would be simple one-way codes (something like TANs) you could send to your users' phone/email/...

EvilFonti