How to create a password-less login for mobile app


Problem description

I'm intested in building some kind of password-less login between a mobile app and an API (assuming I can control both). The motivation is that having to login is very annoying for users and has security risks (eg. users will reuse existing passwords) and I want the users to be able to get started with the app immediately.

I'm wondering if there are some techniques that could work. For instance:

  1. Generate a random login/password on the mobile device and store the password in the keychain.
  2. Register with the API using this login/password combination. This returns a token.
  3. Use the token for subsequent calls.

The downsides are:

  • Login/passwords can be lost if the user deletes the app (this could maybe be mitigated by using iCloud to store the login, but that would be bad for the password?)
  • The password is stored on the device (however it's in the keychain)

So my questions: is something like this feasible and secure enough? Are there known techniques to do that?

Recommended answer

Here is what we did:

Basically, the idea is pretty similar to the "forgot password" most services offer:

  1. Ask the user for an email.
  2. Send an email with an activation link. The email contains a deep link with a one-time token, something like myapp://login?token=......
  3. The user opens the email on the device where the app is installed; this is crucial for the deep link to work, but it is what happens in 99% of cases anyway. The user clicks the button with the deep link.
  4. The user is redirected back to the app; you extract the token from the deep link in the app and send it to the server API to authenticate. After authentication is done, create a session for the user so they won't need to authenticate again.

Good:

  1. More secure: users don't have to think of new passwords (which are usually too simple) and there is no risk of users reusing passwords. For us as developers, it offers a solution that has only one (and simple!) path of authentication, which is easier to understand and hence to protect. Also, we don't have to touch any user passwords / hashed passwords.
  2. Smoother onboarding flow for the user: if you pre-enter the email in the input field, the login flow can be as short as 2 button clicks and they're in (unless you wanna take their name / other details as well, but that requires additional input fields in a traditional login too).

Less good :)

  1. Users may not be very familiar with this flow and may ask why they don't need a password. I'm thinking of adding a small link explaining why we don't need passwords.
  2. If the app is deleted or the user logs out, they will need to log in again using their email. This is less of a problem for mobile apps, where users don't log out and back in every now and then, etc.

I've already implemented this flow into our app, you can read a more in depth explanation here: http://www.drzon.net/passwordless-login-in-mobile-apps/

Some more notes:

  • To make it more secure, make the token usable one time only and also put an expiration on it (like an hour). You can also tie the token to the specific device by sending the server a unique device id of some kind along with the email address. This way the user can't simply forward the email to another person who would open it instead.
  • About the deep link: I found that some email providers block the use of links with custom URL schemes like app://. The way to overcome this is by making the link point to your server instead and redirecting there to the actual deep link: https://myserver.com/login?token=... ---> myapp://login?token=...

Mozilla wrote about it as well here: https://hacks.mozilla.org/2014/10/passwordless-authentication-secure-simple-and-fast-to-deploy/
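The server side of the flow in this answer, as an added example (not the answer author's code, nor the code behind the drzon.net post): it issues a one-time token bound to the email address and a device id, stores only a hash of the token, expires it after an hour, maps the https://myserver.com/login?token=... link to the myapp://login?token=... deep link, and consumes the token on first presentation so it cannot be replayed or forwarded. The in-memory store, the myserver.com base URL, the device ids and the injectable clock are assumptions made for the demonstration; a real deployment would persist the pending logins and sessions server-side.

```python
"""Magic-link (password-less) login: server-side token issue and verify.

Added example, not the original answer's code. Assumes an in-memory store,
a hypothetical base URL https://myserver.com and the myapp:// scheme used in
the answer. Only SHA-256 hashes of tokens are kept, so a leaked store does
not contain usable links.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 3600  # one hour, as the answer suggests


@dataclass
class PendingLogin:
    email: str
    device_id: str
    expires_at: float
    used: bool = False


def token_from_deeplink(deeplink: str):
    """App side of step 4: pull the token out of myapp://login?token=..."""
    return parse_qs(urlparse(deeplink).query).get("token", [None])[0]


class MagicLinkService:
    """Issues single-use, expiring, device-bound login tokens."""

    def __init__(self, base_url: str = "https://myserver.com", now=time.time):
        self._pending = {}      # token hash -> PendingLogin (constructed in-memory store)
        self._sessions = {}     # session id -> email
        self._base_url = base_url
        self._now = now         # injectable clock so expiry can be tested offline

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_login(self, email: str, device_id: str) -> str:
        """Step 2: mint a random one-time token and return the HTTPS link to email.

        The link points at our own server rather than at myapp:// because some
        mail providers strip custom URL schemes; the server redirects afterwards.
        """
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = PendingLogin(
            email=email,
            device_id=device_id,
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return f"{self._base_url}/login?{urlencode({'token': token})}"

    @staticmethod
    def redirect_target(https_link: str) -> str:
        """Server redirect: https://myserver.com/login?token=X -> myapp://login?token=X"""
        query = urlparse(https_link).query
        return f"myapp://login?{query}"

    def authenticate(self, token: str, device_id: str):
        """Step 4: the app posts the token plus its device id; returns a session id or None.

        The token is consumed on first presentation regardless of outcome, so a
        forwarded or guessed link cannot be retried against other device ids.
        """
        entry = self._pending.get(self._hash(token))
        if entry is None or entry.used:
            return None                                   # unknown or already used
        entry.used = True                                 # single use
        if self._now() > entry.expires_at:
            return None                                   # expired
        if not hmac.compare_digest(entry.device_id, device_id):
            return None                                   # opened on a different device
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = entry.email          # long-lived app session
        return session_id

    def session_email(self, session_id: str):
        return self._sessions.get(session_id)


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.request_login("alice@example.com", "device-A")   # constructed input
    deep = svc.redirect_target(link)
    sid = svc.authenticate(token_from_deeplink(deep), "device-A")
    print("session for", svc.session_email(sid))
    print("replay accepted?", svc.authenticate(token_from_deeplink(deep), "device-A") is not None)
```

Binding the token to a device id only helps if the id is something the forwarding recipient cannot trivially learn; an app-generated random identifier kept in the keychain, sent once at registration, is a reasonable choice. Consuming the token even when the device check fails trades a possible denial (the legitimate user must request a new link) for removing any chance of retrying the same link.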
