A simpler mobile OpenID workflow?
Chris Messina posted today about the problems with current OpenID work-flows for mobile users. In spite of a long list of chores I was intending to complete today I had a bit of an experiment with an approach to solving this.
The main problem I wanted to solve was to allow a user to prove their identity without having to enter a password. Most mobile devices lack physical alphanumeric keyboards, and without that it's very hard to fill out password fields.
My initial approach was to offer an OpenID URL for phone numbers and use an SMS message containing a one-time password to verify that the person attempting to log in had access to that mobile phone. Unfortunately there's no free web service for sending SMSes, so I did the next best thing and built it on top of Twitter.
I began with JanRain's PHP Standalone OpenID Server and hacked it to pieces. I removed the requirement for registration: it transparently adds accounts as you use it. It doesn't use password authentication; instead it sends a Twitter direct message containing a one-time token to verify identity. I removed the OpenID Simple Registration support since the server has no idea about the user's profile information. It might be possible in the future to put that back in, pulling the data over from the user's Twitter profile.
The server seems to work okay for the couple of services I tried it with. If there's interest in this I might continue to develop it. Right now it's up at http://twauth.ianloic.com/. It might be broken, it might go away at any point, it likely has security holes. Have a play and let me know what you think.
What I really want is a variation on this. I want to be able to use this simple single-use-token authentication when I'm on a mobile device and use a more traditional system the rest of the time. Magnolia allows me to associate multiple OpenID identities with my account so it's easy there, but most services have a one-to-one relationship between identities and accounts.
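The core of the flow above is the one-time token: minted per login, delivered out of band, and accepted exactly once before it expires. Here is an added Python sketch of that server-side logic (my example, not the code running at twauth.ianloic.com or JanRain's); the 6-digit code length, 5-minute lifetime, 3-guess limit and the pluggable `send` callable standing in for the Twitter direct-message call are all assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

# Assumed parameters (not from the post): short numeric codes are easy to type
# on a phone keypad, and a tight lifetime plus a guess limit keeps them safe.
CODE_DIGITS = 6
TOKEN_TTL = 300        # seconds a code stays valid
MAX_ATTEMPTS = 3       # wrong guesses before the code is thrown away

@dataclass
class PendingLogin:
    code_hash: bytes   # only a keyed hash of the code is kept server-side
    expires_at: float
    attempts: int = 0

@dataclass
class TokenAuthenticator:
    send: Callable[[str, str], None]   # send(username, text); stands in for a Twitter DM
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)
    known_users: set = field(default_factory=set)

    def _hash(self, username, code):
        return hmac.new(self.secret, f"{username}:{code}".encode(), "sha256").digest()

    def begin(self, username, now=None):
        """Start a login: create the account if new, mint a code, send it out of band."""
        now = time.time() if now is None else now
        self.known_users.add(username)   # accounts are created transparently on first use
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[username] = PendingLogin(self._hash(username, code), now + TOKEN_TTL)
        self.send(username, f"Your one-time login code is {code}")

    def verify(self, username, code, now=None):
        """True exactly once for the right code before expiry; False otherwise."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False
        if now > entry.expires_at:
            del self.pending[username]   # expired codes are discarded, not retried
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code_hash, self._hash(username, code))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[username]   # single use: gone after success or too many guesses
        return ok
```

Once `verify` returns True the OpenID server would complete the checkid response for that identity; everything else about the OpenID protocol is untouched.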

January 14th, 2008 - 07:08
Totally awesome. You should imho add a link to this explanatory blog post to the twauth.ianloic.com page though.
January 14th, 2008 - 12:03
Nice. OpenID ought to be easier for end users on any kind of device. This is also a philosophy behind id7r.com, which proves user identity via email address. I'm more encouraged to see that more people are thinking/heading in the same direction.
January 14th, 2008 - 15:02
Very cute idea.
January 14th, 2008 - 15:17
This is really awesome… and vaguely like OAuth…?
Anyway, I think you’re on to something here, but we just need a shorter URL…
January 14th, 2008 - 15:43
A really nice project?
What about launching twitterid.com with this project, get a fancy layout and import the persona from twitter user info?
January 14th, 2008 - 15:54
(sorry for double post)
And a rel=”me” in the identity page would be so nice for XFN importing
January 14th, 2008 - 23:36
@Marshall, good idea – I’ve added a link
@John, I hadn’t heard about id7r.com before, but that’s pretty much what I had been thinking about. I’m glad there are other folks out there hacking on similar things.
@Alcides, I’m not sure if I want to make it a fully “launched” project – then I’d feel obliged to maintain it. I might though, but I do need to think of a niftier name. And there’s a lot to be done cleaning up the identity page – beginning with a rel=”me” to the associated Twitter page.
January 15th, 2008 - 06:37
“I want to be able to use this simple single-use-token authentication when I’m on a mobile device and use a more traditional system the rest of the time.”
Since we’re obliged to use urls why not take advantage of it, m.twauth.com/username for mobile or twauth.com/username for the classic method.
January 15th, 2008 - 08:35
Heh whoops, missed the
“Magnolia allows me to associate multiple OpenID identities with my account so it’s easy there, but most services have a one-to-one relationship between identities and accounts.”
Anyways, it wouldn’t be THAT bad to offer the user a choice, or would it?
mockup: http://tinyurl.com/2vr8dz
January 15th, 2008 - 16:34
Interesting. thanks.
January 16th, 2008 - 16:54
@Chris & Ian, just letting you know that tiny.Id7r.com can create a shorter OpenID URL as an “alias” to the original one. So a possible use here.
January 17th, 2008 - 20:36
I have passwordless at myopenid with an SSL cert
January 18th, 2008 - 15:32
What is the context of this situation:
“The main problem I wanted to solve was to allow a user to prove their identity without having to enter a password. Most mobile devices lack physical alphanumeric keyboards, and without that it’s very hard to fill out password fields.
My initial approach was to offer an OpenID URL for phone numbers and use an SMS message containing a one-time password to verify that the person attempting to log in had access to that mobile phone.”
In what way is the user needed to identify themselves? Are you referring to a simple phone lock, or email access, or what?
It seems that you are intent on using OpenID and this is probably the right way to go, but why can’t you authorize through the phone’s browser, similar to using the login on a PC? It should set the cookie token, and authorize that browser to be recognized as your OpenID.
Even with some older phones that have nonstandard browsers, any phone that can run Java decently can use the Opera browser for a web-based login. What is the advantage of an SMS over typing into the browser (as long as you only have to do either 1 time)?
January 18th, 2008 - 18:08
@bob
“What is the advantage of an SMS over typing into the browser (as long as you only have to do either 1 time)?”
Security: those credentials will only be valid for the time you log in, and you don’t have to memorize anything other than your OpenID Identifier.
March 17th, 2008 - 02:43
It would be better to certify once logged in at the internet gateway through operators. Maybe they can use their business card on mobile to get certified.
What really will help is to do the authentication at the gateway rather than at every login.
Possibly, maybe just a code.