A simpler mobile OpenID workflow?

Chris Messina posted today about the problems with current OpenID workflows for mobile users. In spite of a long list of chores I was intending to complete today, I had a bit of an experiment with an approach to solving this.

The main problem I wanted to solve was to allow a user to prove their identity without having to enter a password. Most mobile devices lack physical alphanumeric keyboards, and without one it’s very hard to fill out password fields.

My initial approach was to offer an OpenID URL for phone numbers and use an SMS message containing a one-time password to verify that the person attempting to log in had access to that mobile phone. Unfortunately there’s no free web service for sending SMSes, so I did the next best thing and built it on top of Twitter.

I began with JanRain’s PHP Standalone OpenID Server and hacked it to pieces. I removed the requirement for registration – it transparently adds accounts as you use it. It doesn’t use password authentication; instead it sends a Twitter direct message containing a one-time token to verify identity. I removed the OpenID Simple Registration support since the server has no idea about the user’s profile information – it might be possible in the future to put that back in, pulling the data over from the user’s Twitter profile.
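The core of the flow described above is a short one-time code delivered over a channel the user already controls (a Twitter direct message here, an SMS in the original plan), then checked once and thrown away. The following Python is an added example, not code from the server linked in this post or from JanRain’s package: it shows the issue-and-verify logic with the properties a practitioner would want from such a code (bounded lifetime, single use, an attempt cap because a six-digit code is guessable, constant-time comparison). The `send` callback, the identifier `twitter.com/ianloic`, and the in-memory outbox standing in for Twitter are all constructed for the example; the OpenID protocol handling itself (discovery, association, the checkid round trip) is assumed to sit around this and is not shown.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_DIGITS = 6       # short enough to type on a phone keypad
TOKEN_LIFETIME = 300   # seconds a code stays valid
MAX_ATTEMPTS = 3       # wrong guesses before the code is voided


@dataclass
class PendingLogin:
    code: str
    issued_at: float
    attempts: int = 0


class OneTimeTokenAuth:
    """Passwordless login: prove control of an out-of-band channel.

    `send(identifier, code)` is the delivery channel (a Twitter DM in the
    post, an SMS gateway in the original plan).  It is injected so the
    logic can be exercised offline; `clock` is injected for the same reason.
    """

    def __init__(self, send, clock=time.time):
        self._send = send
        self._clock = clock
        self._pending: dict[str, PendingLogin] = {}

    def request_login(self, identifier: str) -> None:
        # A fresh code on every request; any earlier outstanding code is replaced.
        code = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        self._pending[identifier] = PendingLogin(code=code, issued_at=self._clock())
        self._send(identifier, code)

    def verify(self, identifier: str, submitted: str) -> bool:
        pending = self._pending.get(identifier)
        if pending is None:
            return False                       # nothing outstanding, or already used
        if self._clock() - pending.issued_at > TOKEN_LIFETIME:
            del self._pending[identifier]      # expired codes are discarded, not retried
            return False
        pending.attempts += 1
        # Constant-time compare; with only 10**6 possible codes the attempt
        # cap below is what actually keeps online guessing out.
        ok = hmac.compare_digest(pending.code.encode(), submitted.strip().encode())
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[identifier]      # single use, success or exhaustion
        return ok


def run_scenarios() -> dict[str, bool]:
    """Exercise the properties above with a fake clock and a constructed
    in-memory 'direct message' outbox standing in for Twitter."""
    now = [1_000_000.0]
    outbox: list[tuple[str, str]] = []
    auth = OneTimeTokenAuth(send=lambda who, code: outbox.append((who, code)),
                            clock=lambda: now[0])
    who = "twitter.com/ianloic"   # hypothetical identifier
    results: dict[str, bool] = {}

    auth.request_login(who)
    code = outbox[-1][1]
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_code_rejected"] = not auth.verify(who, wrong)
    results["right_code_accepted"] = auth.verify(who, code)
    results["replay_rejected"] = not auth.verify(who, code)

    auth.request_login(who)
    code = outbox[-1][1]
    now[0] += TOKEN_LIFETIME + 1
    results["expired_rejected"] = not auth.verify(who, code)

    auth.request_login(who)
    code = outbox[-1][1]
    wrong = "999999" if code != "999999" else "888888"
    for _ in range(MAX_ATTEMPTS):
        auth.verify(who, wrong)
    results["brute_force_locked_out"] = not auth.verify(who, code)
    return results


if __name__ == "__main__":
    for name, passed in run_scenarios().items():
        print(f"{name}: {'ok' if passed else 'FAIL'}")
```

Note what this does and does not prove: a successful `verify` shows that whoever typed the code could read the DM channel at that moment, nothing more. The server in the post binds that to a Twitter handle, so the strength of the login is exactly the strength of the Twitter account (and of Twitter’s delivery of the message); the same caveat applies to the SMS variant.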

The server seems to work okay for the couple of services I tried it with. If there’s interest in this I might continue to develop it. Right now it’s up at http://twauth.ianloic.com/. It might be broken, it might go away at any point, it likely has security holes. Have a play and let me know what you think.

What I really want is a variation on this. I want to be able to use this simple single-use-token authentication when I’m on a mobile device and use a more traditional system the rest of the time. Magnolia allows me to associate multiple OpenID identities with my account so it’s easy there, but most services have a one-to-one relationship between identities and accounts.

25 replies on “A simpler mobile OpenID workflow?”

  1. Totally awesome. You should imho add a link to this explanatory blog post to the twauth.ianloic.com page though.

  2. Nice. OpenID ought to be easier for enduser on any kind of device. This is also a philosophy behind id7r.com, which proves user identity via email address. More encouraged to see more people are thinking/heading in the same direction 😉

  3. @Marshall, good idea – I’ve added a link

    @John, I hadn’t heard about id7r.com before, but that’s pretty much what I had been thinking about. I’m glad there are other folks out there hacking on similar things.

    @Alcides, I’m not sure if I want to make it a fully “launched” project – then I’d feel obliged to maintain it. I might though, but I do need to think of a niftier name. And there’s a lot to be done cleaning up the identity page – beginning with a rel=”me” to the associated Twitter page.

  4. “I want to be able to use this simple single-use-token authentication when I’m on a mobile device and use a more traditional system the rest of the time.”

    Since we’re obliged to use urls why not take advantage of it, m.twauth.com/username for mobile or twauth.com/username for the classic method.

  5. Heh whoops, missed the

    “Magnolia allows me to associate multiple OpenID identities with my account so it’s easy there, but most services have a one-to-one relationship between identities and accounts.”

    Anyways, it wouldn’t be THAT bad to offer the user a choice, or would it?

    mockup: http://tinyurl.com/2vr8dz

  6. What is the context of this situation:
    “The main problem I wanted to solve was to allow a user to prove their identity without having to enter a password. Most mobile devices lack physical alphanumeric keyboards, and without that it’s very hard to fill out password fields.

    My initial approach was to offer an OpenID URL for phone numbers and use an SMS message containing a one-time password to verify that the person attempting to log in had access to that mobile phone.”
    In what way is the user needed to identify themselves? Are you referring to a simple phone lock, or email access, or what?
    It seems that you are intent on using OpenID and this is probably the right way to go, but why can’t you authorize through the phone’s browser, similar to using the login on a PC? It should set the cookie token, and authorize that browser to be recognized as your OpenID.
    Even with some older phones that have nonstandard browsers, any phone that can run Java decently can use the Opera browser for a web-based login. What is the advantage to an SMS over typing into the browser (as long as you only have to do either one time)?

  7. @bob

    “What is the advantage to an SMS over typing into the browser (as long as you only have to do either one time)?”

    Security: those credentials will only be valid for that time you log in, and you don’t have to memorize anything other than your OpenID Identifier.

  8. It would be better to certify once logged in at the internet gateway through operators. Maybe they can use their business card on mobile to get certified.
    What really will help is to do the authentication at the gateway rather than at every login.
    Possibly maybe just a code.

Comments are closed.