Chris Messina posted today about the problems with current OpenID work-flows for mobile users. In spite of a long list of chores I was intending to complete today I had a bit of an experiment with an approach to solving this.
The main problem I wanted to solve was to allow a user to prove their identity without having to enter a password. Most mobile devices lack physical alphanumeric keyboards, and without that it’s very hard to fill out password fields.
My initial approach was to offer an OpenID URL for phone numbers and use an SMS message containing a one-time password to verify that the person attempting to log in had access to that mobile phone. Unfortunately there’s no free web service for sending SMSes, so did the next best thing and built it on top of Twitter.
I began with JanRain’s PHP Standalone OpenID Server and hacked it to pieces. I removed the requirement for registration – it transparently adds accounts as you use it. It doesn’t use password authentication, it sends a Twitter direct message with a one-time token to verify identity. I removed the OpenID Simple Registration support since the server has no idea about the user’s profile information – it might be possible in the future to put that back in, pulling the data over from the user’s twitter profile.
The server seems to work okay for the couple of services I tried it with. If there’s interest in this I might continue to develop it. Right now it’s up at http://twauth.ianloic.com/. It might be broken, it might go away at any point, it likely has security holes. Have a play and let me know what you think.
What I really want is a variation on this. I want to be able to use this simple single-use-token authentication when I’m on a mobile device and use a more traditional system the rest of the time. Magnolia allows me to associate multiple OpenID identities with my account so it’s easy there, but most services have a one-to-one relationship between identities and accounts.