@allpwrfulroot

Twilio or similar SMS service required to authenticate the phone (analogous to email verification links or codes). But much faster route than email for auth on mobile apps.

How apps used on multiple devices would have to adapt is up for debate, and thoughts are welcome.

Could be the start of a 2FA scheme as well, with verified emails able to regain access to new devices. Again, there are a couple of ways that could work and some thought should be given as to which method would be best.

@kbrandwijk
Contributor

I love the idea of using this type of Authentication. Facebook AccountKit is an alternative that takes away the need for an external SMS provider, keeping track of phone numbers, etc. It might also make it easier to use across projects. However, the one thing missing from it is that it is not linked to a device. This is a big plus in this example.

@allpwrfulroot
Author

I'm using React Native with Expo, which isn't really compatible with AccountKit at the moment (at least not seamlessly). And ironically for a Facebook stack adopter, Facebook's Graph-related tools feel just a bit creepy (my app would just add to their personal data gathering empire). Keeping an eye on how that develops, though.

@marktani
Contributor

marktani commented Jul 24, 2017

I like the example, thanks! I am not quite sure how Twilio ties into this. Also, where is the device id coming from?

What would be the possible additions to make this example more distinct from the email/pw example?

@allpwrfulroot
Author

allpwrfulroot commented Jul 24, 2017

Sure! Actually, phone number verification could be open-ended, similar to how email verification is right now. Twilio (or another similar service like Amazon SNS) can send a text message with a verification code to a phone, which a user can then input and get confirmed. Whether or not a developer would want to integrate the full Authy or similar token-dispensing service would also be up to them; either way, a confirmation via text would be followed by a login request to Graph.cool with a phone number and a device ID.

The device ID would have to be figured out based on device type and platform, and could really be any available unique identifier. In my case, with React Native on Expo (mobile only, no tablets), it's a super simple call.

UPDATE: I double-checked, and the deviceId I'm playing with is not actually the "real" device ID. Although it would work, it's probably not up to any kind of standard. I'll probably go with a hack of the email / password setup for my current project and have to revisit later.

Again, very open to modifications. It feels like a bit of a hack, and yet it would be so similar to the standard email methods that I can't see why not?

@kbrandwijk
Contributor

kbrandwijk commented Jul 24, 2017

My 2 cents: there's account registration and verification.

  • If you register using a phone number, you need a way to verify the phone number. This can be done using any call/SMS provider, like Twilio.
  • If you register using a deviceId, the way to verify this would be using a push notification to the device.
  • If you register using an email address, you need an email verification.

Then there's login and login verification.

  • Login can be using any authentication method available.
  • If you need additional verification, you need some form of 2FA. This can be SMS/phone call/Authenticator/email with one-time code/etc.

As far as I can see, this example focuses on user registration using deviceId/phone number, and verification of that phone number using an SMS provider.
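
An added example, not part of the thread or of the pull request's code: one way a backend could handle the phone-verification step discussed above, issuing an SMS code bound to the phone number and device ID, with expiry, an attempt limit and single use. The in-memory store, the `sendSms` callback, the TTL and the attempt limit are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const CODE_TTL_MS = 5 * 60 * 1000; // assumed 5-minute validity window
const MAX_ATTEMPTS = 3;            // assumed guess limit per issued code

// Constructed in-memory store; a real backend would keep this server-side.
const pending = new Map();

const key = (phone, deviceId) => `${phone}|${deviceId}`;
// Only a salted HMAC of the code is stored, never the code itself.
const hashCode = (salt, code) =>
  crypto.createHmac('sha256', salt).update(code).digest();

// Issue a 6-digit code bound to phone number + device ID.
// sendSms is a hypothetical callback standing in for the SMS provider.
function issueCode(phone, deviceId, sendSms, now = Date.now()) {
  const code = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
  const salt = crypto.randomBytes(16);
  pending.set(key(phone, deviceId), {
    salt,
    hash: hashCode(salt, code),
    expires: now + CODE_TTL_MS,
    attempts: 0,
  });
  sendSms(phone, `Your verification code is ${code}`);
}

// True only for the right code, from the same phone/device pair,
// before expiry and within the attempt limit. A code is single-use.
function verifyCode(phone, deviceId, code, now = Date.now()) {
  const k = key(phone, deviceId);
  const entry = pending.get(k);
  if (!entry) return false;
  if (now > entry.expires || entry.attempts >= MAX_ATTEMPTS) {
    pending.delete(k); // expired or exhausted: force a fresh code
    return false;
  }
  entry.attempts += 1;
  // Both buffers are 32-byte HMAC outputs, so the comparison is constant-time.
  const candidate = hashCode(entry.salt, String(code));
  const ok = crypto.timingSafeEqual(entry.hash, candidate);
  if (ok) pending.delete(k);
  return ok;
}
```

Only after `verifyCode` returns true would the login request with phone number and device ID be sent on to the backend.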
