Hi, Habr!
Today I had the idea of an alternative way to log in to a site using a mobile device linked to the account.
Why would you need it?
Well, for example, if the user is too lazy to type passwords, or as a second factor in two-factor authentication, or for password recovery, and so on.
Actually, I have not thought about how to apply this mechanism in production. The main goal is the implementation; then we'll see.
Some theory
What should it look like?
For binding and for authorization, it is enough to scan the corresponding QR code with your device:
1. On the binding page
2. On the login page
What to bind to?
After a little googling, I sadly realized that there is no way for a web page to learn private (unique) information about the device: neither the IMEI, nor the serial number, nothing of the kind.
Only the following remain:
1. A long-lived cookie that lives in the device's browser
2. The IP address
3. The User-Agent
Unfortunately, with such data you cannot count on a long-term binding of the device to the account: the cookie can be cleared, and the IP address and User-Agent are neither unique nor stable.
Binding mechanism
1. We generate a link and render it as a QR code
2. The device scans the code and follows the link
3. We collect whatever information about the device is available and store the correspondence (device = user)
4. We set a cookie on the device
5. Meanwhile, the browser polls a special link and, as soon as a positive response arrives, shows the user a message that the binding succeeded
Authorization mechanism
1. We generate a link and render it as a QR code
2. The device scans the code and follows the link
3. We collect data about the device and look it up in the database
4. If the device is found, we open a session for the user in the browser
5. Meanwhile, the browser polls a special link and, as soon as a positive response arrives (in this case a session cookie and a redirect to the requested page), the user is logged in
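The binding procedure and the authorization procedure above, as an added example written for this page in Python; it is not code from the post's repository. It is a minimal in-memory model of the server side with both flows and the polling endpoint the browser uses. Everything beyond the five steps is an assumption: the URL layout `/qr/<kind>/<token>`, the two-minute challenge lifetime, the domain `example.test`, and the use of a random device cookie as the only credential (the user agent and IP are stored but, as in the post, not consulted when deciding).

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TTL_SECONDS = 120  # assumption: a QR code that is not scanned within 2 minutes is dead
BASE_URL = "https://example.test"  # hypothetical site, stands in for the real domain


@dataclass
class Challenge:
    kind: str                     # "bind" or "login"
    browser: str                  # secret of the browser session that asked for the QR code
    user_id: Optional[str]        # set for "bind": the user logged in to that browser
    created: float
    result: Optional[str] = None  # user id once a device has scanned, else None
    consumed: bool = False        # True once the browser has collected the result


class QrAuthServer:
    """In-memory stand-in for the site: challenges, bound devices, browser sessions."""

    def __init__(self, now=time.time):
        self.now = now
        self.challenges = {}  # token -> Challenge
        self.devices = {}     # device cookie -> {"user", "ua", "ip"}
        self.sessions = {}    # browser session cookie -> user id

    # Step 1 of both procedures: generate the link whose content goes into the QR code.
    def new_challenge(self, kind, browser, user_id=None):
        token = secrets.token_urlsafe(32)  # unguessable and usable exactly once
        self.challenges[token] = Challenge(kind, browser, user_id, self.now())
        return f"{BASE_URL}/qr/{kind}/{token}"

    def _scannable(self, token, kind):
        """Challenge that exists, is of the right kind, has not expired and was not scanned yet."""
        ch = self.challenges.get(token)
        if ch is None or ch.kind != kind or ch.result is not None or ch.consumed:
            return None
        if self.now() - ch.created > TTL_SECONDS:
            return None
        return ch

    # Binding, steps 2-4: the device follows the link; the server records device = user and
    # hands the device a fresh random cookie (to be sent as HttpOnly; Secure; long Max-Age).
    def bind_scan(self, token, user_agent, ip):
        ch = self._scannable(token, "bind")
        if ch is None:
            return None
        cookie = secrets.token_urlsafe(32)
        self.devices[cookie] = {"user": ch.user_id, "ua": user_agent, "ip": ip}
        ch.result = ch.user_id
        return cookie

    # Login, steps 2-4: the device follows the link and presents its cookie;
    # the cookie alone decides, user agent and IP are stored but not consulted.
    def login_scan(self, token, device_cookie):
        ch = self._scannable(token, "login")
        dev = self.devices.get(device_cookie)
        if ch is None or dev is None:
            return False
        ch.result = dev["user"]
        return True

    # Step 5 of both procedures: the browser polls the special link with its own secret.
    def poll(self, token, browser):
        ch = self.challenges.get(token)
        if ch is None or ch.consumed or self.now() - ch.created > TTL_SECONDS:
            return {"status": "expired"}
        if ch.browser != browser:  # only the browser that showed the QR code may collect it
            return {"status": "expired"}
        if ch.result is None:
            return {"status": "pending"}  # keep polling
        ch.consumed = True  # the token cannot be replayed after this
        if ch.kind == "bind":
            return {"status": "bound", "user": ch.result}
        session = secrets.token_urlsafe(32)
        self.sessions[session] = ch.result
        return {"status": "ok", "session": session, "user": ch.result}  # Set-Cookie + redirect


def token_from_url(url):
    """What the server-side handler extracts from the scanned link."""
    return url.rsplit("/", 1)[1]


def demo(now=time.time):
    """Walk both procedures for a constructed user 'alice' and return the login poll result."""
    srv = QrAuthServer(now=now)
    bind_url = srv.new_challenge("bind", browser="browser-A", user_id="alice")
    cookie = srv.bind_scan(token_from_url(bind_url), "Mozilla/5.0 (Android)", "203.0.113.7")
    assert srv.poll(token_from_url(bind_url), "browser-A")["status"] == "bound"
    login_url = srv.new_challenge("login", browser="browser-B")
    srv.login_scan(token_from_url(login_url), cookie)
    return srv.poll(token_from_url(login_url), "browser-B")


if __name__ == "__main__":
    print(demo())
```

Three checks in this model go beyond the numbered steps and are worth keeping in any real implementation: the token in the link is random and accepted only once, it expires if nobody scans it, and only the browser that displayed the QR code can collect the result, so a link that leaks from a screenshot or a log cannot be used to finish someone else's login. None of this protects a user who is talked into scanning a login code that another person's browser generated; the device should therefore show which site and which action it is about to confirm before it follows the link.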
Sources
Listings in the post would not interest anyone; please go to the repository on
GitHub.
In closing, I would very much like to receive adequate feedback to improve the mechanism and possible use cases.
Don't scold me for the quality of the code; everything was written from scratch "on the knee".
PS: The user agent and IP of the devices are saved to the database but are not used for authorization. Left for the future.
UPD: In a minute I will post a working version of the script for those who want to test it.
UPD2: Repository updated. I uploaded the script to a server for those who want to test it
here.