Today almost every site on the Internet uses the ancient, time-tested scheme of registering and logging in by email. It has always worked and still works, but it makes the user dependent on mail services and, in my opinion, has several disadvantages.
Convenience
- These days every Internet user has several email addresses (personal, work, the one they forgot about, and so on). Ideally each of them has its own 8-character password. Over time those passwords get forgotten, especially when the browser stores them and fills them in automatically.
- I think many people have run into this: you open a resource to get some piece of information and have to go through a humiliating registration procedure, confirm your email by logging into your mailbox and clicking a horrible link made of meaningless characters. After that the mailbox starts filling up with all sorts of junk, the "subscription" you agreed to when registering, and maybe plain spam too.
- It is also advisable to use a different password on every resource. When a user loses access to a favorite resource, the usual password-recovery routine follows: log into the mailbox (and remember the mail password, if you are logging in from, say, work), find the letter, follow the recovery / confirmation links, and once again invent a new password for the site, which will then be successfully forgotten again.
- The mailbox turns into a dump of notifications, promotions, offers and other advertising from the resources you are registered on. An important letter can easily go unnoticed among it. And it is simply distracting!
Security
- A careless approach to using the mailbox can lead to its password leaking.
- Phishing emails can leak the password of the resource that a fake email pretends to be from.
- An email address is like a passport on the Internet: certain information about it can be gathered from open sources and used for various purposes.
- Whoever has access to the email account can get access to all the resources the user uses and to their other email addresses.
- Mail services and advertising companies know everything about your life.
Unfortunately, there is no alternative that is equally popular, simple and convenient, both to implement and to use. There are various "open access" technologies; they are somewhat more convenient, but they still require an email address and have several disadvantages of their own!
Closer to the point
As an alternative to, or an addition to, this oldest of methods, I want to propose looking at logging in via modern instant messengers. Registration in the form used everywhere simply disappears.
At the moment Telegram suits this task in every respect. But not only Telegram: a bot can be written just as well for other messengers. The scheme is very simple!
A user who comes to a site where they have no account adds the site's bot in Telegram and asks it for access (for example, by pressing the "Give me password" button). For those who do not use Telegram and do not understand which button I am talking about, I attach a screenshot:
As an example, I implemented a one-time password scheme that looks like this:
- The bot generates a one-time password for logging in, on your request.
- To log in to the site you fill in only one field: "password".
In this scheme the generated password is always unique and belongs to only one Telegram user; it is valid for a limited time and is destroyed after login.
With this scheme we do not have to wait for a letter or go through a registration procedure. We simply do not need to remember any passwords: the caring bot will always remind us.
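The server side of the scheme above, as an added example that is not the post's own code: a store shared by the bot handler and the login form that issues one code per Telegram user, keeps only a hash, enforces a lifetime and destroys the code on first use. The code length and the five-minute lifetime are my assumptions, not values from the post.

```python
import hashlib
import secrets
import time

# Assumed parameters (not from the original post): 16 random bytes give
# roughly 128 bits of entropy, and a code lives for five minutes.
OTP_TTL_SECONDS = 300
OTP_BYTES = 16


class OneTimePasswordStore:
    """Server-side store shared by the bot handler and the login form.
    Only a hash of each code is kept, so a leaked table does not hand
    out live passwords."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock, so expiry can be tested
        self._by_hash = {}   # sha256(code) -> (telegram_user_id, expires_at)
        self._by_user = {}   # telegram_user_id -> sha256(code)

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, telegram_user_id: int) -> str:
        """Called when the user presses "Give me password" in the bot.
        A new request invalidates any code still live for that user, so
        exactly one code belongs to one Telegram user at any moment."""
        stale = self._by_user.pop(telegram_user_id, None)
        if stale is not None:
            self._by_hash.pop(stale, None)
        code = secrets.token_urlsafe(OTP_BYTES)
        digest = self._digest(code)
        self._by_hash[digest] = (telegram_user_id, self._now() + OTP_TTL_SECONDS)
        self._by_user[telegram_user_id] = digest
        return code          # the bot sends this string to the user

    def redeem(self, code: str):
        """Called by the login form with the single "password" field.
        Returns the Telegram user id on success, None otherwise. Any code
        that reaches a stored entry is destroyed, expired or not, so it
        can never be used twice."""
        entry = self._by_hash.pop(self._digest(code), None)
        if entry is None:
            return None      # unknown or already used
        telegram_user_id, expires_at = entry
        self._by_user.pop(telegram_user_id, None)
        if self._now() > expires_at:
            return None      # right code, but too late
        return telegram_user_id
```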
The convenience of this approach is that Telegram is available on every platform, and there is no need to search for the bot: you just follow the link shown on the login form. You can see how it looks live here:
https://x07.herokuapp.com/login
Of course, this scheme can be made more practical, reliable and secure.
To strengthen security and shorten the passwords, the bot can be made a little smarter: if it suspects something, it asks you to send it your location (Telegram supports this), and the backend then compares what you sent with where the login to the site is coming from.
In case Telegram is not at hand or is unavailable, or you simply do not want to go there every time, you can add a permanent password field in the database that can always be used to log in. At the same time the caring bot can be taught to notify you of any login to the site for which you did not request a password.
You can also add the name used in Telegram, or any other fields you like, even that same email.
As protection against simple brute force, instead of bolting on a captcha (which nobody can decipher), as most sites do, you can teach the bot to send you a notification asking you to confirm the login.
You can come up with a huge number of implementation options.
Advantages of this approach:
- No need to go through a long and demeaning registration procedure on the site and then dig through the mailbox for a letter with either a password or a registration-confirmation link.
- No need to remember a password: a new one is generated on every request!
- Safer than email!
- Telegram is actively developing and working stably!
- The password cannot be stolen without taking possession of the mobile phone.
- Access to Telegram via the web is as hard to obtain as access to the user's mobile phone.
- Telegram is available on all platforms.
- With this approach, your site becomes more accessible to users.
- On resources that ask for your phone number to better protect accounts, you will not need to enter one, since Telegram is already tied to a mobile number. Registering with a phone number puts some people off.
- Your phone number always stays secret and is not available to site owners.
Cons, where would we be without them...
- Spam can be sent through bots too.
- What happens on Telegram's servers is unknown; it too can collect and analyze your data (maybe that is not a minus).
- With a large number of users, the load on the server hosting the bot will grow.
- To some extent, there is a dependence on Telegram.
- Telegram may change or extend its API, which could let sites extract more information about you, or conversely make this scheme unviable.
What do you think? Would you implement this login method in your projects?