In an era of total data drain by Internet giants and criminal prosecution in the digital environment, users are afraid to leave any information about themselves. This is especially true of a VPN service, where users do not want to enter personal data even at registration, and access to the service on various platforms has to be provided quickly and without asking for unnecessary information. We created our GuruVPN service under the motto “Popular VPN”, so it was very important to make installation and user verification as simple and anonymous as possible.

In this article we want to share our experience of implementing a user authorization system across various platforms. This unique solution allowed us not to collect or store personal user data at all.
Background
At the first stage, our team decided that the application would have a classic authorization / registration system: email or phone, so that the user could pay for a subscription from one device and activate access on all devices.
We chose the format and started writing documentation, but at some point the question arose: how do we combine subscription data from the App Store and Google Play so that it can be synchronized on both platforms? Moreover, this had to be done in a way that established a common subscription term and did not contradict our positioning of “not collecting user data”.
Therefore, we began to develop a system that would meet the following requirements:
- does not collect or store users' personal data
- makes it possible to implement auto-renewable subscriptions across multiple platforms
And our team found a unique format: a system of temporary tokens was developed for authorization on desktops.
Authorization
What is the secret of this solution?
The user installs the application on a smartphone, pays for the subscription safely and quickly, and authorizes another device in one step using a QR code. No credentials, no login and no repeated purchase of access.
How it works for the user
- After you download the program on the desktop, the authorization screen appears, displaying a QR code.
- Download and launch the mobile app from the App Store / Google Play, with an in-app subscription.
- Scan or enter the authorization code in the mobile application.
- After successful authorization, wait for the connection control screen to load.
- Select a country to connect to and click "Connect".
- After permissions are granted, the VPN connection will be established.
How it works in reality
- During the initial authorization, the desktop application requests a temporary token;
- The database automatically generates a temporary token, which is given to the desktop application. For maximum data security, the lifetime of our token is 15 minutes;
- The desktop application displays a QR code and the token in plain text for the mobile application on the main screen;
- The mobile application scans the QR code, or accepts the code entered manually by the user, and sends it in an API request to confirm the user's device;
- The desktop application asks the server which user the token is bound to; if the binding exists, the API returns the id and the token for authorization.
Thus, we managed to implement a very simple and, most importantly, anonymous user authorization scheme, which gives access to the application on different platforms with a single subscription and without unnecessary steps.
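The token exchange described in the steps above, sketched as an added example (not GuruVPN's code). The class, method and field names are hypothetical, the store is in-memory, and one-time redemption of the token is an assumption the article does not state:

```python
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; the 15-minute lifetime stated in the article


class PairingServer:
    """In-memory stand-in for the API; every name here is hypothetical."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # temporary token -> {"expires": ts, "account": id or None}

    def request_token(self):
        """Desktop asks for a temporary token to show as a QR code / plain text."""
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._pending[token] = {"expires": self._clock() + TOKEN_TTL, "account": None}
        return token

    def _live(self, token):
        """Return the pending entry, purging it if its lifetime has passed."""
        entry = self._pending.get(token)
        if entry is None:
            return None
        if self._clock() >= entry["expires"]:
            del self._pending[token]  # expired tokens are never honoured
            return None
        return entry

    def confirm(self, token, account_id):
        """Subscribed mobile app binds its anonymous account id to the token."""
        entry = self._live(token)
        if entry is None or entry["account"] is not None:
            return False  # unknown, expired or already bound by another device
        entry["account"] = account_id
        return True

    def poll(self, token):
        """Desktop asks whether a binding exists; a bound token redeems once."""
        entry = self._live(token)
        if entry is None or entry["account"] is None:
            return None
        del self._pending[token]  # assumption: single use, a replay gets nothing
        return {"id": entry["account"], "session": secrets.token_urlsafe(32)}
```

The injectable `clock` lets the 15-minute expiry be exercised without waiting; the account id is an opaque value with no personal data attached.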
How it works in a mobile app store, using the App Store as an example
We will not dwell on the process of introducing in-app purchases in detail; a lot has already been written about it on Habr.
At the first stage, the receipt and the subscription status are checked on the server, along with the request parameters. Upon successful verification, the subscription status and session token are returned to the application.
After the receipt is validated, the algorithm is launched:

Result
The authorization process is very simple and fast: on average, installing and authorizing the application on the desktop takes only a couple of minutes and requires minimal effort from the user. As planned, we implemented a system of in-app purchases in a cross-platform format while maintaining the complete anonymity of user data, which is very important for a VPN service. Just as importantly, we were able to implement the process so that it fully matches the spirit of the project: an “application for the people”.