A video of an iOS implementation is available.
The idea of a user identity is a simple one, with the goal of eliminating the requirement that a user enter a password. Every other requirement, including storing, transmitting and hashing, should stay the same.
As soon as software that supports user identities is installed, the user is presented with a screen to identify herself.
The user enters her email and a new residence identifier is generated; both are securely persisted on the client [1]. On an iPhone that should be the keychain. A request is sent to the server to approve the new residence.
The server sends an email to the user to verify the new residence. Once the residence has been approved, its identifier and the user email are hashed and persisted. This becomes the residence of the user identity, which is used for future identification.
The owner of the identity can now use it to sign in remotely to the server and retrieve her data. The user identity, along with the residence identifier, should be transmitted over a secure channel and compared against the hash stored on the server.
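The server side of the flow described above, as an added sketch that is not the author's code or the iOS implementation. The class and function names, the in-memory storage, the lower-casing of the email and the choice of salted PBKDF2 as the hash are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def new_residence_id():
    # Client side: random 256-bit identifier, kept in the keychain with the email.
    return secrets.token_hex(32)

class IdentityServer:
    """Hypothetical in-memory server; a real one would use a database."""

    def __init__(self):
        self.pending = {}     # approval token -> (email, salt, digest)
        self.residences = {}  # email -> list of approved (salt, digest)

    @staticmethod
    def _digest(email, residence_id, salt):
        # Assumption: treat the identifier like a password (salted, slow hash).
        material = f"{email}\x00{residence_id}".encode()
        return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

    def request_residence(self, email, residence_id):
        # Hash at once so the plaintext identifier is never held server-side;
        # the record only becomes usable after the emailed token is approved.
        email = email.lower()
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, salt, self._digest(email, residence_id, salt))
        return token  # would be sent to the user in the verification email

    def approve(self, token):
        entry = self.pending.pop(token, None)  # single use: replay fails
        if entry is None:
            return False
        email, salt, digest = entry
        self.residences.setdefault(email, []).append((salt, digest))
        return True

    def sign_in(self, email, residence_id):
        email = email.lower()
        ok = False
        for salt, stored in self.residences.get(email, []):
            candidate = self._digest(email, residence_id, salt)
            ok |= hmac.compare_digest(stored, candidate)  # constant-time compare
        return ok
```

Each approved device adds its own record under the same email, so removing one residence does not affect the others.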
To delete an identity, slide across on an iPhone.
The identity is permanently removed from this residence.
[1] On the web, a secure client storage doesn't exist.
You are welcome Sam. (@samvermette)
Don't have experience in handling spam but don't see how this is any different from any other use case.
In any case, don't even see how effective spam can be since there is no control of the email content. Other than to annoy people in an effort to hurt your brand.
If someone was to abuse your service, would expect them to do it at an HTTP level, rather than from within the app.
Dealing with spam is another topic altogether though. (identifying heuristics, blocking IPs)
If you still feel uncomfortable with the idea, I guess a simple CAPTCHA in the app will do the trick?
By the way, there is now an iOS implementation with a lot more info on the subject. Also, a website that plans to list any apps using the above method. If you go ahead and implement it, let me know and will put your app up.
Thanks for your feedback.