A video of an iOS implementation is available.
The idea of a user identity is a simple one with a goal to eliminate the requirement of a user entering a password. Any other requirement, including storing, transmitting and hashing should stay the same.
As soon as a software is installed that supports user identities, a user is presented with a screen to identify.
The user enters her email and a new residence identifier is generated 1 both securely persisted on the client. On an iPhone that should be the keychain. A request is sent to the server to approve the new residence.
The server sends an email to the user to verify the new residence. Once the residence has been approved, its identifier and the user email are hashed and persisted. This becomes the residence of the user identity which is used for a future identification.
The now owner of the identity, can use it to sign in remotely to the server and retrieve her data. The user identity along with the residence identifier should be transmitted using a secure channel and compared against the hash stored in the server.
To delete an identity, slide across on an iPhone.
The identity is permanently removed from this residence.
- In the web, a secure client storage doesn't exist.
Well I was really just curious about your thoughts on this. For most of my apps I use the device UDID to authenticate with the server, without asking the user for an email or whatsoever. You're right the abuse case I described is just like any other abuse, and that this is a whole other topic to discuss.
Thanks for the reply!