Passwordless.id - first screenshots

dagnelies

Arnaud Dagnelies

Posted on August 23, 2022

Passwordless.id - first screenshots

Introduction

So, first things first, I chose a domain name, yay!

It's https://passwordless.id ...now "id" is quite an unusual ending (it's actually for Indonesia), but I thought it would fit well as a shortening of "identity" since that is what this upcoming app is about.

Passwordless

Authentication using TouchID or FaceID for everyone. Less passwords, more security!

passwordless.id

What is this about? It's about providing a smoother and safer authentication to the masses. How? Using your fingerprint or face to register/login for instance. And of course, it's not sent to the server! If you want to try out and learn more about it, just go to the website, there is a really basic demo and explanations.

What's next?

What I'm developing right now is a "public service" allowing anyone to register/login passwordlessly. It's really easy and more secure (for an in-depth explanation, check the website).

Roughly speaking, websites will redirect to https://passwordless.id if the person is not authenticated. Once authenticated, the user will be redirected back to the original website with access to the user's information.

The screenshots!

Now, please remember that this is all pre-alpha-in-development stuff. It might still change a lot.

The first page you see is the sign in/up form. Since biometric device based login is quite different than traditional password flows, an F.A.Q. section is directly added.

Image description

Once you click on it, you will be prompted for biometrics, unlock pattern or PIN code to verify it's you locally. This comes from the operating system, so this part will look different on Windows/Android/IPhones. In this case it's a sample from my Windows laptop with a German locale.

Image description

And once done, you will arrive at the profile page, which you can edit and save... once the e-mail confirmation link was clicked.

Image description

There, if you don't want to use your own portrait, you can also pick from a gallery!

Image description

And once you are done, come back to where you originally came from.

Image description

...Where you can access the profile and portrait with a simple "GET"!

Image description

Regarding the design and styling, I hesitated a lot... And still do! Should it be more "corporate"? More neutral? Even color agnostic? ... Or more unique, different, personal? Well, in the end, that's what I ended up with.

Even though I'm not yet completely convinced, and it might change in the future, it's "good enough" for now... I guess.

Why not simply use "Sign in with Google/Microsoft/Facebook..."?

That was actually a question posted in a comment of my previous article. I was not able to properly respond at that time since it did not really fit as a comment but I will try my best now.

Developer experience

Actually, I came from a developer POV. The whole OAuth2 thing required to make these authentications work is actually surprisingly complex and really annoying to implement. After all, OAuth2 was not meant for authentication, it is a protocol for authorizing access to APIs. This dancing around the OAuth2 protocol is one of the things that is typically underestimated by developers until they get actually try to use it. Things are now mature and there are a lot of helpful libraries, but the core complexity is still there to deal with.

What I want to offer in exchange is a super dead simple authentication mechanism that is intuitive and trivial for developers to use. A simple "GET" to get the user profile and a simple redirect if the user is not authenticated or requires approval.

Security

From a user's perspective, the benefits are less obvious but still exist.

Since the protocol is based on secret keys stored on the physical device, you can be pretty sure it cannot be hacked/phished/scammed. There is no password to steal and you would have to steal the user's device to access its account.

Wait! What if I lose my device or want to access it from somewhere else? Well, you are still able to register new devices via phone, confirming it through another registered device, even plain e-mail if you judge safe enough, with or without additional security checks, etc. It is up to the user to chose its own protection level.

Of course, if the phone/computer belongs to someone else, you may also simply request a temporary session by similar means instead of authorizing the device itself.

Privacy

You may not want Google, Microsoft, Facebook (etc) to know everything you are doing and all the websites you have signed in with them. They are known for their extensive tracking and some people dislike it.

Also, there is little room for "filtering" the information going out. For example, you may want them to know your nickname but not your firstname/lastname ...well, you cannot do that. Websites access your whole profile or nothing.

💖 💪 🙅 🚩
dagnelies
Arnaud Dagnelies

Posted on August 23, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related