Design: Web Login Via Mobile

Link. This is an awesome post on SoundCloud Engineering Blog.
The method to setup is simple. The main take away from this article is how to handle the security issue. The points mentioned below will make sense once you have gone through the above link
1. Show user the details in UI before granting access(like google).
2. Have a wide range of possible code so that a attacker can burn up the codes and at the same time have a rate limit.
3. When a user requests for a code, send back an authentication code  so that an attacker can’t just lookup for random code and get access.
4. Need to have check that the user that generated the code and using the code are authentic. Like both the request, to generate the code and to grant access are on the same IP.
5. We should use information from the device at time of granting access. Like ‘Anil’s XBOX’ wants to access your account. These information help to check fake cases where the code was randomly generated by an attacker and sent to a user.
6. We could use QR code instead of asking the user to type the code. This basically depends as to whether your users have a way to read those QR code.

This kind of design is common in many application, eg. Watsapp Web. Instead of generating a id for the user to type in they use a QR code. 

 

 

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s