Link: this is an excellent post on the SoundCloud Engineering Blog.
The setup itself is simple. The main takeaway from the article is how it handles the security issues of pairing a device with an account. The points below will make sense once you have read the post linked above:
1. Show the user the details in the UI before granting access (as Google does).
2. Use a large space of possible codes so that an attacker cannot burn through them, and apply a rate limit on top of that.
3. When a user requests a code, send back an authentication code (a secret) along with it, so that an attacker cannot simply enter a random code and gain access.
4. Check that the party that generated the code and the party using it are the same, e.g. that the request to generate the code and the request to grant access come from the same IP.
5. Use information from the device at the time of granting access, e.g. "Anil's XBOX wants to access your account". This information helps the user spot fake cases where the code was generated by an attacker and sent to them.
6. A QR code can be used instead of asking the user to type the code. Whether this works depends on whether your users have a way to scan QR codes.
This kind of design is common in many applications, e.g. WhatsApp Web: instead of generating an ID for the user to type in, it uses a QR code.
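As an added example (not code from the linked post or from SoundCloud), the following Python sketch of a pairing service puts points 2 to 5 together: a large code space, a per-IP limit on failed code entries, a device secret returned with the code that must be presented to redeem the approval, and a device description the UI shows before access is granted. Class and method names, the code alphabet and the limits are assumptions.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O or 1/I
CODE_LEN = 8                                   # 32**8 ~ 1.1e12 possible codes
MAX_FAILURES = 5                               # bad entries allowed per approver IP


class DevicePairing:
    """Device asks for a code, user approves it in a browser, and only the
    holder of the device secret can redeem the approval for a token."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.pending = {}    # user_code -> record
        self.failures = {}   # approver_ip -> failed attempts (point 2)

    def request_code(self, device_name):
        """Called by the device; returns the code to show plus a private secret (point 3)."""
        user_code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        device_secret = secrets.token_urlsafe(32)
        self.pending[user_code] = {"device_name": device_name, "secret": device_secret,
                                   "expires": time.time() + self.ttl,
                                   "approved": False, "token": None}
        return user_code, device_secret

    def describe(self, user_code):
        """Text the approval page shows before the user clicks allow (points 1 and 5)."""
        rec = self.pending.get(user_code)
        if rec is None or time.time() > rec["expires"]:
            return None
        return f"{rec['device_name']} wants to access your account"

    def approve(self, user_code, approver_ip):
        """Called from the logged-in user's browser; unknown codes count against the IP."""
        if self.failures.get(approver_ip, 0) >= MAX_FAILURES:
            return False                             # locked out
        rec = self.pending.get(user_code)
        if rec is None or time.time() > rec["expires"]:
            self.failures[approver_ip] = self.failures.get(approver_ip, 0) + 1
            return False
        rec["approved"], rec["token"] = True, secrets.token_urlsafe(32)
        return True

    def redeem(self, user_code, device_secret):
        """Called by the device; knowing only the user code is not enough."""
        rec = self.pending.get(user_code)
        if rec is None or not rec["approved"]:
            return None
        if not hmac.compare_digest(rec["secret"], device_secret):
            return None
        return self.pending.pop(user_code)["token"]  # single use
```

An attacker who generates a code and tricks a user into approving it still cannot redeem it without the secret that was handed to the requesting device, and guessing codes against the approval page is cut off by the per-IP failure limit.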