Add Device Flow

PasswordLessAuth.

This flow allows users to register additional devices (each with its own key pair) for their accounts.

Users of mobile applications or SaaS products usually access their apps from multiple devices, often simultaneously. PasswordLessAuth has been designed with this principle in mind, while staying as agnostic as possible of the underlying technology and concrete implementation.

Each user can have multiple devices, each associated with at least one asymmetric key pair, so every public key stored in the authentication service can be traced back to a specific user's device.

A user must be able to add new keys (and thus new devices) at any time. Since there is no password to rely on, registration of an additional device is authorized through a previously trusted device, one that was registered and successfully authenticated by the same user. There are several ways to achieve this, but the recommended, standard way in which PasswordLessAuth implements it is a security code sent to the user's previously registered email address. This flow has been designed to achieve precisely that.

The flow starts with a call to POST /pwless/signup, exactly as in the regular Signup Flow. This time, however, the authentication service checks the email sent in the request and finds that it belongs to an already registered user. It then generates a security code and sends it to the user's email address. This code must follow three principles:

- It has to be different for every response of /register, and hard to guess.

- It has to be randomly or pseudo-randomly generated.

- It needs to be easy for a user to type in a smartphone or mobile device application.

With these principles in mind, PasswordLessAuth recommends a string of 6-10 characters made of English words plus numbers, such as mouse132 or 3171table. The authentication service then responds as follows:

Response: 200 OK
{
   "success": true,
   "code": "code_validation_required",
   "security_nonce_signed": "aef6vhs786fva9s86"
}

The recommended UI/UX behavior is to present an input field where the user enters the code that was sent to the registered email address. The user checks the email just sent by the authentication service and enters the code in the application, which then performs a POST /pwless/devices request to the authentication service.

If the authentication service validates the security code, a new entry is created in the devices table for the user and associated with the new public key and a login key. A new security code is generated and associated with the user before the response is sent.

Request and Response

POST /pwless/devices
{
   "email": "user@emailserver.com",
   "key_data": "Ab4ka82dkl29G9aj29231ak3",
   "device_info": "Samsung Galaxy S6 SM-G920F",
   "key_type": "rsa",
   "key_length": 2048,
   "signature_algorithm": "SHA1",
   "security_code": "horse291"
}
Response: 200 OK
{
   "success": true,
   "code": "success",
   "user": { "id": 23482732, "email": "user@emailserver.com" },
   "key": {
      "id": 278349,
      "user_id": 723867,
      "key_type": "rsa",
      "signature_algorithm": "SHA1",
      "key_length": 2048
   }
}
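The following is an added example, not PasswordLessAuth's own code: a minimal in-memory model of the service side of this flow, covering both the security code principles above (random, hard to guess, word plus digits, 6-10 characters) and the /pwless/devices handling (single-use code, constant-time comparison, new device record, fresh code generated before the response). The AuthService class, its word list, the 10-minute code lifetime, the error code strings and the in-memory "outbox" standing in for email delivery are all constructed for illustration; the security_nonce_signed field of the real response is not modeled.

```python
import hmac
import secrets
import time

# Constructed word list (3-7 letters) so that word + three digits stays within 6-10 characters.
WORDS = ["mouse", "table", "horse", "river", "cloud", "stone", "apple", "green", "sun", "lantern"]

CODE_TTL_SECONDS = 600  # assumed lifetime; the flow description does not specify one


def generate_security_code():
    """English word plus three digits, in random order, drawn from the OS CSPRNG."""
    word = secrets.choice(WORDS)
    digits = f"{secrets.randbelow(1000):03d}"
    return word + digits if secrets.randbelow(2) else digits + word


class AuthService:
    """In-memory stand-in for the authentication service (constructed for this example)."""

    def __init__(self):
        self.users = {}     # email -> user id
        self.devices = []   # registered device/key records
        self.pending = {}   # email -> (security code, expiry timestamp)
        self.outbox = []    # (email, code) pairs "sent" by email
        self._next_id = 1

    def _new_id(self):
        self._next_id += 1
        return self._next_id - 1

    def _issue_code(self, email):
        """Associate a fresh security code with the user; each call replaces the previous one."""
        code = generate_security_code()
        self.pending[email] = (code, time.time() + CODE_TTL_SECONDS)
        return code

    def _register_key(self, user_id, request):
        key = {
            "id": self._new_id(),
            "user_id": user_id,
            "key_type": request["key_type"],
            "signature_algorithm": request["signature_algorithm"],
            "key_length": request["key_length"],
        }
        self.devices.append({**key, "key_data": request["key_data"],
                             "device_info": request.get("device_info")})
        return key

    def signup(self, request):
        """POST /pwless/signup: a known email starts the Add Device flow instead of a new account."""
        email = request["email"]
        if email in self.users:
            self.outbox.append((email, self._issue_code(email)))
            return {"success": True, "code": "code_validation_required"}
        user_id = self._new_id()
        self.users[email] = user_id
        key = self._register_key(user_id, request)
        return {"success": True, "code": "success",
                "user": {"id": user_id, "email": email}, "key": key}

    def add_device(self, request):
        """POST /pwless/devices: validate the emailed code, then register the new key."""
        email = request["email"]
        # Single use: the pending code is consumed whether or not it validates,
        # so each emailed code allows exactly one attempt.
        entry = self.pending.pop(email, None)
        if entry is None:
            return {"success": False, "code": "no_pending_code"}  # constructed error code
        code, expiry = entry
        supplied = str(request.get("security_code", "")).encode()
        if time.time() > expiry or not hmac.compare_digest(code.encode(), supplied):
            return {"success": False, "code": "invalid_security_code"}  # constructed error code
        user_id = self.users[email]
        key = self._register_key(user_id, request)
        # A fresh code is generated and associated with the user before responding,
        # so the code that was just used can never be replayed.
        self._issue_code(email)
        return {"success": True, "code": "success",
                "user": {"id": user_id, "email": email}, "key": key}
```

Consuming the pending code on a failed attempt is a design choice of this example: a wrong guess forces the user to restart the flow from /pwless/signup, which keeps an attacker who intercepted nothing from enumerating the small code space. hmac.compare_digest is used so that the comparison time does not depend on how many leading characters of the guess were right.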