Signup Flow

PasswordLessAuth.

The Signup Flow allows users to create an account and register their first device. That device is uniquely identified by a private-public key pair, and the email address is used for authentication and for authorizing future device registrations for the same account.

The process starts when the user opens the application for the first time, and chooses to register a new account.

At that moment, an asymmetric private-public key pair is generated on the device. The private key should be stored securely so that it can only be accessed (for signature and verification purposes) from the user's device. In strict mode, the biometric sensor is used to authenticate the user.

A POST /pwless/signup request is sent from the user's device to the authentication service. The request includes the user's email, the public key that was just generated (together with information about its format: the key type, its length and the OpenSSL digest algorithm used), and optionally a random security nonce and information about the device.

This security nonce is signed by the authentication service and sent back to the user so that the device can verify the signature and be sure it is communicating with the right service. It must be a random string between 48 and 64 characters long.

The authentication service checks that the user (identified by the email address) does not already exist in the database, then creates a user entry in the users table, along with an entry in the keys table containing the public key sent by the user, a randomly generated login_key and an access_token. These keys should be strings between 48 and 64 characters in length.

If everything works correctly, the authentication service returns an OK response (ideally 201, or 200). If a security nonce was included and accepted in the registration request, the OK response also carries that nonce signed by the server. If the request cannot be processed (for example, because the email address is already registered), a bad request (400) is sent back to the user.

Request and Response

Request: POST /pwless/signup
{
   "email": "user@emailserver.com",
   "key_data": "Ab4ka82dkl29G9aj29231ak3",
   "security_nonce": "a87as78QY2N9A8EydS6AS2",
   "device_info": "Apple's iPhone 5C",
   "key_type": "ec",
   "key_length": 256,
   "signature_algorithm": "ecdsa-with-SHA1"
}

Response: 201 Created
{
   "success": true,
   "code": "success",
   "user": { "id": 23482732, "email": "user@emailserver.com" },
   "key": { "id": 382739283, "key_type": "ec", "key_length": 256, ... },
   "security_nonce_signed": "17a97a6w9v46aw97aw87bsjhava8ba0a76hc"
}