
We need passwordless auth

“You can’t breach/leak something that doesn’t exist!”

Hello devs!
I have a suggestion but I don’t know where to send/post it, so that’s why I post it here.

As I stated above: “you…”.
I would like to suggest passwordless auth to be added to your features.

And for those people/devs that successfully achieved this method using Backendless:
please help me achieve this…

REGARDS,
YHAL

Are you referring to something like biometrics or some kind of two factor authentication? I found this whitepaper from Microsoft about password-less authentication. For biometrics, that may be hard considering the majority of desktop computers don’t have any kind of thumbprint scanning or webcam face scanning abilities.

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2KEup

For a third party two-factor authentication, you’d need the majority of users to be ok with downloading an additional application to verify their account and I’m not sure if that is feasible. Here is Microsoft’s example of an auth app:

I know that the publishing site, Medium, implemented an email-only login system that sends you a login token every time you want to access the site. That introduces a bit of friction that some people might not want to deal with.

https://blog.medium.com/signing-in-to-medium-by-email-aacc21134fcd

Perhaps instead of email, having the ability to log in with your phone number and using a text code? Looks like Auth0 has this capability of texting and code-confirming.

@Brewhouse_Digital
Oh… sorry for not clarifying. What I want to achieve is to not use any password… just an email/username, and after clicking/logging in the server sends a one-time link to log in.
In Firebase it is called “passwordless” login.

Since the user id in the users table is unique and random, why don’t you use it instead of the password? The first time a user registers, you create the user and return the user id along with other information; then the id is cached on the user’s device, and when the user performs a sensitive action, send the user id along with the request (device -> backendless) and check if he’s allowed to do that action (if the data related to that id are okay).

You should be careful that you don’t send the user row to any other person except the one who has its id… but you still need a way to retrieve that id when it’s not cached on the user’s device.

I’m not sure how good this way is. I’m not an expert in the authentication and security field.

Hi everyone @John_Aerial_Azcune @Brewhouse_Digital @Hassan_Kanso

We already have that implemented. In the Business Logic, in Backendless.UserService.login method you can pass user’s objectId as the first argument (though you have to use your Code Runner API key). Is that what you seek?

Regards, Igor


Do you mean: if I press the button after filling in the username/email, it will send a link saying “click OK to log in”…

This is how I see it:

  1. The user enters his identity and clicks the Submit button.
  2. You retrieve the user object with that identity and remember its objectId as userToLoginId.
  3. You generate a token as userLoginToken.
  4. Then you put the token-userId pair into the cache with a timeout, for example 5 hours [doc: https://backendless.com/docs/js/ut_putting_data_into_cache_js.html].
  5. Generate a link to a Business Logic Service with the token at the end. This service must check if the token exists in the cache; if positive, extract userToLoginId from the cache and then log in the user by invoking Backendless.UserService.login(userToLoginId).
  6. Send this link to wherever you want. When the user clicks it from the same device, he will be logged in to your app.

@Igor_Bogunkov
Tnx for your response!!

Just a follow-up question…
Now I have already implemented passwordless login.
My question is:
“HOW CAN I IMPLEMENT PASSWORDLESS REGISTRATION?” Is it possible to do this?

Hi, @John_Aerial_Azcune

The “Password” column is mandatory and cannot be deleted from the “Users” table. As an option, I would suggest you create your own table for users, where you add and mark as mandatory only those columns that you consider necessary. This may solve your problem.

Regards,
Marina

@Marina.Rudenko
Tnx for your response…
Yeah, I already thought of that possibility so I searched in advance… but I was hoping there was already something implemented in Backendless that I skipped while reading the docs, so that’s why I asked in this forum…

BTW…
thanks! I’ve had a lot of fun and learned many things while discussing this.

Happy coding with Backendless!

Regards,
Marina

Tnx…
@Marina.Rudenko

Right now I’m confused…
Can you give me a sample structure or workflow on how to achieve this,
or where to start?
Or do I really need to make my own authentication?
Thanks in advance.
Regards,
YHAL

@John_Aerial_Azcune Firstly you need to create a table in the Data section. Then, using our Business Logic Codeless system, you can add logic to this table.
Why don’t you need a password? How do your users perform authorization? I mean, how do they retrieve a user-token if they can’t perform the login operation with a password?

Regards,
Marina

@Marina.Rudenko
As I stated above.
That is the main goal/reason why I want to authenticate/register/log in the users/my account this way.
That means you can’t access my data unless you have my email/phone number/other authentication that will receive the one-time login/register link.

REGARDS,
YHAL

I can offer you the next steps:

  1. Create a custom table of users with the fields name, email, phone, confirmed (boolean), registrationToken.
  2. The user enters his name and mail or phone and clicks the “Submit” button. We create an entry in users with confirmed=false and a generated registrationToken. We add the same registrationToken to our cache, paired with the created user.objectId.
  3. We send an e-mail to the user saying that you were logged in, click on the link. This link should contain the registrationToken.
  4. The user follows the link, the registrationToken is extracted from the link and checked against the token in the cache; if it is the same, the user is found by the token. This user is set to the status confirmed, and he is also logged in to the app with Backendless.UserService.setCurrentUser(user).
  5. Using our business logic, you can add a timer that will clear users with confirmed = false and createdAt older than a certain period of time.

Regards,
Marina

@Marina.Rudenko

Tnx…
This helped me a lot…
I’m the type of guy who says “YOU DO THE IDEA, I’LL DO THE CODE”…
because if I think of an idea, my mind wanders around; even this piece will not help my code…
Hahahahah…
Thank you for your time…
And sorry for consuming your time.
BEST REGARDS,
YHAL

EDIT 1:
Now I foresee the biggest hole/problem in this…
“THE SECURITY RULES” hahahaha… silly me…
I guess I’ll make a new thread for this, right?