Story
I am developing an app that will be used from desktop and mobile browser (NodeJS, JS, HTML, CSS). I am also planning to wrap it with phonegap or react native to make it a downloadable/installable mobile app later.
Users can sign up with username and password. But the user account will be activated only after user's thumb fingerprint validation. This is to avoid duplicate/ghost accounts bring created.
Note
Fingerprints are not good passwords. So I am only planning to use them to activate account. After an account is activated users will login using usual username and password.
Queries
How to get user's thumb fingerprint or a unique token that represents fingerprint in HTML, JS, CSS?
Is there anything else that will stop duplicate/ghost account other than fingerprint?
Related
I am developing a web-app that uses Firebase (web client JavaScript). For authentication, I am trying to implement sendSignInLinkToEmail to sign in a user. But, I’m facing an issue.
Suppose the user is trying to login on his desktop and uses his phone for verification, I want to redirect him to the dashboard on the desktop after verification. How can I do this?
Ref: https://firebase.google.com/docs/auth/web/email-link-auth
const actionCodeSettings = { url: 'dashboardURL', handleCodeInApp: true }
This redirects to the dashboardURL on the phone (device used for verification), but I want to redirect on the desktop (device that initiated the login flow).
Firebase Authentication does not natively support this. You'll be logged in on the device where you open the link. You'll have to build this functionality yourself and a simpler approach would be to use Cloud Functions and Realtime Database.
The flow would be like:
User clicks on "send link" and is redirected to a page that listens for updates in realtime database at a key (randomly generated session ID depending on your requirements).
When a logs in on another device, call a Cloud Function that generates a custom token for signing in and then emit it the first device via realtime database.
Log the user in with signInWithCustomToken().
This is just a simplified version of a system that might use websockets, session Ids and additional factors for security. You can also use Firebase Anonymous authentication to ensure only that user can this token using security rules.
I'm working on a Wix website where users can connect their social media accounts and have data from them displayed on their profile pages.
Currently, the form just asks them to input their social media URLs. Obviously, this is a problem, as there's no way for to verify that these accounts actually belong to them. How can I have them sign in to their social accounts to have them verify that they own the accounts from within the sign-up form?
Currently I'm having them connect their YouTube, Twitch, Instagram, and TikTok accounts. I imagine there's some kind of OAuth solution, but I just don’t know what. It is critical to the function of the site that we are 100% sure the connected accounts are correct.
You don't do it in Velo unless you have a very specific reason.
The Wix ADI natively supports it (refer to here).
And as for other things like TikTok, that can be done by writing Node.js backend code:
Does anyone have any thoughts on how to build a user profile system on a site that is so secure that there's absolutely no way to figure out that person's identity; while also allowing them to reset their password?
Don't want their email
Don't want a phone number for SMS
Don't want to use the social media platforms to authenticate
Cannot use secret questions because they forget their own answers
Cannot use a TOTP app on a cell phone because people lose/break their phones (and some still don't have a cellphone)
Cannot use a cookie on their device because it isn't universal across phone/laptop/tablet, and they break their devices
Cannot fingerprint their browser agent, ip, etc, because the users access the site from multiple systems, from multiple different IP's. There are also multiple users logging in from the same home computer.
Cannot issue them a physical token because cost, and, they'd lose them
Has anyone figured out an identity broker system that isn't associated with big social media? The user could register their identity stuff with the 3rd-party broker, and the broker just gives me a key to identify them? That is free for everyone to use? Kind of like the GPG key ecosystem...
Looking for ideas. How can I register an account for you, but no matter how hard I try, I never have any data that I could use to Google you?
Hello to the whole community. :)
I am currently working on integrating moodle for an e-learning platform. I have implemented most of the functionalities using web services (Javascript Client). But, unfortunately, I find that the web authentication service does not exist.
I said to myself, for authentication at the level of my system without redirecting the user to moodle from the information in the moodle database, I retrieve the password from the login and I test with the data entered by the user but the concern is that the core_user_get_users and core_user_get_users_by_fields functions do not send me the password (encrypted) but just the other information.
Need your help !!
core_user_get_users and core_user_get_users_by_fields are, quite correctly, incapable of sending the user's password, because Moodle itself doesn't know what the user's passwords are.
Moodle only stores a one-way hash of the user's passwords - each time a user logs in, the hash of the password they entered is compared with that in the database and the user is allowed in, if they match. By design, it is very difficult (and time consuming) to start with the hashed password in the Moodle database and figure out the user's password.
If you need a mechanism for logging a user in to Moodle from your system, without them having to enter a password, then you should consider using a Moodle authentication plugin that supports Single Sign On - the standard Moodle authentication plugins are listed at: https://docs.moodle.org/en/Authentication, but you may find that there is a 3rd-party authentication plugin that helps you at: https://moodle.org/plugins/?q=type:auth (https://moodle.org/plugins/auth_saml2 is often a good place to start).
I'm recreating Yik Yak mobile application as a web application in process of learning Meteor framework. But that app is completely anonymous without user accounts, but still you can upvote or downvote post only once. How to make this work ?
What you want will probably require more than just JavaScript, and some back-end code (with the language of your choice).
If it's a website, you can try to identify a user by the IP/MAC address of his/her computer. But the problem is that it is not going to be reliable (e.g.: users could hide behind fake addresses, or multiple users could use the same IP). You can read about some methods on this question (PHP).
If it's a mobile application, use the unique device ID (but again, that will require more than plain JavaScript).
On Android: Settings.Secure#ANDROID_ID (read more on this question)
On iPhone: [UIDevice currentDevice] uniqueIdentifier (read more on this question)
On Windows Phone: DeviceExtendedProperties.GetValue("DeviceUniqueId") (read more on this question)
If you are using Cordova/PhoneGap to create a web app, you can use the device.uuid to get a unique identifier (read more here)
With the unique device ID (UDID), you can identify what device voted, without knowing who is the owner of that device and without forcing your users to create an account/log in.