Author Topic: Passwordless system worth considering?  (Read 1459 times)

Offline Topazan

  • Level 14
  • *
  • Posts: 117
  • Reputation: +3/-0
    • View Profile
Passwordless system worth considering?
« on: October 13, 2010, 04:27:42 PM »
I was thinking about how facebook games handle all their authentication through facebook itself, and was wondering if you could take it a step further.  What if logins worked the same way as email verification?  

Ok, that might be too slow and inconvenient, but what about logging in through instant messaging?  You message the game's bot, and it replies with a unique login link.  For security purposes, only the most recent link works, and only once.

You could even give players multiple options for authentication: facebook, email, IM, maybe even the pm system in other online games. :)  One advantage of this is you're outsourcing the authentication process, so you don't have to worry about the "stolen database" scenario that people like to discuss here.  Also, registration would be slightly simplified, all you'd need to do is im the bot with the username you want, or maybe not even that if the game is set up a certain way.

I don't know, most of you will probably say it's not necessary, and maybe it isn't, but it might be nice to have this option in addition to the regular username/password.  

EDIT:  Actually, an IM bot integrated with the game could have all sorts of uses.  It could be set to notify people when a timer's up, or something happens in game that affects them.  You could even let them undertake some actions through IM.  People often have IM clients on their cell phones, or they can receive text messages from IM services, so they'll be able to access the game at all times.

It probably wouldn't be good as the only means of authentication though.  If one of the networks shuts down, or makes changes that make your bot stop working, a lot of people would lose their accounts.  But even if you had to have a username/password as a backup, it could still be nice to allow IM authentication.
« Last Edit: October 13, 2010, 05:33:45 PM by Topazan »

Offline dsheroh

  • Level 21
  • *
  • Posts: 235
  • Reputation: +6/-0
  • Perl Vicar
    • View Profile
    • Psi Rangers
Re: Passwordless system worth considering?
« Reply #1 on: October 14, 2010, 07:18:54 AM »
From a tech standpoint, it's definitely possible, given that it's not really all that different from existing password-reset schemes based on providing the user with one-time login credentials via a (relatively) trusted alternate channel (usually email to the registered account address).

From a user standpoint, it sounds like a fair bit of hassle to have to go to the game, request a login token, log on to email/IM/whatever, retrieve the token, go back to the game, enter the token, and (finally!) get access to the game.  Especially if you decide to be like so many BBG designers and use insanely short session expiration times which force users to log in multiple times a day.


I've spent about a year on the twitter-dev mailing list and one of the recurring themes I've seen there (especially around the time of the Basic Auth deprecation) has been "my users want to log in with username/password; they say using Twitter OAuth is too complicated".  Unless you can come up with a solution which is easier for the average user than OAuth and requires less effort than OAuth for the user (keeping in mind that Twitter OAuth is basically "click the 'login with Twitter' link, click 'Allow' on Twitter's OAuth page, and you're done"), the average user will not accept it.

Offline Chris

  • Game Owner
  • Level 35
  • *
  • Posts: 2,217
  • Reputation: +28/-1
    • View Profile
Re: Passwordless system worth considering?
« Reply #2 on: October 14, 2010, 08:19:17 AM »
No.

(that's the first post where I feel that my answer fully and accurately conveyed what I wanted to say :D)

Offline Topazan

Re: Passwordless system worth considering?
« Reply #3 on: October 14, 2010, 10:09:40 AM »
Quote
From a user standpoint, it sounds like a fair bit of hassle to have to go to the game, request a login token, log on to email/IM/whatever, retrieve the token, go back to the game, enter the token, and (finally!) get access to the game.  Especially if you decide to be like so many BBG designers and use insanely short session expiration times which force users to log in multiple times a day.
Well, what I was envisioning was setting up an IM bot.  The user would just have to message the bot, which would reply with a link containing the token as GET data.

Maybe I'm wrong to assume this, but I thought that most people who use IM regularly would be logged in all the time.  So that leaves two steps.  Message the bot, click on the link.

Never heard of OAuth, I'll read up on it.

Chris-  :) Well, you may not like this particular idea, but keep in mind those wildly successful facebook games are passwordless.

Offline Chris

Re: Passwordless system worth considering?
« Reply #4 on: October 14, 2010, 11:07:05 AM »
Quote
Chris-  :) Well, you may not like this particular idea, but keep in mind those wildly successful facebook games are passwordless.
What if they do not use/hate FB or simply do not want their wall to be spammed?

Offline Topazan

Re: Passwordless system worth considering?
« Reply #5 on: October 14, 2010, 11:40:32 AM »
Quote
Chris-  :) Well, you may not like this particular idea, but keep in mind those wildly successful facebook games are passwordless.
What if they do not use/hate FB or simply do not want their wall to be spammed?
They log on through an IM bot?  :D

I'm not sure why you're asking this, as far as I know most of the most popular facebook games do not provide an alternative means of authentication.

Offline Chris

Re: Passwordless system worth considering?
« Reply #6 on: October 14, 2010, 11:57:31 AM »
Quote
Chris-  :) Well, you may not like this particular idea, but keep in mind those wildly successful facebook games are passwordless.
What if they do not use/hate FB or simply do not want their wall to be spammed?
They log on through an IM bot?  :D
I assume you mean some kind of Instant Messenger? But which one? Do you want to implement all most popular IMs worldwide? :D
OK, I know you mean Microsoft Instant Messenger, sorry to disappoint you, basically no one knows what IM is in Poland, I only know because I hang out with foreigners.

Second, FB is not so popular in some countries... Do you want to include NK.pl for Polish users? What about French most popular social network (I think they should have one since they loathe English language). Or Bulgarian?

Quote
I'm not sure why you're asking this, as far as I know most of the most popular facebook games do not provide an alternative means of authentication.
But these are FB only games.

You know FB and Google seems strong for you if you are English. But around the world they are in decline right now, in some countries these are not as popular as national social networks/search engines.
You would say that if your game is 100% in English you don't care, but that's not true. There is a huge percentage of "foreigners" who know English but do not use the global services but national ones. They would play your game but not if they have to install some "IM" whatever it might be :D

Offline Topazan

Re: Passwordless system worth considering?
« Reply #7 on: October 14, 2010, 12:12:33 PM »
Quote
Chris-  :) Well, you may not like this particular idea, but keep in mind those wildly successful facebook games are passwordless.
What if they do not use/hate FB or simply do not want their wall to be spammed?
They log on through an IM bot?  :D
I assume you mean some kind of Instant Messenger? But which one? Do you want to implement all most popular IMs worldwide? :D
OK, I know you mean Microsoft Instant Messenger, sorry to disappoint you, basically no one knows what IM is in Poland, I only know because I hang out with foreigners.

Second, FB is not so popular in some countries... Do you want to include NK.pl for Polish users? What about French most popular social network (I think they should have one since they loathe English language). Or Bulgarian?

Quote
I'm not sure why you're asking this, as far as I know most of the most popular facebook games do not provide an alternative means of authentication.
But these are FB only games.

You know FB and Google seems strong for you if you are English. But around the world they are in decline right now, in some countries these are not as popular as national social networks/search engines.
You would say that if your game is 100% in English you don't care, but that's not true. There is a huge percentage of "foreigners" who know English but do not use the global services but national ones. They would play your game but not if they have to install some "IM" whatever it might be :D
Actually, I didn't mean to specify a certain instant messenger.  If I was going to implement this, it would ideally use XMPP with transports to talk to other networks, including your Polish GaduGadu.  :)  A multi-protocol service like www.imified.com is another option, but much more limited.  In fairness, I've never tried either before, so they may not work the way I think they do.

It's a fair point that you can't accommodate everyone in the world, but you can still have a decent sized audience.  If others really want to play your game, they can sign up for one of the services you support.  Besides, there's always the option of having this in addition to the traditional system.

Offline Chris

Re: Passwordless system worth considering?
« Reply #8 on: October 14, 2010, 12:19:15 PM »


Quote
Actually, I didn't mean to specify a certain instant messenger.  If I was going to implement this, it would ideally use XMPP with transports to talk to other networks, including your Polish GaduGadu.  :) 
Wow!!! Drop details after you investigate this further. If this includes even GG then it must be really powerful.

Quote
It's a fair point that you can't accommodate everyone in the world
You can, you just need to make a register page which asks for login and password :D

Quote
Besides, there's always the option of having this in addition to the traditional system.
Which brings us back to square one. A traditional system with additional ConnectToFacebook button :D

Offline Topazan

Re: Passwordless system worth considering?
« Reply #9 on: October 14, 2010, 12:31:17 PM »
Quote
Wow!!! Drop details after you investigate this further. If this includes even GG then it must be really powerful.
Well, a cursory google search seems to indicate that there are XMPP transports for GG.  The pidgin client (http://www.pidgin.im/) also seems to support it, so that means the protocol must already be known to the public.

Quote
You can, you just need to make a register page which asks for login and password :D
Oh yeah?   :D  What if their government has a system like China's and they block your site?  What if they use a browser that doesn't support the http protocol?  What about people who don't have computers?  Ok, I'm just being silly.

Quote
Which brings us back to square one. A traditional system with additional ConnectToFacebook button  :D
Well, true, that wouldn't technically be a passwordless system.  What if we pretend I named this thread "Using a chatbot as a means of authentication"? :)

Offline Topazan

Re: Passwordless system worth considering?
« Reply #10 on: October 14, 2010, 04:54:04 PM »
Well, I've done a little more research, including downloading an XMPP client and registering with a server that offered transports.  There are a lot of servers that offer a wide variety of transports: http://www.jabberes.org/servers/.  Setting up one's own server is also an option.

The bot itself would just be a custom XMPP client.  There are libraries in several different languages to do that, so I'm hoping that it isn't too complicated.

The way it works as a client is you register a username and password from the network you're trying to access with the transport.  After that, you can communicate with people on that network, who will see you as the user whose name and password you registered with the transport.  Facebook and Google chat already use the XMPP protocol, so you can connect to them without a transport.

I think this might be feasible after all.  I'll have to try experimenting with it sometime.

Offline Chris

Re: Passwordless system worth considering?
« Reply #11 on: October 14, 2010, 04:59:01 PM »
Quote
You can, you just need to make a register page which asks for login and password :D
Oh yeah?   :D  What if their government has a system like China's and they block your site?  What if they use a browser that doesn't support the http protocol?  What about people who don't have computers?  Ok, I'm just being silly.
Make a boardgame game version and send it via mail :D

Quote
The way it works as a client is you register a username and password from the network you're trying to access with the transport.  After that, you can communicate with people on that network, who will see you as the user whose name and password you registered with the transport.  Facebook and Google chat already use the XMPP protocol, so you can connect to them without a transport.
Some more info? I would love to try something that would let me integrate with Facebook without the need of using their crappy SDK :)
Ideally Facebook + Twitter + MySpace...

Offline Topazan

Re: Passwordless system worth considering?
« Reply #12 on: October 14, 2010, 05:44:25 PM »
What else do you want to know?  Keeping in mind I only recently started researching this in depth. :)  The server I tried (jabber.hot-chilli.net) has transports for both MySpace and Twitter.  This only lets you tap into the live chat feature as if you were a user, although it may work differently with Twitter.  I don't know what kind of integration you had in mind.

As far as XMPP, my understanding is that it's an open protocol for instant messaging.  It used to be called Jabber.  Like email, there's no official service provider.  Anyone can create their own client or server, and users can communicate with anyone using the same standards on any server.  The transports that allow it to interface with other messenger services are usually hacks that may or may not be condoned by the companies that run the networks.  (Facebook is obviously ok with it, because their chat is already done through XMPP as mentioned earlier.)

I hear the main clients are Gajim and Psi.  I used Gajim.

Quote
Make a boardgame game version and send it via mail  :D
   ;D Makes sense to me.

Really, registering for a chat service, especially XMPP, isn't more difficult than registering for a game.  You could make it even more convenient by making that the entire registration process.  Their screen name already identifies the players, and if you don't want to use that in the game, you can assign them a random name temporarily and give them the option to change it later.  The novelty of using a bot to log in could either work for or against it.

Offline Chris

Re: Passwordless system worth considering?
« Reply #13 on: October 14, 2010, 05:55:48 PM »
Basic integration. Just "connect with facebook/twitter" button and it is used instead of register/login. Can that thing do it?

The only alternative capable of doing this is RPX-now, but I don't like them for some reason...

Offline Topazan

Re: Passwordless system worth considering?
« Reply #14 on: October 14, 2010, 06:09:04 PM »
Well, it's not designed for that.  It probably can't without my crazy idea of having a bot send a login key each time, :)  You might be able to see who's online if they friend you first, but I don't think you could connect that to their IP.

EDIT: To clarify, my idea was that the user would message the bot when they want to log in.  The bot responds with a link containing a UID as GET data, and clicking the link logs the player in.  That, I think, would be within the capabilities of this system.

Just out of curiosity, what didn't you like about Facebook's SDK?  When I tried it it seemed to handle logins satisfactorily.

« Last Edit: October 14, 2010, 06:11:58 PM by Topazan »
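
The login-link flow discussed in this thread (the bot replies with a link carrying a token as GET data; only the most recent link works, and only once), sketched as an added example that is not code from any poster. The endpoint URL, the `t` parameter, the five-minute expiry, the `LoginLinks` name and the use of a random token rather than the user ID are assumptions of this sketch.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_URL = "https://game.example/login"  # assumed login endpoint
TOKEN_TTL = 300                           # assumed lifetime in seconds


class LoginLinks:
    """Pending one-time login links (in memory; a real game would use its DB)."""

    def __init__(self, ttl=TOKEN_TTL, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # sha256(token) -> (account, expires_at)
        self._latest = {}   # account -> sha256 of its newest token

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a copied table holds no usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account):
        """Bot side: `account` messaged the bot; return its login link."""
        old = self._latest.pop(account, None)
        if old is not None:
            self._pending.pop(old, None)  # only the most recent link works
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        digest = self._digest(token)
        self._pending[digest] = (account, self._clock() + self._ttl)
        self._latest[account] = digest
        return LOGIN_URL + "?" + urlencode({"t": token})

    def redeem(self, url):
        """Web side: return the account for a clicked link, else None."""
        values = parse_qs(urlparse(url).query).get("t", [])
        if len(values) != 1:
            return None
        entry = self._pending.pop(self._digest(values[0]), None)  # single use
        if entry is None:
            return None
        account, expires_at = entry
        self._latest.pop(account, None)
        if self._clock() > expires_at:
            return None
        return account


def demo():
    """Constructed walk-through with a fake clock; returns each outcome."""
    now = [1000.0]
    links = LoginLinks(clock=lambda: now[0])
    first = links.issue("player@im.example")
    second = links.issue("player@im.example")   # supersedes `first`
    results = [links.redeem(first), links.redeem(second), links.redeem(second)]
    third = links.issue("player@im.example")
    now[0] += TOKEN_TTL + 1                     # let the link expire
    results.append(links.redeem(third))
    return results


if __name__ == "__main__":
    print(demo())
```
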

Offline Chris

Re: Passwordless system worth considering?
« Reply #15 on: October 18, 2010, 07:43:44 AM »
Quote
EDIT: To clarify, my idea was that the user would message the bot when they want to log in.  The bot responds with a link containing a UID as GET data, and clicking the link logs the player in.  That, I think, would be within the capabilities of this system.
I recommend blue potion. It is said it can restore not only mana but also sanity points :)

Quote
Just out of curiosity, what didn't you like about Facebook's SDK?  When I tried it it seemed to handle logins satisfactorily.
Because I always have luck of finding an outdated or not working version/tutorial/etc (even official FB dev wiki shows errors to me...). So I don't know when I made an error and when the source of information was at fault :D
Please, drop me some links to anything related to FB integration that you believe is not outdated or you used and it worked...

Offline Topazan

Re: Passwordless system worth considering?
« Reply #16 on: October 24, 2010, 03:48:26 PM »
Sorry about the delay, been busy.

I found this somewhat useful.  Here's briefly what you need to do for the kind of integration you talked about (my php may be rusty):
Code:
<?php
include_once 'facebook.php';

// App credentials from the Facebook developer settings.
$fb = new facebook(array(
    'appId'  => $yourAppId,
    'secret' => $yourAppSecret,
    'cookie' => true,
));

if ($fb->getSession() == null) {
    // No Facebook session yet: show a login link.
    $url = $fb->getLoginUrl(array(
        'canvas'    => 1,
        'fbconnect' => 0,
    ));
    echo "<a href=\"" . $url . "\">Login with facebook!</a>";
} else {
    // Session exists: the Facebook user ID identifies the player.
    $userId = $fb->getUser();
    echo "You are logged in with facebook!";
    // query your database for $userId, then login or register accordingly
}
?>
I also referenced this while writing the example, and I tested this so apparently it works.

As for the XMPP bot idea, it's unorthodox for sure, but I don't see why it wouldn't work.  I'll experiment with it when I have some time and finish my current project.

Offline Chris

Re: Passwordless system worth considering?
« Reply #17 on: October 27, 2010, 05:44:34 AM »
Got it working, thanks. Seems the tutorial I used was wrong or FB changed one variable (I could have sworn that the code was working 3 months ago...)

Quote
As for the XMPP bot idea, it's unorthodox for sure, but I don't see why it wouldn't work.  I'll experiment with it when I have some time and finish my current project.
The thing is, you want to have the register/login part as unorthodox as possible. Players are familiar with it, if you change it you will confuse them, which is deadly at the pre register stage (leave originality for inside the game). The only case when it could work is for players who never used login/register thing... but they are extremely hard to convert anyway :D

Offline Topazan

Re: Passwordless system worth considering?
« Reply #18 on: October 27, 2010, 11:51:22 PM »
Quote
Got it working, thanks. Seems the tutorial I used was wrong or FB changed one variable (I could have sworn that the code was working 3 months ago...)
Glad to hear it.  Always frustrating when things like that happen.

Quote
As for the XMPP bot idea, it's unorthodox for sure, but I don't see why it wouldn't work.  I'll experiment with it when I have some time and finish my current project.
The thing is, you want to have the register/login part as unorthodox as possible. Players are familiar with it, if you change it you will confuse them, which is deadly at the pre register stage (leave originality for inside the game). The only case when it could work is for players who never used login/register thing... but they are extremely hard to convert anyway :D
Well, we'll see I guess.  I kind of think it would give it a cool "secret club" kind of vibe.  For regular users of instant messaging, it would be a little more convenient.

 

