Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Passwordless login support #121

Closed
pygeek opened this issue Jul 30, 2015 · 4 comments
Closed

Passwordless login support #121

pygeek opened this issue Jul 30, 2015 · 4 comments
Labels
support Questions, discussions, and general support

Comments

@pygeek
Copy link
Contributor

pygeek commented Jul 30, 2015

It seems that this project lacks support for a passwordless login scheme. T would be helpful to know if a passwordless login scheme is within the scope of this project, and whether any considerations have been made to support this feature in the near future.
@ldesplat ldesplat added the support Questions, discussions, and general support label Jul 30, 2015
@ldesplat
Copy link
Contributor

I am composing an answer to your questions but until I can formulate it properly, would you like to elaborate on why you think it would fit in bell's scope? I know that's the question you asked but I would like to hear your opinion on it.

@ldesplat
Copy link
Contributor

Types of passwordless systems that I am aware of

  1. Public/Private Key - ie. Client Authentication in SSL or SSH Key based authentication
  2. OTP - You generate a token on your phone or trusted device. I know it stands for One Time Password :)
  3. Service sends a token typically to your email or through SMS
  4. Not very related here but visual or behavioral recognition

I believe you may be talking about number 3 so let's concentrate on that for now.

Thoughts

Bell is a third party login plugin for hapi.

This is from the first sentence of our README and what is important is that we are a login plugin, but also specific to third parties. This is why I believe Bell never implemented a local strategy for your own username/password system like there is in Passport.

Bell has been very focused on OAuth 1 & 2 but proposals like Active Directory login or SAML fit very easily as we're authenticating with a third party service in all these cases. But, with no. 3 it seems like we are not dealing with any third parties except potentially for sending the token across.

Because of what I just described and because I don't see any standards describing how to make it secure I would say that it is not within the scope of Bell.

Now, with that said maybe there is a way to generalize this or come up with an interesting API where Bell could do a little bit of work. Maybe it could be generalized with the act of refresh tokens in OAuth 2. Also interesting is to look at https://passwordless.net/ or other implementations like it (in any language). Maybe there is a way to generalize the concept with no 1.

@ldesplat
Copy link
Contributor

ldesplat commented Aug 9, 2015

Closing this issue for now. If you have any comments to add please feel free to do so and I will reopen it.

@ldesplat ldesplat closed this as completed Aug 9, 2015
@lock
Copy link

lock bot commented Jan 9, 2020

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
support Questions, discussions, and general support
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pygeek @ldesplat