Signup with phone number and OTP #9217

Closed
bil-ash opened this issue Nov 22, 2022 · 8 comments

bil-ash commented Nov 22, 2022

Summary

I would like to be able to sign up users with mobile number and OTP instead of email address and password. Someone please confirm if it is possible. If yes, please inform about the files which will need to be changed.

@bil-ash bil-ash added the ✨Feature This adds/improves/enhances a feature label Nov 22, 2022
Contributor

ssmucny commented Nov 22, 2022

Support for OTP is already in Misskey. After creating an account, go to Settings > Security > Two-Factor Authentication. It is up to the instance administrator to require (or not) an email on signup. Using a phone number with SMS for the OTP is not supported currently.

Member

tamaina commented Nov 22, 2022

Signup, so I guess bil-ash wants to take the method of generating and uploading the OTP shared secret key on the user side.

Authentication by phone number is probably an implementation of Amazon SNS, but an implementation that can only be used by AWS would not be very desirable. In addition, I personally don't like SMS authentication.

Why does @bil-ash not want to use passwords in the first place?


Author

bil-ash commented Nov 22, 2022

At first I would like to clarify that I do not need two-factor authentication, only sign-up using phone number facility.

I would like to deploy Misskey for a small (non-technical background) group, and for my target group of users the most intuitive way of signing up is phone authentication or single sign-on using Google/Facebook/Twitter. I prefer phone auth with OTP and web authentication.

Is the following situation possible for sign-up?
1. User enters the phone number and a username is generated from it (using a specified algorithm). For example, phone number +countryCode 9876543210 is converted into acegik@mymisskey.site
2. OTP is sent to user (using Amazon SNS/Firebase/Twilio or anything else) and user enters the OTP
3. In place of password, the user enters web authentication credentials (password/pin/biometric), and this (navigator.credentials.create) serves as password.

So for sign-ins after that, the user will enter their phone number and web auth credentials (most probably biometric for phone and password for desktop).
Before step 1 above, device web authentication support can be checked and in the absence (old browser/no device lock) we can fall back to username and password sign-up.

Member

tamaina commented Nov 22, 2022

I don't think phone number signup will be implemented immediately or not on the Misskey side, but if you are able to program it, what about the idea of using an invitation code? (Are you aware that you can make the instance invitation-only?)

How to disable new user registration (= to be invitation-only):

  1. Access to /admin/settings (Control Panel → General)
  2. Toggle off Enable new user registration
  3. Save

During disabling new user registration, registration is available by using the invite code issued by admin.

How to get an invite code:

You can get the invite code from the top of the Control Panel, or if you want to automate it, you can create an application using API:

  1. Log in as admin or moderator user.
  2. Get the admin token by JSON.parse(localStorage.getItem('account')).token from the browser console (!!!!!NEVER BE PUBLISHED!!!!!!).
  3. POST https://example.com/api/admin/invite with body { "i": "token" }.
  4. Get code property from returned json.

Member

tamaina commented Nov 22, 2022

  1. In place of password, the user enters web authentication credentials(password/pin/biometric), and this (navigator.credentials.create) serves as password.

No, Misskey requires a password for signup.
However, it is possible to set up password-less login by using a security key or biometric authentication.

Member

tamaina commented Nov 22, 2022

As a personal opinion, I dislike relying on phone numbers, email or other service IDs for Misskey logins.

Contributor

Candinya commented Nov 22, 2022

SMS isn't like email SMTP: it has neither a common API call format nor a famous (and free) provider, which means combining with any paid SMS API may cause commercial controversies. If you really want to restrict users with phone numbers, what about setting up a new management server for requirements like account registration and password reset? Misskey has an open API system which can be accessed from your.instance.ltd/api-doc and is very developer-friendly; it's easy to develop a peripheral project like this rather than modifying the code itself.
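The invite-code steps and the separate management server suggested above can be combined into one small gate: verify a phone OTP first, then request an invite code from the instance. This is an added sketch, not Misskey code or code from any commenter; the function names, the 5-minute lifetime and the 5-attempt limit are assumptions, and SMS delivery is left to whichever provider the operator picks.

```javascript
const crypto = require('node:crypto');

const OTP_TTL_MS = 5 * 60 * 1000; // assumption: codes expire after 5 minutes
const MAX_ATTEMPTS = 5;           // assumption: a code is dropped after 5 wrong guesses
const pending = new Map();        // phone -> { hash, expires, attempts }

// Hashing yields equal-length buffers, which timingSafeEqual requires.
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Issue a 6-digit OTP from the CSPRNG (never Math.random) and remember it per phone.
function issueOtp(phone, now = Date.now()) {
  const otp = crypto.randomInt(0, 1_000_000).toString().padStart(6, '0');
  pending.set(phone, { hash: sha256(otp), expires: now + OTP_TTL_MS, attempts: 0 });
  return otp; // hand this to the SMS provider; do not log it
}

// Check a submitted OTP: expiring, attempt-limited, single use, constant-time compare.
function verifyOtp(phone, otp, now = Date.now()) {
  const entry = pending.get(phone);
  if (!entry) return false;
  if (now > entry.expires || entry.attempts >= MAX_ATTEMPTS) {
    pending.delete(phone);
    return false;
  }
  entry.attempts += 1;
  const ok = crypto.timingSafeEqual(entry.hash, sha256(String(otp)));
  if (ok) pending.delete(phone);
  return ok;
}

// Steps 3 and 4 from the thread: POST /api/admin/invite with { i: token }, read `code`.
// The admin token lives only on this server (e.g. an environment variable).
async function requestInvite(baseUrl, adminToken, fetchImpl = fetch) {
  const res = await fetchImpl(`${baseUrl}/api/admin/invite`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ i: adminToken }),
  });
  if (!res.ok) throw new Error(`invite request failed: HTTP ${res.status}`);
  return (await res.json()).code;
}

// Release an invite code only after the phone number has passed OTP verification.
async function redeemOtpForInvite(phone, otp, cfg, fetchImpl = fetch) {
  if (!verifyOtp(phone, otp)) throw new Error('OTP rejected');
  return requestInvite(cfg.baseUrl, cfg.adminToken, fetchImpl);
}
```

Because the admin token can issue invites for the whole instance, the browser should only ever talk to this gate, never to `/api/admin/invite` directly.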

Author

bil-ash commented Nov 23, 2022

I don't think phone number signup will be implemented immediately or not on the Misskey side, but if you are able to program it, what about the idea of using an invitation code? (Are you aware that you can make the instance invitation-only?)

How to disable new user registration (= to be invitation-only):

  1. Access to /admin/settings (Control Panel → General)
  2. Toggle off Enable new user registration
  3. Save

During disabling new user registration, registration is available by using the invite code issued by admin.

How to get an invite code:

You can get the invite code from the top of the Control Panel, or if you want to automate it, you can create an application using API:

  1. Log in as admin or moderator user.
  2. Get the admin token by JSON.parse(localStorage.getItem('account')).token from the browser console (!!!!!NEVER BE PUBLISHED!!!!!!).
  3. POST https://example.com/api/admin/invite with body { "i": "token" }.
  4. Get code property from returned json.

OK, so I will try to implement something similar using the steps mentioned above. And since I have to implement it myself, I will close the issue now and open one later with the results.

@bil-ash bil-ash closed this as completed Nov 23, 2022