Allow phone numbers as login identifiers

[aeneasr]

Is your feature request related to a problem? Please describe.

We should allow users to use their phone number as the login identifier. This is very popular amongst mobile apps.

Describe the solution you'd like

We should support a format such as format: "phone_number" in the JSON Schema to allow the use of phone numbers.

One difficulty with phone numbers is uniqueness. For example, the following numbers are all pointing to the same SIM card (german phone number):

• 0049123123123123
• +49123123123123
• +49 123 123 123 123
• 0123 123 123 123

[yindia]

@aeneasr can we divide the number into two parts i.e. country code + phone number by doing this we can maintain the uniqueness

[aeneasr]

That's a really good idea! I'm also pretty sure that there's a go library somewhere to help with this

[yindia]

@aeneasr you can check that project it's a implementation of google's libphonenumber

[aeneasr]

Ah nice! Of course Google solved that already :D I also found: https://github.com/nyaruka/phonenumbers

[yindia]

yes this project is forked from above project. Can i pick that one ?

[aeneasr]

Looks like https://github.com/nyaruka/phonenumbers is more active, and resolves issues

[aeneasr]

This issue is scheduled for the v0.0.2 milestone, it needs several other things to be implemented first, so it's not a good issue. I'll try to find another good issue for you now!

[james-caresnap]

it needs several other things to be implemented first

Any chance this feature might get put back on the schedule?

[aeneasr]

We always welcome community contributions towards features such as these but we usually don't change priorities or give out timelines so I can't make any commitments here.

[robbietree8]

If I understand it correctly, what this issue wants to solve is as follows:

1. Allow user register with their's phone number and verification code
2. Allow user login with their's phone number and verification code

It's common that login with phone number and verification code, since there is no need for user to remember their password, but definitely, there is lots of things to consider, e.x.

1. To support phone numbers from different countries
2. Security concerns on verification code, abuse use maybe.

[slavafomin]

Please correct me if I'm wrong — so, it's not possible right now to verify user's phone number with Kratos (via SMS codes) or use it during the registration/login?

[aeneasr]

Yes, this is not possible at the moment! But it's on the roadmap!

[DavidBM]

I'm reading the documentation. For the SMS verification can it be custom implemented by changing the state of the identity programmatically? I guess that can be stored in the traits, but I don't know if there is an internal state for identified to be verified or no (kind of what happens with the email verification flow). And, if there is, if it can be easily changed from the API.

[aeneasr]

Hm, not sure if I follow, could you expand your hypothesis a bit?

[DavidBM]

Yeah, sorry for that.

I see in the documentation the concept of traits, which allows to store some state in an account. On there you can have things like the role of the user and other extra information.

I see that there is a flow that automatically sends an email in order to verify the email. Now, I'm assuming that the account is not "active" until the email is validated by the user. Or, if it is active, at least the email is not validated and that is stored somewhere. So the program communicating with Kratos knows that this account is not yet validated.

The main problem with the SMS is that that validation cannot be implemented in the same way the email is because Kratos doesn't yet implement that identification method. What I was thinking of is, is it possible to have the phone number and delegate the account "activation/verification" to an external service that later updates the account?

I'm assuming many things in here, as I didn't yet see in the docs how unverified accounts work in kratos. I hope I got it right and that it makes sense!

[aeneasr]

Hey yes that's absolutely possible to do externally for now. Keep in mind though that the identity traits can be modified by the user him/herself. We have plans for "protected" fields which can only be changed by admins/system processes/api calls. There's an issue for that, I just can't find it right now!

[albertoforcato]

Any update?

[tima-t]

Do we have any progress or intention to have mobile number registration/login in the near future.
I know that the team is overwhelmed, but just need some visibility as this is a hard requirement for the project I am working on.

[aeneasr]

Best option is to contribute this change. You can see what we are working on by taking a look at the milestones of this projects and its open PRs

[oleksiireshetnik]

Team of project that I'm working on finds Kratos a very good fit for our goals. We want to give it a try, but phone number support is critical feature for us.
For a moment I made a small proof of concept, in which added phone number identifier and extended courier with support of HTTP endpoint. This will allow integrate Kratos with Twillio or other SMS provider.
Will be happy to contribute this change

[vinckr]

Hello @aeneasr , can this be closed as per #1938 phone numbers can now be used as identifiers?

Do we have/need docs for it?

[aeneasr]

Yes, I believe so

[drigz]

FYI: docs still say:

This will be addressed in a future release and is tracked as kratos#137.

https://www.ory.sh/docs/kratos/concepts/credentials/username-email-password#use-case-username-and-password

[vinckr]

Thanks for the headsup drigz 🙌 - will be removed in the next PR :)