
Passwordless login (login with your smartphone)
Closed, Resolved · Public

Description

The basic idea is the following:

  1. The user opens the login page of a MediaWiki wiki
  2. The user types in their username and clicks on the "login" button (no password typed in)
  3. MediaWiki asks the user to confirm the login by pressing a specific number on their registered smartphone
  4. The user confirms the login by selecting the shown number
  5. The user gets logged in without any further step

The idea is basically "borrowed" from Google's login, which allows you to configure a passwordless login, too (using the above mechanism). The techniques involved here would be:

  • php (for a backend side MediaWiki extension)
  • a bit of JavaScript (for the user-facing interaction when the login was confirmed)
  • an Android app (don't have a Mac or an iPhone, and would prefer to develop for an android device :P), for the interaction on the registered phone
  • probably Firebase Cloud Messaging (FCM), for the communication between the MediaWiki backend and the phone to actually ask for login confirmation

This is kind of a proof of concept task, so I don't expect anything; anything which is achieved is awesome, to find out how this could work :D

Event Timeline

Florian created this task. Apr 8 2019, 4:06 PM
Restricted Application added a subscriber: Aklapper. Apr 8 2019, 4:06 PM

Only for Android phone again? Security feature? Really?

There is not only Android positive MediaWiki users ...

Unfortunately the Commons App is Android only and it makes me unhappy.

> Only for Android phone again? Security feature? Really?

@Frettie: Yeah, really. No need for stop energy. Feel free to develop your app for non-Android. Anyone is free to [not] work on what they'd like to work on.

> > Only for Android phone again? Security feature? Really?
>
> @Frettie: Yeah, really. No need for stop energy. Feel free to develop your app for non-Android. Anyone is free to [not] work on what they'd like to work on.

Andre, this is a security feature, so it is not possible to make it free to develop (isn't it?).

But ok, if there is volunteer action only, so let's go.

I'm not sure what you want to imply by "this is a security feature" and what you mean by "free to develop". Feel free to elaborate if you have specific concerns.

First of all: Yes, this would be for Android only, and please see this more or less as a Proof-of-Concept, about a theoretical idea I had. I want to implement this during the hackathon, and for me it means that it is not locked to a specific vendor and has the possibility to be ported to other devices, too (at least the APIs needed would be open to be used, I think).

> There is not only Android positive MediaWiki users ...

That's right, and if Apple allowed users without a Mac and iPhone to develop apps for their devices, I would probably be more open here (even if it would make testing very hard if it is only possible in the emulator). But as I only own an Android device, and I'm very happy with it, I do not plan to buy even more overpriced mobile devices on my own; sorry if that is not what you expect from unpaid volunteers :(

Tgr awarded a token. May 15 2019, 6:55 PM
Tgr added a subscriber: Tgr.
Tgr added a comment. May 15 2019, 7:03 PM

I would love to see this as a 2FA feature (eg. you want to save Common.js, MediaWiki sends you a phone notification asking whether you are really trying to do that, you tap through - it's a far less painful alternative to going through login / OATH again, which is what we are currently doing as a security check).
Maybe it can be built on top of T113125: Investigate using service workers to provide real-time Echo notifications in the browser (push notifications)?
Note Wikimedia will probably serve push notifications soon (currently planned for 2020 spring) so maybe time to think about some sort of push service in core.

What's the point of pressing a specific number, BTW? In the case of Google you just need to tap on the notification.

> I would love to see this as a 2FA feature (eg. you want to save Common.js, MediaWiki sends you a phone notification asking whether you are really trying to do that, you tap through - it's a far less painful alternative to going through login / OATH again, which is what we are currently doing as a security check).
> Maybe it can be built on top of T113125: Investigate using service workers to provide real-time Echo notifications in the browser (push notifications)?
> Note Wikimedia will probably serve push notifications soon (currently planned for 2020 spring) so maybe time to think about some sort of push service in core.

That would be possible with this, yes, and would make things much easier :)

> What's the point of pressing a specific number, BTW? In the case of Google you just need to tap on the notification.

It really depends on how you set it up. There're two possible options:

  • using your smartphone as a second factor: In this case you just have to press "Yes" to confirm your login, however, you need to enter your password beforehand, too
  • using your phone as proof that you are you. In this case, you just type in your username, click on login, tap on "Yes" on your smartphone and then you have to tap the number you're seeing on the screen. Afterwards you're being logged in.

In my current implementation, I didn't do the number stuff, though, as it is secure enough to do it without it for a PoC.

The source code of the extension (built during the hackathon) can actually be found here:
https://github.com/FlorianSW/mediawiki-extension-PassswordlessLogin
The app:
https://github.com/FlorianSW/mediawiki-app-PasswordlessLogin
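As an added illustration of the two options Florian describes (plain "Yes" as a second factor, or username plus number matching), here is a constructed Python simulation of the server side of the flow from the task description. It is not code from the PasswordlessLogin extension or app; the 60-second challenge lifetime and the two-digit number are assumptions, and the FCM push and the browser polling are represented only by the values returned.

```python
import secrets
import time

# Constructed simulation of the confirm-on-your-phone login described in the
# task, not code from the PasswordlessLogin extension or app. The 60 s
# lifetime and the two-digit number are assumptions.
CHALLENGE_TTL = 60

class PendingLogin:
    def __init__(self, username, created, require_number):
        self.username = username
        self.created = created
        self.token = secrets.token_urlsafe(16)  # opaque id carried in the push
        # Number the browser shows; the phone must echo it back (option 2).
        self.shown_number = secrets.randbelow(100) if require_number else None
        self.status = "pending"  # pending | approved | denied | expired

class LoginServer:
    def __init__(self, clock=time.time):
        self.pending = {}
        self.clock = clock  # injectable so expiry can be exercised

    def start_login(self, username, require_number=True):
        """Steps 2-3: username only; the challenge would be pushed to the phone via FCM."""
        login = PendingLogin(username, self.clock(), require_number)
        self.pending[login.token] = login
        return login.token, login.shown_number

    def confirm_from_phone(self, token, selected_number):
        """Step 4: the phone reports the tap; a mismatch or late answer closes the challenge."""
        login = self.pending.get(token)
        if login is None or login.status != "pending":
            return "unknown"
        if self.clock() - login.created > CHALLENGE_TTL:
            login.status = "expired"
            return "expired"
        if login.shown_number is not None and selected_number != login.shown_number:
            login.status = "denied"
            return "denied"
        login.status = "approved"
        return "approved"

    def complete_login(self, token):
        """Step 5: the browser polls; the session is issued once and the challenge consumed."""
        login = self.pending.get(token)
        if login is None or login.status != "approved":
            return None
        del self.pending[token]
        return {"user": login.username, "session": secrets.token_hex(16)}
```

A wrong number, a late answer or a second use of the same token all fail closed, which is the property the number matching adds over a bare "Yes" tap.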

Florian closed this task as Resolved. May 21 2019, 5:05 PM

I created follow-up tasks for this extension under the new PasswordlessLogin tag, so I think this task (as a hackathon task) can be closed :)