Idea for a passwordless authentication based on a whatsapp/sms code - looking for feedback

Hey all!

I want to create a passwordless signup system, based on a WhatsApp code that will be sent to the user in the signup process, and a new WhatsApp code that will be sent every time the user logs in again.

After reading about this topic around the forum I think I have an idea that might work, but I want to make sure I’m not missing any relevant consideration that might cause a security issue.

The idea:
The signup form will include only two fields: an email field and a phone number field.

  1. After filling both fields the user will receive a one-time code by WhatsApp.
  2. The user will fill in the code. If the code is correct the signup button will be clickable, and signup will set the user’s email address to the email input, and the password also to the email input.

The login form will look pretty much the same.

Login process:

  1. Every time the user wants to log into the system they will fill in their email and phone number.

  2. If the email and phone number are registered to the same user, the user will receive a WhatsApp code.

  3. If the user fills in the correct code, the system will enable clicking on the login button (while automatically filling the email input in as the password).

Issues:
There is an issue here with being able to sign up with fictional emails, or other people’s emails, but as we want to have a super simple signup, and are planning to communicate only by WhatsApp, this is something I believe won’t be a problem. Phone number verification is needed much more than email verification.

Am I missing any other security issue or any other problem with this form of a signup/login system? Would appreciate any thoughts on this.

Thanks a lot!!!
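For reference, here is how the three-step login flow described above (email + phone lookup, one-time code delivered out of band, code check) is usually implemented on the server side so that no credential is derived from the user’s email. This is an added example, not code from the original post or from Bubble; the in-memory stores, the `+15550100` phone number, `alice@example.com`, the 5-minute lifetime and the 5-attempt limit are all constructed for illustration. The point it makes, which also underlies the reply about random unguessable secrets further down, is that the code is random, stored only as a keyed hash, expires, is single-use and attempt-limited, and that on success the client receives a random session token rather than a password it could have guessed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores; a real deployment would use a database.
USERS = {"alice@example.com": "+15550100"}   # email -> registered phone (constructed sample)
PENDING = {}        # phone -> {"digest", "expires", "attempts"}
SESSIONS = {}       # session token -> email

CODE_TTL_SECONDS = 300        # a code is only valid for five minutes (assumed policy)
MAX_ATTEMPTS = 5              # guesses allowed per issued code (assumed policy)
SERVER_PEPPER = secrets.token_bytes(32)   # server-side key, never sent to the client


def _digest(code: str) -> bytes:
    # Store only a keyed hash of the code, so a leaked store does not leak live codes.
    return hmac.new(SERVER_PEPPER, code.encode(), hashlib.sha256).digest()


def request_code(email: str, phone: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 1-2: issue a code only if email and phone belong to the same user.
    Returns the code so the caller can deliver it via WhatsApp/SMS; the server
    keeps only its keyed hash, an expiry time and an attempt counter."""
    if USERS.get(email) != phone:
        return None              # refuse silently; do not reveal which field was wrong
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # cryptographically random, not derived from user data
    PENDING[phone] = {"digest": _digest(code), "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_code(email: str, phone: str, code: str, now: Optional[float] = None) -> Optional[str]:
    """Step 3: check the code server-side and hand back a random session token.
    The token, not the email, is the credential the client presents afterwards."""
    entry = PENDING.get(phone)
    if entry is None or USERS.get(email) != phone:
        return None
    now = time.time() if now is None else now
    if now > entry["expires"]:
        del PENDING[phone]        # expired code is discarded, a new one must be requested
        return None
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del PENDING[phone]        # stop brute force of the six-digit space
        return None
    if not hmac.compare_digest(entry["digest"], _digest(code)):
        return None               # wrong code; counter already incremented
    del PENDING[phone]            # one-time: a code never verifies twice
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def whoami(token: str) -> Optional[str]:
    """Resolve a session token back to the logged-in user."""
    return SESSIONS.get(token)


if __name__ == "__main__":
    issued = request_code("alice@example.com", "+15550100")
    print("deliver out of band:", issued)
    print("session:", verify_code("alice@example.com", "+15550100", issued))
```

The code is only ever compared with `hmac.compare_digest`, and the client never learns any long-lived secret: the session token is random per login and can be revoked server-side, which is exactly what a password set to the email address cannot offer.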

Passwords should be random unguessable strings, or at least they should try to be.
If an account password is the account email then any random person can login to any random account in your app. It only takes the right request to bubble’s endpoint.

Bubble provides secure signup with password and other providers. If you care about security you should use that. If you want to verify a phone number, do it after a standard account creation with email and password, with a real password.


Thanks for the reply

So you say that even if I do not provide a password input at all, people will still be able to log in with a request to Bubble’s endpoint? How would one do that?

And another idea comes to mind.

I can add a random text to the password, so the password will be [user’s email + random text]. I can save that random text to the user in the system. That way the password will not be something a user can guess by knowing another person’s email.

This way even if a person is sending a request to Bubble’s endpoint, he/she will not be able to know the password to send.

Do you still think this will be problematic?

If the user does not know the password, how will you perform the login? Where will you store the password securely? Besides, there are all the common issues of using a messaging app as a single-factor auth. It is not secure.

My advice is to use the secure auth methods that Bubble provides, or connect a third-party service in the secure ways that Bubble provides. Everything else is very likely a bad idea.

Thanks for the reply!

I will check out Auth0.

About the data visibility when the user is logged out, I’m not sure I understand. How would the “password” or any other data be visible? @NigelG

The password will either be visible to anyone, which of course is not good, or it will be visible to the logged-in user, but every user starts as logged out, so you will not be able to see it and use it in your workflows.

Ok I understand now, thanks!