Linking a phone to an account and authorization by scanning a QR code

  • Tutorial
Hi, Habr!
Today I had an idea for an alternative way to authorize on websites using a mobile device linked to the account.
Why is this needed?
Well, for example, when the user is too lazy to type a password, as a second factor in two-factor authentication, for password recovery, and so on.
To be honest, I have not thought about how this mechanism would be used in production. The main goal is the implementation; then we'll see.

A bit of theory


What should it look like?

To bind and authorize, just scan the corresponding QR codes with your device:
1. On the bind page
2. On the authorization page

What to bind to?

After a little googling, I was sad to discover that a web page has no way to obtain private (unique) information about a device: no IMEI, no serial number, nothing of the kind.
All that remains is the following:
1. A long-lived cookie that will live in the device's browser.
2. The IP address
3. The User-Agent

Unfortunately, with data like this you cannot count on a long-term binding of the device to the account: the cookie disappears as soon as the user clears browser data, and IP addresses and User-Agent strings change and are trivially spoofed.

Binding mechanism

1. Generate a unique link and render it as a QR code.
2. The device scans the code and follows the link.
3. We collect whatever information about the device is available and store the correspondence (device = user).
4. We set a long-lived cookie on the device.
5. Meanwhile, the desktop browser polls a special URL and, as soon as a positive response arrives, shows the user a message that the linking succeeded.

Authorization mechanism

1. Generate a unique link and render it as a QR code.
2. The device scans the code and follows the link.
3. We collect data about the device (its cookie) and look for it in the database.
4. If the device is found, we open a session for that user in the desktop browser.
5. Meanwhile, the desktop browser polls a special URL and, as soon as a positive response arrives (in this case a session cookie and a redirect to the desired page), the user is logged in.
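The two flows above share almost all of their state, so here is a single in-memory model of both, written for this post as an added example (it is not the code from the repository and makes no claim about how the author implemented it). It assumes the per-QR token is a random single-use value that expires after `TOKEN_TTL` seconds, that the token is tagged with its purpose so a binding code cannot be replayed as a login code, and that only a hash of the long-lived device cookie is stored. The HTTP layer is left out: each method corresponds to one request from the desktop browser or the phone.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TOKEN_TTL = 60  # seconds a QR code stays valid (assumption: short and single-use)


def _h(value: str) -> str:
    """Store only a hash of long-lived secrets, so a leaked DB does not yield usable cookies."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Token:
    purpose: str                    # "bind" or "login"; a bind code must never act as a login code
    created: float
    user_id: Optional[str] = None   # bind: set by the logged-in desktop; login: set after device lookup
    done: bool = False              # the phone has already completed its step


@dataclass
class QrAuthServer:
    """Constructed in-memory model; a real deployment would back these dicts with a database."""
    clock: Callable[[], float] = time.time
    tokens: Dict[str, Token] = field(default_factory=dict)    # token -> Token
    devices: Dict[str, dict] = field(default_factory=dict)    # sha256(cookie) -> {"user", "ua", "ip"}
    sessions: Dict[str, str] = field(default_factory=dict)    # session id -> user id

    def _fresh(self, token: str, purpose: str) -> Optional[Token]:
        """A token is usable once, for one purpose, within TOKEN_TTL seconds."""
        t = self.tokens.get(token)
        if t is None or t.purpose != purpose or t.done:
            return None
        if self.clock() - t.created > TOKEN_TTL:
            self.tokens.pop(token, None)
            return None
        return t

    # ---- binding: the desktop browser is already logged in as user_id ----
    def new_bind_code(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = Token("bind", self.clock(), user_id=user_id)
        return token                                 # embedded in the link shown as a QR code

    def device_bind(self, token: str, user_agent: str, ip: str) -> Optional[str]:
        """Steps 2-4: the phone follows the link; returns the cookie to set on it, or None."""
        t = self._fresh(token, "bind")
        if t is None:
            return None
        cookie = secrets.token_urlsafe(32)
        self.devices[_h(cookie)] = {"user": t.user_id, "ua": user_agent, "ip": ip}
        t.done = True
        return cookie

    def poll_bind(self, token: str) -> bool:
        """Step 5: the desktop polls; True once the phone has been bound."""
        t = self.tokens.get(token)
        return t is not None and t.purpose == "bind" and t.done

    # ---- login: the desktop browser is anonymous ----
    def new_login_code(self) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = Token("login", self.clock())
        return token

    def device_login(self, token: str, device_cookie: Optional[str]) -> bool:
        """Steps 2-3: the phone follows the link; its cookie decides which user is approved."""
        t = self._fresh(token, "login")
        if t is None or device_cookie is None:
            return False
        dev = self.devices.get(_h(device_cookie))
        if dev is None:
            return False                             # unknown device: token stays unapproved
        t.user_id = dev["user"]
        t.done = True
        return True

    def poll_login(self, token: str) -> Optional[str]:
        """Steps 4-5: the desktop polls; once approved, mint a session and burn the token."""
        t = self.tokens.get(token)
        if t is None or t.purpose != "login" or not t.done:
            return None
        del self.tokens[token]                       # single use: a second poll gets nothing
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = t.user_id
        return sid


if __name__ == "__main__":
    srv = QrAuthServer()
    code = srv.new_bind_code("alice")
    cookie = srv.device_bind(code, "Mozilla/5.0 (Linux; Android 10)", "203.0.113.5")  # constructed
    print("bound:", srv.poll_bind(code))
    code = srv.new_login_code()
    srv.device_login(code, cookie)
    print("session for:", srv.sessions[srv.poll_login(code)])
```

Two caveats for anyone who wants to take this beyond a toy. First, whoever holds the token is whoever gets the session, so the desktop must only ever hand the token to the page that rendered the QR code, and the token must be short-lived and consumed on first use, as above. Second, nothing in this flow tells the phone which browser it is approving: if an attacker shows a victim a login QR code taken from the attacker's own screen, the victim's scan logs the attacker in. The phone-side page should therefore display what is about to be approved and require an explicit tap before the server marks the token done.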

Source code


I won't include listings in the post. If you are interested, see the GitHub repository.

In conclusion, I would like to add that I would very much appreciate constructive feedback on improving the mechanism and on possible use cases.
Please don't be too hard on the code quality; everything was written from scratch, quick and dirty.

PS: The device's User-Agent and IP address are stored in the database but are not used for authorization. Left for the future.

UPD: As soon as I find a minute, I will post a working version of the script for those who want to test it.
UPD2: Repository updated. I have deployed the script on a server for those who want to test it here.
