Facebook takes a step closer to a world where we don’t have to remember passwords. With the new Account Kit SDK, app developers and site owners can let users log in without passwords.
Account Kit, introduced at Facebook’s F8 developer conference, simplifies account registration and login on iOS and Android apps, websites, and Web apps. On an Account Kit-enabled site or app, the user provides a mobile number to receive an SMS confirmation code, or an email address to receive a message with a one-time link. There is no need to create -- and remember -- a username and password combination because authentication is handled via SMS or email.
“Using email and phone number authentication doesn't require a Facebook account, and is the ideal alternative to a social login,” the company said in a post on the Facebook for Developers page.
Begone, usernames and passwords!
Account Kit addresses several user management challenges. Developers don’t have to get into the identity business of registering new users, storing passwords, and handling authentication. In turn, users won’t have to create weak passwords they can (or cannot) remember.
Facebook currently offers developers a social authentication system that lets users log in to third-party sites with their Facebook credentials. Many developers adopted social login, but it required users to already have Facebook accounts and to be willing to link their social networking credentials to the third-party application. There are plenty of reasons why a user may not want to do so.
Account Kit bypasses both issues and simplifies authentication by verifying the user through an email address or mobile number, something the user already has.
Authenticate users with a token
Account Kit, which uses Facebook’s API and current infrastructure to authenticate users, provides long-lived sessions and easy account management for users. Developers don’t have to create a separate workflow to handle new registrations because the SDK verifies the email address to determine if the user exists during the login process. An authentication credential associated with the user is available after a successful login.
Account Kit creates a database for the app that is populated with phone numbers, email addresses, and app-specific account identifiers whenever someone logs in. When someone initiates a login request, the Account Kit API is called with either a phone number or an email address. The SDK verifies the SMS confirmation code and monitors the status of the confirmation email. If SMS delivery fails, the API lets users whose phone numbers are linked to valid Facebook accounts authenticate via the Facebook notifications feature.
Account Kit has two types of access tokens -- user access tokens and app access tokens -- that provide temporary and secure access to Account Kit APIs. User access tokens, obtained through the mobile SDK, validate the identity of a user when making server API calls. App access tokens make server calls on behalf of the application and work for account management operations, such as accessing a list of all users.
With the SDK, the client app receives a user access token containing the account identifier once the person has been successfully authenticated.
“In your app’s dashboard, there is a switch labeled Enable Client Access Token Flow. When that switch is on, your client application will (after a successful login) directly receive a long-lived access token, which it is then responsible for securely passing to your server to be used in API calls,” the developer’s guide for Account Kit says.
An alternative method sends the client app an authorization code, which is passed to the application server and exchanged for the user access token. The user access token resides on the server and is used to authenticate server-to-server calls.
Developers can use the SDK to build and customize the login interface.
- The iOS SDK provides customizable view controllers to manage the flow, so developers simply need to present the view controller to get started.
- The Android SDK provides an activity, so the developer only needs to start the activity. There are two intent codes: successful login or failed login.
- The JS SDK provides a login API to manage the login flow, so developers can call accountkit.login.
“You can use the Account Kit Graph API to retrieve and verify user access tokens, access basic account information, and delete accounts,” Facebook said.
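As an added illustration (not Facebook's own code) of the authorization-code flow described earlier and of verifying a user access token through the Graph API: the app server exchanges the client's code for the token, confirms the token was issued to this app, and keeps the long-lived token server-side rather than returning it to the client. The endpoint paths, the `AA|app_id|app_secret` app token format, the `appsecret_proof` parameter and the JSON response shapes are assumptions modelled on the Account Kit documentation, and `fake_graph` is a constructed stand-in for the API so the example runs offline.

```python
import hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlsplit

GRAPH = "https://graph.accountkit.com/v1.0"        # assumed Graph API base URL
APP_ID, APP_SECRET = "123456", "constructed-app-secret"
SESSIONS = {}   # server-side store: account id -> long-lived user access token

def appsecret_proof(token):
    # HMAC-SHA256 of the token under the app secret (assumed appsecret_proof scheme)
    return hmac.new(APP_SECRET.encode(), token.encode(), hashlib.sha256).hexdigest()

def exchange_code(fetch, code):
    # Authorization-code flow: trade the client's short code for the user token
    q = urlencode({"grant_type": "authorization_code", "code": code,
                   "access_token": f"AA|{APP_ID}|{APP_SECRET}"})
    data = json.loads(fetch(f"{GRAPH}/access_token?{q}"))
    if "access_token" not in data:
        raise PermissionError("code exchange rejected: %s" % data.get("error"))
    return data["access_token"]

def verify_token(fetch, token):
    # Look up the account behind a token and confirm the token was issued to this app
    q = urlencode({"access_token": token, "appsecret_proof": appsecret_proof(token)})
    me = json.loads(fetch(f"{GRAPH}/me?{q}"))
    if me.get("application", {}).get("id") != APP_ID:
        raise PermissionError("token not issued for this app: %s" % me.get("error"))
    return me

def login_with_code(fetch, code):
    # The token stays in SESSIONS; the client only gets account details back
    token = exchange_code(fetch, code)
    me = verify_token(fetch, token)
    SESSIONS[me["id"]] = token
    return {"id": me["id"], "phone": me.get("phone", {}).get("number")}

def fake_graph(url):
    # Constructed offline stand-in for the Account Kit Graph API responses
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if parts.path.endswith("/access_token"):
        if qs.get("code") == ["good-code"] and qs.get("access_token") == [f"AA|{APP_ID}|{APP_SECRET}"]:
            return json.dumps({"id": "acct-42", "access_token": "ULT-abc"})
        return json.dumps({"error": {"message": "invalid authorization code"}})
    tok = qs["access_token"][0]
    if qs.get("appsecret_proof") != [appsecret_proof(tok)]:
        return json.dumps({"error": {"message": "missing or bad appsecret_proof"}})
    app_id = APP_ID if tok == "ULT-abc" else "999"   # any other token belongs to another app
    return json.dumps({"id": "acct-42", "phone": {"number": "+15555550100"},
                       "application": {"id": app_id}})
```

Calling `login_with_code(fake_graph, "good-code")` returns only the account id and phone number, while `SESSIONS` holds the token; a bad code or a token issued to a different app raises `PermissionError`.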