Facebook takes a step closer to a world where we don't have to remember passwords. With the new Account Kit SDK, app developers and site owners can let users log in without passwords.
Account Kit, introduced at Facebook's F8 developer conference, simplifies account registration and login processes on iOS and Android apps, websites, and Web apps. On an Account Kit-enabled site or app, the user provides a mobile number to receive an SMS confirmation code or an email address to receive a message with a one-time link. There is no need to create -- and remember -- a username and password combination because authentication is handled via SMS or email.
"Using email and phone number authentication doesn't require a Facebook account, and is the ideal alternative to a social login," the company said in a post on the Facebook for Developers page.
Begone, usernames and passwords!
Account Kit addresses several user management challenges. Developers don't have to get into the identity business of registering new users, storing passwords, and handling authentication. In turn, users won't have to create weak passwords they can (or cannot) remember.
Facebook currently offers developers a social authentication system that lets users log in to third-party sites with their Facebook credentials. Many developers adopted social login, but it required users to already have Facebook accounts and be willing to link their social networking credentials to the third-party application. There are plenty of reasons why a user may not want to do so.
Account Kit bypasses both issues and simplifies authentication by verifying the user through an email address or mobile number, something the user already has.
Authenticate users with a token
Account Kit, which uses Facebook's API and current infrastructure to authenticate users, provides long-lived sessions and easy account management for users. Developers don't have to create a separate workflow to handle new registrations because the SDK verifies the email address to determine if the user exists during the login process. An authentication credential associated with the user is available after a successful login.
Account Kit creates a database for the app that is populated with a list of phone numbers, email addresses, and app-specific account identifiers whenever someone logs in. When someone initiates a login request, the Account Kit API is called with either a phone number or email address. The SDK verifies the SMS confirmation code and monitors the status of the confirmation email. In cases of SMS failure, the API lets users whose phone numbers are linked to valid Facebook accounts authenticate via the Facebook notifications feature.
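The article says the SDK verifies the SMS confirmation code but does not show what a sound verification step looks like. The following is an added illustration, not Account Kit's code or anything Facebook published: a small store that issues a six-digit code per destination (phone number or email address), keeps only an HMAC of the code at rest, expires it after five minutes, allows three guesses, compares in constant time, and discards the code once it is used. The class name, the server secret, the TTL and the attempt limit are all constructed for the example; the clock is injectable so the expiry path can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List

CODE_TTL_SECONDS = 300   # constructed value: a code is valid for five minutes
MAX_ATTEMPTS = 3         # constructed value: guesses allowed per issued code


class ConfirmationCodeStore:
    """Issues and verifies one-time confirmation codes for a phone number or
    email address. Illustration only; this is not the Account Kit implementation."""

    def __init__(self, server_secret: bytes, now: Callable[[], float] = time.time) -> None:
        self._secret = server_secret
        self._now = now
        # destination -> [hmac_digest, expires_at, attempts_left]
        self._pending: Dict[str, List] = {}

    def _digest(self, destination: str, code: str) -> bytes:
        # Bind the code to the destination so a digest cannot be replayed
        # against another phone number or email address.
        msg = f"{destination}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, destination: str) -> str:
        """Generate a fresh code; the caller hands it to the SMS/email sender.
        Only the keyed digest is kept, never the clear-text code."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[destination] = [
            self._digest(destination, code),
            self._now() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code

    def verify(self, destination: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code."""
        entry = self._pending.get(destination)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            self._pending.pop(destination, None)
            return False
        entry[2] -= 1  # count the attempt before comparing
        if hmac.compare_digest(digest, self._digest(destination, submitted)):
            self._pending.pop(destination, None)  # single use
            return True
        if entry[2] == 0:
            self._pending.pop(destination, None)  # guesses exhausted
        return False


if __name__ == "__main__":
    store = ConfirmationCodeStore(b"constructed-server-secret")
    dest = "+15555550100"  # constructed sample number
    code = store.issue(dest)
    print("code sent out of band:", code)
    print("verify correct code:", store.verify(dest, code))
    print("replay of used code:", store.verify(dest, code))
```

Keying the digest with a server secret rather than hashing the code directly matters because a six-digit code has only a million possibilities; an unkeyed hash in a leaked table would be trivially reversible.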
Account Kit has two types of access tokens -- user access tokens and app access tokens -- that provide temporary and secure access to Account Kit APIs. User access tokens, obtained through the mobile SDK, validate the identity of a user when making server API calls. App access tokens make server calls on behalf of the application and work for account management operations, such as accessing a list of all users.
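The two token types describe a division of trust that the article leaves implicit: the app's own server must verify the user access token it receives from the client before treating the login as real, and the app access token (built from the app secret) must never leave the server. The following added example, written for this article and not taken from Account Kit's SDK or documentation, shows that server-side flow with a pluggable token check. The `introspect` callable stands in for the provider's token-verification call and is fed a constructed table so the example runs offline; the `AA|app_id|app_secret` token shape and the `appsecret_proof` HMAC (a Facebook Graph API convention) are assumptions for the illustration, not details given on this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Account:
    """Row in the app's own user table: provider id plus verified contact details."""
    account_id: str
    phone: Optional[str]
    email: Optional[str]


class TokenVerificationError(Exception):
    pass


def appsecret_proof(app_secret: str, access_token: str) -> str:
    """HMAC-SHA256 of the token keyed with the app secret (Graph API convention;
    its applicability to Account Kit is an assumption here). Computed server-side
    so the secret itself is never transmitted."""
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()


def verify_user_token(token: str, introspect: Callable[[str], Optional[dict]]) -> dict:
    """Ask the identity provider whether the token is valid and who it belongs to.
    `introspect` is an assumed interface returning {"id", "phone", "email"} or None."""
    claims = introspect(token)
    if not claims or not claims.get("id"):
        raise TokenVerificationError("user access token rejected by identity provider")
    return claims


class AppServer:
    """Minimal app backend: verifies user tokens, registers accounts on first
    login, issues its own sessions, and gates admin calls on the app token."""

    def __init__(self, introspect: Callable[[str], Optional[dict]], app_id: str, app_secret: str) -> None:
        self._introspect = introspect
        self._app_secret = app_secret
        # Assumed token shape; the article does not specify it.
        self._app_access_token = f"AA|{app_id}|{app_secret}"
        self.accounts: Dict[str, Account] = {}   # provider account id -> Account
        self.sessions: Dict[str, str] = {}       # session id -> provider account id

    def login(self, user_access_token: str) -> str:
        """Never trust an id or phone number sent by the client; derive them from
        the verified token. First login doubles as registration."""
        claims = verify_user_token(user_access_token, self._introspect)
        account = self.accounts.get(claims["id"])
        if account is None:
            account = Account(claims["id"], claims.get("phone"), claims.get("email"))
            self.accounts[account.account_id] = account
        session_id = secrets.token_urlsafe(32)   # app-issued session, independent of the provider token
        self.sessions[session_id] = account.account_id
        return session_id

    def list_accounts(self, presented_app_token: str) -> List[Account]:
        """Account management requires the app access token, not a user token."""
        if not hmac.compare_digest(presented_app_token, self._app_access_token):
            raise TokenVerificationError("app access token required")
        return list(self.accounts.values())


# Constructed stand-in for the provider: maps valid user tokens to their claims.
FAKE_PROVIDER = {
    "user-token-1": {"id": "10001", "phone": "+15555550100", "email": None},
    "user-token-2": {"id": "10002", "phone": None, "email": "alice@example.invalid"},
}


def fake_introspect(token: str) -> Optional[dict]:
    return FAKE_PROVIDER.get(token)


if __name__ == "__main__":
    server = AppServer(fake_introspect, app_id="123456", app_secret="constructed-secret")
    sid = server.login("user-token-1")
    print("session for", server.sessions[sid], "->", server.accounts["10001"])
    print("proof:", appsecret_proof("constructed-secret", "user-token-1"))
```

The app issues its own session after verification instead of reusing the provider's user access token as the session cookie; that keeps the provider token's lifetime and revocation separate from the app's, and means a leaked app session reveals nothing usable against the Account Kit API.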