Last post Jun 30, 2017 09:14 AM by Albertk89
Jun 30, 2017 04:56 AM|Albertk89|LINK
I would like to use JWT for Web API, but would like to find out if there is a way not to use the traditional username and password for login.
My idea is to use a generated PIN number to replace the username and password. The PIN will be sent via SMS; the user just needs to key in their phone number on a web page.
Can this be done, or is there a better way to do this?
Jun 30, 2017 08:41 AM|Dmitry Sikorsky|LINK
This is not so difficult to implement. Look. You can get the phone number from the user, generate the PIN number and save it somewhere as related to the phone number. I mean, in the DB you could have 2 columns: phone number, PIN. Maybe you could also have an Expiration field to make the PIN valid only for some short time span.
After you have created that record, you could wait for the auth request. If it comes with the correct PIN value, you can generate the token as always in JWT. So it is really a small change to the regular process.
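The flow described in this answer (phone number in, PIN stored with an expiration, PIN checked on the auth request, JWT issued on success), written out as an added C# example. This is not code from the thread or from the linked StackOverflow answer; the `PinStore`, `PinRecord` and `TokenIssuer` names, the in-memory dictionary standing in for the DB table, and the issuer/audience/secret values are all hypothetical. It assumes .NET Core 3.0 or later (for `RandomNumberGenerator.GetInt32` and `CryptographicOperations.FixedTimeEquals`) and the `System.IdentityModel.Tokens.Jwt` NuGet package. Beyond the answer's two columns plus Expiration, it also hashes the stored PIN, counts failed attempts and makes the PIN single-use, since a 6-digit PIN only holds up against online guessing if the window and the attempt count are both small.

```csharp
// Added example, not the thread's or the linked answer's code. Assumes .NET Core 3.0+
// and the System.IdentityModel.Tokens.Jwt package. All names and values are hypothetical.
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public sealed class PinRecord
{
    public byte[] PinHash { get; set; }      // hash of phone+PIN, never the PIN itself
    public DateTime ExpiresUtc { get; set; } // the "Expiration" column from the answer
    public int FailedAttempts { get; set; }  // caps online guessing of a 6-digit PIN
}

public sealed class PinStore
{
    private const int MaxAttempts = 5;
    private static readonly TimeSpan Validity = TimeSpan.FromMinutes(5);

    // Keyed by phone number; a DB table with these columns would serve the same purpose.
    private readonly ConcurrentDictionary<string, PinRecord> _records =
        new ConcurrentDictionary<string, PinRecord>();

    // Step 1: the user submits a phone number. Generate a PIN, store only its hash,
    // and return the clear PIN so the caller can pass it to the SMS gateway.
    public string IssuePin(string phoneNumber)
    {
        // Cryptographically random 6 digits; System.Random is not suitable here.
        string pin = RandomNumberGenerator.GetInt32(0, 1_000_000).ToString("D6");
        _records[phoneNumber] = new PinRecord
        {
            PinHash = Hash(phoneNumber, pin),
            ExpiresUtc = DateTime.UtcNow.Add(Validity),
            FailedAttempts = 0
        };
        return pin;
    }

    // Step 2: the auth request arrives with phone number + PIN. True only for an
    // unexpired PIN that still has attempts left; a correct PIN is consumed.
    public bool VerifyAndConsume(string phoneNumber, string submittedPin)
    {
        PinRecord record;
        if (!_records.TryGetValue(phoneNumber, out record))
            return false;

        if (DateTime.UtcNow > record.ExpiresUtc || record.FailedAttempts >= MaxAttempts)
        {
            _records.TryRemove(phoneNumber, out record);
            return false;
        }

        // Fixed-time comparison so response timing does not reveal matching digits.
        bool match = CryptographicOperations.FixedTimeEquals(
            record.PinHash, Hash(phoneNumber, submittedPin ?? string.Empty));

        if (match)
            _records.TryRemove(phoneNumber, out record); // single use
        else
            record.FailedAttempts++;

        return match;
    }

    private static byte[] Hash(string phoneNumber, string pin)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(phoneNumber + ":" + pin));
    }
}

public sealed class TokenIssuer
{
    private readonly SymmetricSecurityKey _key;

    // HS256 needs at least a 128-bit key; load the real secret from configuration.
    public TokenIssuer(string secret)
    {
        _key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
    }

    // Step 3: the usual JWT issuance, with the verified phone number as the subject claim.
    public string Issue(string phoneNumber)
    {
        var creds = new SigningCredentials(_key, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: "example-issuer",
            audience: "example-api",
            claims: new[] { new Claim(ClaimTypes.MobilePhone, phoneNumber) },
            expires: DateTime.UtcNow.AddHours(1),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new PinStore();
        var issuer = new TokenIssuer("PLACEHOLDER-SECRET-AT-LEAST-32-BYTES-LONG");
        const string phone = "+15555550100"; // constructed sample number

        string pin = store.IssuePin(phone);                // would go out via SMS
        Console.WriteLine(store.VerifyAndConsume(phone, "000000") && pin != "000000"); // False
        Console.WriteLine(store.VerifyAndConsume(phone, pin));                           // True
        Console.WriteLine(store.VerifyAndConsume(phone, pin));                           // False: consumed
        Console.WriteLine(issuer.Issue(phone).Split('.').Length);                        // 3 (JWT segments)
    }
}
```

In a Web API controller the two steps map to two endpoints: one that takes the phone number and calls `IssuePin`, and the token endpoint that calls `VerifyAndConsume` where the linked sample checks the username and password, then `Issue` in place of the sample's token generation. The SMS send itself is left to whatever gateway the application already uses.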
Jun 30, 2017 09:06 AM|Albertk89|LINK
Is there some sort of example code that I can try? That would be a great help. I am still trying to get my head around the JWT implementation. Thank you.
Jun 30, 2017 09:11 AM|Dmitry Sikorsky|LINK
You could take a look at https://stackoverflow.com/questions/34905754/using-bearer-jwt-authorization-without-identity
// Validate the user credentials.
// Note: to mitigate brute force attacks, you SHOULD strongly consider
// applying a key derivation function like PBKDF2 to slow down
// the password validation process. You SHOULD also consider
// using a time-constant comparer to prevent timing attacks.
if (request.Username != "email@example.com" ||
request.Password != "P@ssw0rd")
I think this might be replaced with the PIN checking.
Jun 30, 2017 09:14 AM|Albertk89|LINK
Thanks. Will take a look.