Going passwordless


It's a story for another time, but what you know as The Play Valet is the third major version of our app. When we put this final version together, one thing we knew was that we wanted to build a relationship with our users: we needed to let them sign into the app.

Rather than with a username and password, though, we decided to use "passwordless authentication". Here's what it is, and why we chose it.

New phone, who dis?

The goal of "authentication" or "signing in" or "logging in" or whatever your favorite software calls it is one thing: allow you, the user, to prove who you are.

A password is one way to do this: you decide on a secret, and share that secret with the application. If you return with that same secret, you must be the same person. Conversely, if you don't know the right secret, you must not be the same person.

Unless you forgot your password, like literally every person ever. In that case we can no longer rely on our shared secret, so we need another way to prove who you are.

As a silly aside, consider the D&D spell "Mending": it's free to cast, being a cantrip and all, and it repairs a single small break in any object. What if you purposely broke an object—say, an arrow—and passed half of it to some NPC contact? If someone returns with half an arrow and says they know your contact, you cast Mending: if it works, it's the same item. If not, well... 💥

What if instead of something you know, we use something you have? If you signed up with an email address, for example, we could go through a dance like this:

  • The software decides on a secret this time, and sends it to you (usually in the form of some giant link).
  • You provide that secret (usually by clicking said link), so we know it's you.
  • You provide a replacement secret (your new password), and everyone moves on.

This is exactly what happens any time you click a "Forgot password?" link.

Get to the point, Schoon.

Okay, okay. OKAY. 😤

What if we skip all of these "shared secrets", and just use that giant link?

Put another way, if clicking a link is good enough to reset my password, why isn't clicking that link good enough to sign in from the beginning?

That's "passwordless authentication".

Is it better?

Mostly.

Depending on your email provider, signing in from an email can take a couple minutes, as opposed to a password you can immediately provide from memory.

That downside aside, it is safer and more secure, and we're not the only ones saying that.

Given the capability, we want to do the best we can to keep you, our users, safe and secure. This may be "just" an app for board games, but we know how much trust it takes to install an app on your phone, and we don't take that lightly. ❤️

Coda: Technical details

If you don't want to know exactly how our system works, don't keep reading.

You've been warned.

So, what happens when you enter your email into The Play Valet?

  1. The app sends your email to our API server, along with the OS you're logging in from.
  2. The server generates a single-use password, or OTP, and uses that as the key to associate your account in Redis. We also ensure Redis expires this key shortly if it goes unused.
  3. The server sends that same OTP, embedded in an OS-specific link, embedded in an email, to the original address. (Because it's email, the server actually uses a third party for this.)
  4. Once you click on the link in your email, the OS should open the link in the Play Valet app, instead of your general web browser.
  5. The app sends the OTP from that link back to the server.
  6. The server discards the original OTP, and generates a more durable secret. At this point the server knows it's you, so it responds with that secret token immediately.
  7. From now on, that secret is used with each request to our API, and we know it came from you! 🎉
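The seven steps above, written out as an added example (this is not The Play Valet's own code): a plain dict with an expiry timestamp stands in for Redis, the `playvalet-<os>://` link scheme is a placeholder, and only hashes of the OTP and the durable token are stored, so a dump of the store cannot be replayed as working links or sessions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

OTP_TTL_SECONDS = 600  # assumption: how long an unused link stays valid


def otp_from_link(link: str) -> str:
    """Step 5: the app pulls the OTP out of the link the OS handed it."""
    return parse_qs(urlparse(link).query)["otp"][0]


class MagicLinkAuth:
    """Server side of the flow. A dict with expiry stands in for Redis."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # sha256(otp) -> (email, expires_at)
        self.sessions = {}  # sha256(durable token) -> email

    @staticmethod
    def _key(secret: str) -> str:
        # Store only a hash: a leaked store yields no usable OTPs or tokens.
        return hashlib.sha256(secret.encode()).hexdigest()

    def request_link(self, email: str, os_name: str) -> str:
        """Steps 1-3: mint a single-use OTP and embed it in an OS-specific link."""
        otp = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        expires_at = self.clock() + OTP_TTL_SECONDS  # Redis: SET ... EX ttl
        self.pending[self._key(otp)] = (email.lower(), expires_at)
        # Placeholder deep-link scheme; the real app's format is not on the page.
        return f"playvalet-{os_name}://login?otp={otp}"

    def redeem(self, otp: str):
        """Step 6: accept the OTP exactly once, discard it, issue a durable token."""
        entry = self.pending.pop(self._key(otp), None)  # pop == single use
        if entry is None:
            return None  # never issued, or already used
        email, expires_at = entry
        if self.clock() >= expires_at:
            return None  # expired (Redis would have dropped the key itself)
        token = secrets.token_urlsafe(32)
        self.sessions[self._key(token)] = email
        return token

    def authenticate(self, token: str):
        """Step 7: resolve the bearer token sent with each API request."""
        return self.sessions.get(self._key(token))
```

Redeeming the same OTP twice, or redeeming one after its TTL has passed, returns `None`, which is the behaviour the single-use and expiry rules in steps 2 and 6 call for.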