Day 13

Signing in with phone-first authentication

So it turns out that when you’re doing a phone-first sign-up process, there’s quite a bit to think about when it comes to signing in. Or at least there is when I’m doing it, which might just be me letting things get out of hand.

When a visitor signs up, I’m creating a few different records to keep track of things. A device record is automatically generated when someone comes to the site in a new browser. If they’re returning, then we look at a cookie saved in their browser to identify them. To verify the visitor, we use a phone record, which tracks their number and lets us verify them in the “real” world with a text message. For first-timers, a user record is created. This record is anonymous at first and just ties a phone together with the browser or browsers it belongs to.

So when a guest signs out and signs back in, we hit their phone number with a text message again to make sure it’s still legit. We’ve already confirmed the phone number, so to keep track of everything after that first time, I’m creating a signin record, which lets a guest sign in multiple times. Each signin is tied to a user and a device.

Now that I’m getting deeper into things, I think a better way is to also connect the phone record to the signin. I’ll move the unique tokens I was using to confirm the phone number to the signin records instead and that way I can use the same process for both the initial sign up phase and future sign in phases.

After I make this change, either process will look like this:

  • Confirm the signin, based on the unique token sent by text.
  • Confirm the related phone, if necessary.
  • Mark the device associated with the signin as authenticated.
  • Upgrade the user from “visitor” to “guest” if it’s their first time signing in.
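To make those four steps concrete, here is an added example in plain Ruby (an editor's illustration, not the project's own code): a signin record that stores only a digest of the texted token, expires it, caps the number of guesses, and then applies the four steps in order. The record names are the ones above; the 6-digit code, the 10-minute lifetime and the 5-guess limit are assumptions.

```ruby
require "securerandom"
require "digest"

# Plain-Ruby stand-ins for the device, phone, user and signin records.
Device = Struct.new(:id, :authenticated)
Phone  = Struct.new(:number, :confirmed)
User   = Struct.new(:role, :phone)
Signin = Struct.new(:user, :device, :token_digest, :expires_at, :attempts, :confirmed_at)

TOKEN_TTL    = 10 * 60 # assumed: seconds a texted code stays valid
MAX_ATTEMPTS = 5       # assumed: guesses allowed before the signin is dead

# Create a signin and return [signin, plaintext_token]. Only a digest of the
# token is stored, so a leaked signin row does not let anyone replay the text.
def start_signin(user, device, now: Time.now)
  token  = SecureRandom.random_number(10**6).to_s.rjust(6, "0") # assumed 6-digit code
  signin = Signin.new(user, device, Digest::SHA256.hexdigest(token), now + TOKEN_TTL, 0, nil)
  [signin, token]
end

# Constant-time comparison: does not leak how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The four-step confirmation shared by sign-up and later sign-ins.
# Returns a symbol so the controller can render the right message.
def confirm_signin(signin, submitted_token, now: Time.now)
  return :used    if signin.confirmed_at             # tokens are single-use
  return :expired if now > signin.expires_at
  return :locked  if signin.attempts >= MAX_ATTEMPTS
  signin.attempts += 1
  digest = Digest::SHA256.hexdigest(submitted_token.to_s)
  return :bad_token unless secure_compare(digest, signin.token_digest)

  signin.confirmed_at = now                          # 1. confirm the signin
  signin.user.phone.confirmed = true                 # 2. confirm the related phone, if necessary
  signin.device.authenticated = true                 # 3. mark the device as authenticated
  signin.user.role = :guest if signin.user.role == :visitor # 4. first sign-in: visitor -> guest
  :ok
end
```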

What am I missing? I’d love to hear your thoughts.

Hopefully having things highly separated will prove to be helpful long-term, rather than painful. It’s a lot to think about in some ways, but there’s some logical separation that helps keep things clear and keeps my controllers and models smaller.