Let’s take a look at some of the current login methods:

Login with account and password

Logging in with an account and password is the most traditional method. It is simple and blunt, and it generally works without problems.

Disadvantages

However, this method requires users to remember their account names and passwords, so there is a memory cost.

To reduce that cost, users are likely to use the same password on different platforms. From a security point of view, once the account and password on one platform are leaked, the other platforms used by the same user are affected as well. In addition, since the account has nothing to do with personal identity, the same user can register multiple accounts, which means malicious registration may occur. To solve these two problems, the ideal is to use an account that is strongly associated with the user’s identity. But with what? You can’t use your ID card as your account number. There was no good answer to that question until real-name registration became mandatory for mobile phone cards.

Login with mobile phone number and verification code

Since the real-name system for mobile phone cards was introduced, the mobile phone number has become another proof of identity. Logging in with a mobile phone number plus a verification code is now the mainstream method. Compared with entering an account and password, it verifies the user’s identity better and prevents malicious registration, and users do not need to remember an account and password, which increases security. Users are now used to this login method and accept it. Many products also combine login and registration: if the server finds at login that the mobile phone number has not been registered, it registers the number directly and then logs the user in. The user does not notice the registration step, which greatly simplifies the registration process.

Disadvantages

In this mode, the user has to perform a series of operations: enter the mobile phone number, wait for the verification code, enter the verification code, and click login. The whole process may take more than 20 seconds, and it is cumbersome. It also relies on the SMS network: if you don’t receive the SMS message, you can’t log in. These problems may cause some users to drop off at the registration stage. From a security perspective, there is also the risk that the verification code leaks. If someone knows your phone number and steals the verification code, they can also log in to your account. But think back: why do we need verification codes? The purpose of the verification code is to confirm that the phone number is yours. Is there any other way to authenticate the phone number besides using SMS?

Local number authentication

If the number of the current phone can be obtained, it can be used to verify the number entered by the user. For security reasons, the client cannot obtain the mobile phone number directly, but the operator can look it up from the SIM card data. Operators have now opened up this capability: after the user enters a mobile phone number, the app calls the operator’s interface to determine whether the entered number is consistent with the number of the local device. In this way, users do not need to wait for a verification code SMS or enter a verification code, and they are not restricted by the SMS network, which simplifies the login process. Taking it a step further, if the carrier can send the current number directly back to us rather than only verifying it, users won’t even need to fill in their phone number. That brings us to today’s protagonist: one-click login.

One-click login

After obtaining the number of the SIM card in the current phone, you can log in directly with this number. This is one-click login. The benefits of this approach are obvious: registration and login become more convenient and quicker, a process that may need 20 seconds is shortened to about 2 seconds, and user loss during login is reduced to a large extent. Whether one-click login is possible depends on whether the operators open the related services, which is why there was no one-click login in the past. Only recently have the three major operators launched their own open platforms:

  • China Mobile – Internet capability open platform
  • China Telecom – Tianyi account open platform
  • China Unicom – WO+ open platform

To use one-click login, you need to integrate the operator’s SDK. The three operators use the same authorization process:

The main steps are as follows:

  • SDK initialization: Call the SDK initialization method, passing in the AppKey and AppSecret of the project on the platform.
  • Invoke the authorization page: Call the SDK to open the authorization page. The SDK first sends a request to the carrier to obtain the mobile phone number mask, and jumps to the authorization page after the request succeeds. The authorization page displays the phone number mask and the carrier agreement for the user to confirm.
  • Agree to authorization and log in: The user agrees to the relevant agreement and clicks the login button on the authorization page. The SDK requests the token used for retrieving the number and returns the token to the client after the request succeeds.
  • Retrieve the number: The client sends the obtained token to our own server, and the server calls the operator’s one-click login interface with the token. The mobile phone number is returned when the call succeeds. The server uses the mobile phone number to log in or register and returns the result to the client to complete one-click login.

Here we need to discuss the authorization page. It usually looks like this:

The authorization page is a page defined in the SDK. Taking Android as an example, after integrating the SDK we need to register this page in the AndroidManifest. We cannot and should not skip the authorization page and get users’ mobile phone numbers without their permission. Since the authorization page is a third-party page, we are not free to change the page style, but the SDK provides a rich enough interface for us to customize it.

As mentioned above, before the authorization page is displayed, the mobile phone number mask needs to be requested so that it can be shown on the page. To speed up the jump to the authorization page and reduce the user’s waiting time, the SDK usually provides a number prefetch interface, which fetches the mobile phone number mask in advance. We can call this interface when the app opens. If the mask has already been obtained, the user no longer needs to wait when clicking through to the authorization page. It’s a minor refinement of the user experience.

During authentication, the network is switched to the mobile cellular network. Currently supported are China Mobile 2G/3G/4G, China Unicom 3G/4G and China Telecom 4G. Of course, it is best to use 4G; 2G and 3G reduce the success rate of authentication. Authentication cannot be done without a SIM card inserted or with the mobile cellular network turned off. Therefore, even with one-click login, we should remain compatible with traditional login methods, allowing users to enter their mobile phone number manually when authentication fails.

Each of the three carriers has its own SDK, but each SDK does not necessarily support the other carriers’ authentication. As a result, many of today’s products with one-click login support only one carrier. To be compatible with all three carriers, you need to integrate three SDKs.

There is now also a simpler method: integrating a third-party SDK that combines the authentication capabilities of the three major carriers. At present, there are mainly the following:

  • Ali – Number authentication service
  • Aurora – Aurora certification
  • MOB – second test

Their principles and usage are basically the same; you can check their specific documents.

Let’s talk about the price, which is what we care about. I have looked into the pricing of the operators and of the services mentioned above, and the price of one authentication varies from 4 to 6 cents, among which the cheapest is the second test of MOB. But the price might change, so I’m not going to go into that. Generally, a successful exchange for the mobile phone number is counted as one charged call, while calls to the number prefetch interface and failed authentications are not charged. Overall, one-click login costs about the same as sending a verification SMS. Each SMS sent is charged once, but users may need to request verification codes several times before they log in successfully. With one-click login, once the phone number has been retrieved, the login has basically succeeded. So, counting the number of charged calls, integrating one-click login should save a little.

At present, one-click login is in its infancy. The operators’ authentication services still need to be improved, and users still need time to accept it. But there is no doubt that one-click login will become one of the mainstream login methods in the future.
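
The server side of the “retrieve the number” step and the fallback to manual login described above, as an added example that is not code from the article or from any carrier SDK. The gateway class is a constructed stand-in for the operator’s interface; its names, the 120-second token lifetime and the single-use behaviour are assumptions.

```python
import secrets

TOKEN_TTL = 120  # seconds; assumed token lifetime, the real value is set by the carrier

class StubCarrierGateway:
    """Constructed stand-in for the operator's number-retrieval interface."""
    def __init__(self):
        self._tokens = {}  # token -> (phone number, issue time)

    def issue_token(self, sim_number, now):
        # Real flow: the SDK gets this token after the user agrees on the authorization page.
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (sim_number, now)
        return token

    def exchange(self, token, now):
        # Assumed single-use: pop() consumes the token whether or not it is still valid.
        number, issued = self._tokens.pop(token, (None, 0))
        return number if number and now - issued <= TOKEN_TTL else None

class LoginServer:
    def __init__(self, gateway):
        self.gateway = gateway
        self.users = {}  # phone number -> user id

    def one_click_login(self, token, now):
        """Takes only the token; the phone number comes from the carrier, never from the client."""
        number = self.gateway.exchange(token, now)
        if number is None:
            return {"ok": False, "fallback": "sms"}  # let the user enter the number manually
        registered = number not in self.users
        if registered:  # login and registration are combined, as described earlier
            self.users[number] = len(self.users) + 1
        return {"ok": True, "user_id": self.users[number], "registered": registered}

def demo():
    gw = StubCarrierGateway()
    server = LoginServer(gw)
    sim = "13800000000"  # constructed sample number
    first = server.one_click_login(gw.issue_token(sim, now=0), now=2)
    token = gw.issue_token(sim, now=10)
    again = server.one_click_login(token, now=12)
    replay = server.one_click_login(token, now=13)  # same token presented twice
    expired = server.one_click_login(gw.issue_token(sim, now=20), now=20 + TOKEN_TTL + 1)
    return first, again, replay, expired
```

Because the login endpoint accepts only the token, a client cannot log in as an arbitrary number by editing the request; a replayed or expired token ends in the manual-entry fallback instead of a session.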