How to allow login of user through mobile number?

In India at least, people rarely change their number. They change their handsets/devices, their operators, but not their numbers. (Number Portability is allowed in India and many other countries).

And in rare cases, when a user does happen to change his number, and opens any app which was attached with his old number, he is given OTP option (in which his old number will receive an OTP one last time); or security questions (in which he’ll be asked a few security questions). And this way he can effect the number change.

And this is practically happening in India daily.

4 Likes

:clap::clap::clap::clap::clap::clap:

1 Like

There is very widespread precedent of “mobile phone number == identity”. This is how WhatsApp works; they have 1.5 billion active users.

I think any experiment here should probably start with a plugin. It would be an interesting experiment and require some SMS inbound API integration.

How notifications would be handled though is a conundrum under a system like this.

11 Likes

As part of the broad PWA Spec, browsers will be able to read one-time passwords from SMS using a new web API. This is coming this year to Chrome on Android, and was created to deal with cases like this.

https://bugs.chromium.org/p/chromium/issues/detail?id=670299&q=owner%3Agoto%40chromium.org&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified

6 Likes

Passwords through SMS is not secure though, e.g.

Why would we want to support that?

6 Likes

The uptake of email in India is rising too. In 2011 only 2% of the population had any form of email, as of last year it’s close to 1 in 6.

3 Likes

As we experience first hand in India in an average district, majority of these new users have to get someone to create an account on Gmail, just because they want to use WhatsApp and WhatsApp cannot be downloaded unless you’ve a playstore login ID (that’s =Google id).

And thereafter they never sign in to their Gmail. Not even once. For all purposes, they never know what their id is (far is password).

And sometime, for whatever reason, they happen to logout of their account on android, and they need to login once again in their Gmail account, they keep carrying their Mobiles to different known persons, requesting them to help start their mobile again. (they consider their mobile to be not usable if either WhatsApp stops, or calling stops)

4 Likes

We would be extremely happy to take place in any plugin experiment. How would we proceed to find someone to author it? Do we need to fund the SMS gateway for phone validation?

Please advise. I think it’s worthwhile testing it and seeing the uplift in registrations, as opposed to continuing the debate. There’s a reason why Facebook / WhatsApp offer it.

As far as notifications go, considering now that we have browser based notifications, at least there’s an alternative. Looking into occasional SMS notifications is not a bad idea, though I don’t think it’s the priority right now. I would expect it could start with a weekly or monthly reminder that there are new updates (if user hasn’t visited the community) and take users to their notifications page. Easy opt-out would be needed. Again, I wouldn’t include this in the plugin MVP.

1 Like

Sorry, I should have clarified above - those figures aren’t ‘email accounts created in India’, that’s the number of unique mobile device users actively connecting to email devices every month.

Those figures are also against the total Indian population for 2018 of 1.344 billion. Measured against the 566 million internet users in that same period, the number of active email users is just over 35%.

1 Like

ProCourse is actually in the middle of a project like this for a client that is willing to let us open-source the work.

https://github.com/procourse/discourse-sms-authentication

The idea is not to use SMS as a password, but to simply replace the sending of emails with sending SMS through Twilio, Africa’s Talking, and Braze campaigns. The first two are currently implemented and seem to be working well. The last is currently in development.

The concept is to hide the email address on sign-up and fill it in behind the scenes with addresses that mimic the phone number: phone+555-555-5555@example.com. That way Discourse still works with emails if it needs.

But then we tie into specific events (user creation, password update, PM sent, mentions, etc…) and send SMS notifications on top of the email. But since the email is going to the aliased email, the user never has to deal with it.

14 Likes
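A sketch of the phone-to-alias mapping described in the post above, as an added example that is not part of the original post or the plugin's code. The `PhoneAlias` module, its method names and the `default_cc` parameter are hypothetical. Unlike the `phone+555-555-5555@example.com` form in the post, it strips punctuation so that every spelling of a number maps to one account.

```ruby
# Added example; names are hypothetical, not the plugin's API.
module PhoneAlias
  ALIAS_PREFIX = "phone+"
  # E.164 allows at most 15 digits; the 8-digit lower bound is an assumption.
  DIGITS = /\A[1-9]\d{7,14}\z/

  class InvalidPhone < ArgumentError; end

  # Canonicalise user input to bare digits including the country code.
  # default_cc is prepended when the input has no leading "+" (assumption
  # for numbers typed in national format).
  def self.normalize(raw, default_cc:)
    s = raw.to_s.strip
    # Allow only digits and common separators; reject anything else outright.
    raise InvalidPhone, "unexpected characters" unless s.match?(/\A\+?[\d\s().-]+\z/)
    digits = s.delete("^0-9")
    digits = default_cc + digits.sub(/\A0+/, "") unless s.start_with?("+")
    raise InvalidPhone, "bad length" unless digits.match?(DIGITS)
    digits
  end

  # Build the hidden e-mail address stored on the account.
  def self.to_email(raw, domain:, default_cc:)
    "#{ALIAS_PREFIX}#{normalize(raw, default_cc: default_cc)}@#{domain}"
  end

  # Reverse lookup used when deciding to send SMS instead of e-mail.
  # Returns "+<digits>" only for a well-formed alias on our own domain.
  def self.phone_for(email, domain:)
    local, _, host = email.to_s.rpartition("@")
    return nil unless host.casecmp?(domain) && local.start_with?(ALIAS_PREFIX)
    digits = local.delete_prefix(ALIAS_PREFIX)
    digits.match?(DIGITS) ? "+#{digits}" : nil
  end
end
```

Because Discourse still sends mail to the aliased address, the alias domain should be one the forum operator controls, so that account e-mails are not delivered to a third party.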

What if a user wants to swap from using SMS authentication to email-based? Do you have plans to cater for that?

Not currently. This plugin was designed as a complete swap. The main audience being African countries where most people don’t have an email address but most everyone has a smartphone.

6 Likes

So what requirements would a forum provider have if they want to integrate? Create their own Twilio and/or Braze account?

Install the plugin, create a Twilio account, and fill out the site settings for it. It’ll require the API Key for Twilio and the email domain to use for the aliased email account.

6 Likes

Has anyone considered using Facebook’s Account Kit? It’s a passwordless login method that works with e-mail or phone number. I think it’s free up to 100.000 sms per month.

4 Likes

@joebuhlig can we please touch base on this work? Please call or email.

They stopped the service.

1 Like

Hello Everyone:

Wanted to revive the topic to see if there has been any progress or updates for this feature request, especially from @joebuhlig.

Context: We work with farming communities (majority are small farmers) in Tamil Nadu, India. Email prevalence is almost non-existent. Mobile phones are pervasive.

Would be great to get a mobile phone based authentication & notification features added to Discourse’s fantastic forum capabilities.

Thanks in Advance.

7 Likes

Sorry. Nothing to report from my end. The project didn’t make it to completion.

4 Likes

Oh, that is too bad. Using an email alias seemed like a good workaround. Thanks for the update.