PINDROP BLOG

Facebook Releases Account Kit SDK for Authentication Without Passwords

Facebook has released a new SDK called Account Kit that enables app developers and site owners to provide a login experience without passwords.

The new system, which the company announced at its developers’ conference yesterday, uses Facebook’s own infrastructure to perform authentication via SMS and email. Account Kit doesn’t require that users have a Facebook account in order to register with a site or app that uses the system.

“Account Kit is built for the mobile world, providing long-lived sessions, easy account management, and no passwords to remember. When a person initiates a login with their phone, an SMS confirmation code is sent to that number for validation. Similarly, email accounts are validated with a one-time link sent to the person’s email address. The SDK will detect when an email address is verified every time a login is initiated,” Facebook says in its description of the new system.

“The login flows for Account Kit combine account registration and account login. There is no need to check if an account exists already or to use a separate flow to register new users. After a successful login or registration, an authentication credential associated with the user will be made available.”

The Account Kit system has SDKs for iOS, Android, and the Web and it’s designed to simplify the account registration and login process for users. Rather than generating a new username and password for a given app, a user can just her mobile number and then will receive a text message confirming that an account has been created. The system relies on Facebook’s API and the company said it can be localized for a number of countries.

Facebook is already one of the larger authentication providers on the Web, through its social authentication system. Many third-party sites allow visitors to login with their Facebook credentials, but that still requires a username and password and obviously doesn’t work for people who don’t have Facebook accounts. Account Kit takes that one step further and removes the obstacle of needing a Facebook account. For developers, the system provides long-lasting sessions and takes the pain of authentication out of their hands.

“Your application’s authentication can work two ways. In your app’s dashboard, there is a switch labeled Enable Client Access Token Flow. When that switch is ON, your client application will (after a successful login) directly receive a long-lived access token, which it is then responsible for securely passing to your server to be used in API calls,” the developer’s guide for Account Kit says.

Image from Flickr stream of C_osett

Webinar: Call Center Fraud Vectors & Fraudsters Defeated