Jonas Wielicki jonas at wielicki.name
Wed Jun 8 14:13:36 UTC 2016

On 08.06.2016 15:28, Jonas Wielicki wrote:
> On <https://wiki.xmpp.org/web/Easy_Onboarding>, someone wrote
>> To allow for password recovery, something needs to be done. One
>> possibility is to ask the user for their phone number or email
>> address. However, users often mistype things, so that the
>> number/address needs to be validated during onboarding. This is
>> making XMPP less accessible and onboarding more complicated.
> Mobile clients (which are, I feel, those with the most need for a very
> very very simple onboarding process) could simply let the user choose
> one of the phone numbers associated with the device. A server operator
> would in that case have to send a check SMS. "Ideally", the client would
> transparently read that SMS if the user allows that, or the SMS contains
> a URL which can be opened with either the XMPP client or with a normal
> web browser which concludes the verification.

Thinking more about this, the URL must only be handleable by the XMPP
client, and whatever authentication token it contains should be sent
over an authenticated XMPP connection. Otherwise, if the user indeed
makes a typo in the number and a malicious third party receives the
token, they could easily take over the account if it did not require a
working, authenticated XMPP connection :-)
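The binding described in the message above, as an added example that is not part of the original post or of any XMPP server implementation: a toy onboarding server that issues an SMS token for a phone number and then accepts it in two ways. `verify_via_web` is the weak design, where the bare token from the URL proves ownership, so whoever receives the mistyped SMS can bind the number. `verify_via_xmpp` is the hardened design, where the token is only accepted over the authenticated session of the account it was issued for, and is additionally single-use and time-limited. The `Session` class, the JIDs, the phone numbers and the `TOKEN_TTL_SECONDS` value are all constructed for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetime of a verification token (constructed value for the example).
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Session:
    """Stand-in for an XMPP connection; authenticated_jid is None before SASL succeeds."""
    authenticated_jid: Optional[str]


@dataclass
class PendingVerification:
    jid: str          # account the SMS token was issued for
    token: str        # secret embedded in the URL sent by SMS
    phone: str        # number as typed by the user (possibly mistyped)
    issued_at: float
    consumed: bool = False


class OnboardingServer:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: Dict[str, PendingVerification] = {}
        self.verified_numbers: Dict[str, str] = {}

    def issue_sms_token(self, jid: str, phone: str) -> str:
        """Create a fresh token and record which account and number it belongs to."""
        token = secrets.token_urlsafe(24)
        self._pending[jid] = PendingVerification(jid, token, phone, self._now())
        return token  # the server would now send an SMS containing a URL with this token

    def _usable(self, pv: PendingVerification) -> bool:
        return not pv.consumed and (self._now() - pv.issued_at) <= TOKEN_TTL_SECONDS

    def verify_via_web(self, token: str) -> bool:
        """Weak design: a plain web browser opens the URL, so the token alone wins.
        Whoever received the SMS (including the wrong recipient after a typo) succeeds."""
        for pv in self._pending.values():
            if self._usable(pv) and hmac.compare_digest(pv.token, token):
                pv.consumed = True
                self.verified_numbers[pv.jid] = pv.phone
                return True
        return False

    def verify_via_xmpp(self, session: Session, token: str) -> bool:
        """Hardened design: the token is looked up by the authenticated JID of the
        presenting session, so it is worthless to anyone who is not logged in as
        the account that requested the verification."""
        if session.authenticated_jid is None:
            return False
        pv = self._pending.get(session.authenticated_jid)
        if pv is None or not self._usable(pv):
            return False
        if not hmac.compare_digest(pv.token, token):
            return False
        pv.consumed = True
        self.verified_numbers[session.authenticated_jid] = pv.phone
        return True


def demo() -> Dict[str, bool]:
    """Replay the typo scenario from the thread against both designs."""
    clock = [1000.0]
    alice, mallory, number = "alice@example.net", "mallory@example.net", "+15550100"

    weak = OnboardingServer(now=lambda: clock[0])
    token = weak.issue_sms_token(alice, number)
    results = {"weak_third_party_wins": weak.verify_via_web(token)}

    hard = OnboardingServer(now=lambda: clock[0])
    token = hard.issue_sms_token(alice, number)
    results["hard_unauthenticated"] = hard.verify_via_xmpp(Session(None), token)
    results["hard_other_account"] = hard.verify_via_xmpp(Session(mallory), token)
    results["hard_wrong_token"] = hard.verify_via_xmpp(Session(alice), "not-the-token")
    results["hard_owner"] = hard.verify_via_xmpp(Session(alice), token)
    results["hard_replay"] = hard.verify_via_xmpp(Session(alice), token)

    hard2 = OnboardingServer(now=lambda: clock[0])
    token = hard2.issue_sms_token(alice, number)
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["hard_expired"] = hard2.verify_via_xmpp(Session(alice), token)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The key difference is the lookup: the hardened path never searches by token, it starts from the session's authenticated JID and only then compares the token, so a token delivered to the wrong phone cannot be turned into control of someone else's account. Expiry and single-use limit the window further even for the legitimate owner.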


