Richard Shepherd

DID — The simplest way to add passwordless auth to websites & apps

DID is the fastest and simplest way to get authentication done on your website. DID authenticates with a key pair stored on the user’s device. Authentication is instant and passwordless. DID is an identity provider compatible with OAuth and OpenID Connect.
Anna Filou
What if I wanna log in on a new device just once, without registering that device? (Say I'm at a friend's house, using their computer.) How do you handle that?
Peter Saxton
@anna_0x You can always log in using an email, and not select to trust that device. We do have on our roadmap (https://did.nolt.io/) the feature to be able to sign in using a QR code, so you could click sign in with QR on your friend's computer, scan that with your trusted phone and have one-time access to your accounts on your friend's computer.
Richard Shepherd
Hi Peter, Thank you for your insights into how you've been considering authentication for your application. In addition to your comments about SSO, we also found that some users complain they can't remember which social account they used to sign into a service with (was it Facebook, was it Twitter etc) so they then have to go through the options trying to remember. A once convenient feature becomes very inconvenient in that scenario. Thank you as well for your honest feedback on our explainer video. At the moment, Peter and I are self-funding DID and as a result we are strapped for funds and time is very precious. We made that video ourselves with tools we could get our hands on quickly and easily and I very much agree with you that it isn't perfect! In the very near future we would both like to add more production value to our explainer video. We didn't mean to trivialise the subject, you're right, the opportunities for user experience that passwordless authentication offers do deserve more production value. Very helpful comment and thanks again.
Peter Vandendriesse
@richardesigns Totally understand getting something fast and cheap (we're bootstrapping too), but figured it was worth mentioning. Hope I didn't come off as a dick! :)
Peter Saxton
@richardesigns @pvan1201 Not at all, and we don't think you're wrong.
Richard Shepherd
@pvan1201 haha, not in the slightest. Bootstrapping - move quickly, maybe make a goofy vid. My new mantra. What's your product? We probably owe you a +1.
Peter Vandendriesse
@richardesigns we're a couple weeks away from our PH launch. But I wouldn't post it here anyway - today is about you guys! :)
Tom Medema
Great solution, particularly interesting to track conversion rates with the reduced friction this provides, as a commenter has already mentioned! Also, I left some tips for you here on your landing page that I hope are helpful to you! -- https://app.usebubbles.com/f3377...
Peter Saxton
@tom4 Thanks for the feedback, and bubbles is a nice tool
Peter Saxton
Hi everyone, We are Peter and Richard and we are excited to share DID with you. DID was created so that we could all stop using passwords. Most of us have too many passwords and we don't like using them. Not wanting to remember the details of another account is often the reason I don't sign up for a new service. Creating DID has shown us there can be a better way to handle authenticating for a service. We really like it and hope you do too. Let us know what you think, and we are of course happy to answer any questions. Cheers
Yatima Kagurazaka
@crowdhailer Thank you for your cool product information. So what do you think about its strength against competitors like Firebase Auth or Auth0?
Peter Saxton
@yatima_k The alternatives you mentioned make it very easy to do Authentication the established way, for example using email + password. We aim to offer just one way to do authentication, that is the way your users will find simplest.
Kevin Quinn
Cool product, though the private key stored locally brings up a question. Can you explain what options a DID user has if their laptop containing the private key is stolen?
Richard Shepherd
@idontremember Hi Kevin, thanks for your question. If any device is lost (including a laptop but it could be a phone or tablet) then the user has the option to untrust that device from inside their DID account. The user needs a device that isn't lost in addition to the one that is lost but if the user can access the internet, they can access their DID account and untrust a previously trusted device. What we also found during our testing and gathering rounds of feedback is that devices tend to be locked either with a pin code, a device password or something more personal like your face scan or fingerprint scan. If the device is lost, the thief would still need to access the operating system. It's worth adding I feel that, while devices do get lost and stolen, they are much harder to steal than a digital password is to phish or crack for example. We advise users to only trust devices that are secured with biometrics or pin codes to mitigate this risk, however. In addition to this, if a device is stolen that has no 'lock', the thief could still access websites that have long-lived sessions or 'saved passwords' in exactly the same way. Our aim has always been to make sure DID's device authentication is at least as secure as a username/password sign in with our focus being on convenience for the user and potential conversion improvement for the website. I hope this answers your question, please let me know if you have any other comments and thank you for your interest in DID.
Almar Klein
I've previously liked the idea of using social accounts, which prevents the user from having to deal with yet another password. Plus you can rely on that social network's security measures. However, I've always hated that you're essentially locking your users into a 3rd party company. With DID's approach, you have the same benefits, without the lock-in!
Peter Saxton
@almarklein cheers. Another problem that we aim to fix vs those social login solutions is that we don't have a business model that relies on tracking our end users as they sign in to different services.
Peter Vandendriesse
Super interesting, as passwordless login has been a friction point for us, in finding the right "balance" of pleasing users. (Some love passwordless, some want passwords, some want SSO via social, but having all of these would be ultra confusing and result in multiple accounts). I actually inadvertently have multiple PH accounts due to bouncing between their SSO options. Brutally-honest nitpick - your explainer video comes across as very amateurish with the low-budget, animate-a-doodle stuff. This is a big step in the right direction for user experience and tech, and should be treated as such in that video. I'd recommend dropping the goofy music and doodles and focus on a clean video that shows exactly what the end user would see/experience using DID, as well as a few points addressing security measures taken. Hope that helps, and good luck!
Alex Tassone
Cool product given the CX it can achieve. How has your feedback around "security concerns" been so far and are you looking to take this to enterprise products too?
Peter Saxton
@alextassone once people realize that almost every password-based authentication solution has an email reset and that DID is at least that secure we have received good feedback. We are focused on improving User Experience without any compromise when compared to existing systems. We think we have achieved that. There are enhancements that could add even greater security, such as locking your account to only be accessible from trusted devices, i.e. no more email reset. These are things which we can roll out over time with customers of DID having to make no changes to their integration with DID; these features are on our Roadmap. Could you expand a bit on what you mean by enterprise product? Something that enterprises could use to authenticate their own employees?
Alex Tassone
@crowdhailer yeah sure. It is for both internal enterprise tools and also for enterprise grade products such as a new mobile app for financial traders at the large banks.
Peter Saxton
@alextassone We would potentially tackle these audiences however the market is quite crowded for very high security requirement solutions. So we prefer to focus on improving CX and then look to add the enhancements I mentioned in the previous comment.
Lewis Aburrow
I've been impressed whilst trialing this. I thought the first site I visited with DID was almost frictionless but it just gets better with each site after that. I've not tried jumping between devices, how is that handled?
Peter Saxton
@lewisea thanks for the kind comments. We handle recovery of accounts via email. It is also possible to use your email to add multiple devices to the same account. All of this is handled by DID and when building a website or app you will just have a single identifier for the user to work with.
Richard Shepherd
@lewisea Hi Lewis, thanks for your question. If you signed up using your mobile phone, for example, and then wanted to sign in on your laptop, DID issues a link to your email which you use to authenticate on the new device. You can choose to authorise multiple devices, a phone, a laptop, a tablet for example. DID then provides you, the end user, with a list of all the devices you have authorised so you can easily manage them. This is slightly easier, we've found, than trying to use a password manager across multiple devices. Does this answer your question?
Duarte Martins
Genuine paradigm shift - this can do wonders for conversion rates by reducing friction.
Richard Shepherd
@duarteosrm Thanks Duarte. I think there is certainly potential for supercharging conversion rates, particularly once a DID user who has already trusted a device visits a new website using DID, they can sign in with just one click. There is such a lot of friction with asking a user to choose a username and password. Our challenge is evidencing that improvement in conversion rate in order to sell that as a feature. Hopefully in time, working with our community of users, we'll be in a position to evidence significant improvement in conversion rate.
Richard Shepherd
@duarteosrm wonderful! Please let me or Peter know if you would like any help.
Yevhenii Kurtov
?makers the product is really lovely! I remember I saw a few mentions about something in Elixir/Phoenix circles. What tech stack are you using? Are there any open-source products around DID?
Miro Ćosić
Looks cool, but I don't really see that much need for it. Password manager + social login covers 100% of my needs. And I guess the same is for majority of the internet users. Good luck though! ;)
Peter Saxton
@miro_cosic sites cannot assume their customers are using password managers, so there is always the possibility that an account that has password authentication is using a weak/compromised or easily guessable password. Social login is a problem when multiple options are offered: there is a choice paralysis on deciding which one to use and, when returning, remembering which one you used last time.
Sven Kudszus
How come I have to give you an email "instead of One Click" to register at your website??
Peter Saxton
@sven_kudszus email is used for recovery of lost devices. Because we are moving to a new paradigm, the email-first flow is best for conversion rates, as it confuses fewest visitors. All the keys are stored in your browser in the mydid.app domain. If you want to try you can:
- Visit mydid.app first and set up your device, still with email backup.
- Then when you sign up at did.app you can sign up with a single click for as long as you have that device, or until you clear your history.
Richard Shepherd
@pvan1201 - please see my reply to your message above. Thanks for your comments.
Samir Khosla
Looks like a very good solution but I don't see any mention of the pricing