I'm exploring a new idea called FediOTP (codename): an authentication system that uses #ActivityPub DMs to deliver one-time passwords, allowing any #fediverse account to authenticate with web services. Unlike current solutions that rely on specific APIs (#Mastodon, #Misskey), this would work with any ActivityPub-compatible server, increasing interoperability across the fediverse. Would love to hear your thoughts on potential challenges or use cases for this approach.
@hongminhee What can be done with email can also be done with ActivityPub. For example, I'd love to be able to register on websites with a WebFinger address instead of an email address. Some sites already support registration with Matrix or XMPP addresses, but I haven't yet seen WebFinger being offered.
@hongminhee
I may be wrong, but it seems that Bluesky uses something similar.
@hongminhee Hmm…you should take a look at Owncast. They do this already to authenticate to chat. It’s one option of several, you can also authenticate via IndieAuth. I’ll spin up a live stream and demo it if you’d like.
For those skeptical of DMs in #ActivityPub: I'm also considering an alternative verification approach using ActivityPub's Question feature. Instead of sending numeric codes, the system could send a poll with several emoji options, and the user would select the one that matches what's displayed on their login screen. This visual authentication method might offer better security against certain automated attacks while still leveraging federation rather than platform-specific APIs. Would this approach address some of the privacy concerns around DM-based verification?
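The emoji-poll check from the post above, sketched as an added example that is not part of the original thread or of any FediOTP code. It assumes the inbox handler has already verified the HTTP signature on the incoming activity and that votes follow the Mastodon convention (a Create whose Note carries the chosen option in `name` and the poll id in `inReplyTo`); `login.example`, `new_challenge` and `verify_vote` are hypothetical names.

```python
import hmac
import secrets
import time

EMOJI = ["🍎", "🚀", "🐢", "🎲", "🌵", "🔔"]  # constructed option pool
TTL = 300       # seconds a challenge stays valid (assumed policy)
_pending = {}   # question id -> (actor, expected emoji, expiry)

def new_challenge(actor, service="https://login.example", now=None):
    """Return (emoji to display on the login screen, Question object to deliver)."""
    now = time.time() if now is None else now
    options = secrets.SystemRandom().sample(EMOJI, 4)  # CSPRNG, not random.sample
    expected = secrets.choice(options)
    qid = f"{service}/challenges/{secrets.token_urlsafe(16)}"  # unguessable id
    _pending[qid] = (actor, expected, now + TTL)
    question = {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "Question",
        "id": qid,
        "attributedTo": f"{service}/actor",
        "to": [actor],  # addressed to the account only, never to Public
        "content": "Pick the emoji shown on your login screen.",
        "oneOf": [{"type": "Note", "name": e} for e in options],
    }
    return expected, question

def verify_vote(activity, now=None):
    """Accept a vote only if it is fresh, first, from the right actor, and correct."""
    now = time.time() if now is None else now
    note = activity.get("object", {})
    # Pop before checking: one attempt per challenge, so options cannot be guessed.
    entry = _pending.pop(note.get("inReplyTo"), None)
    if entry is None:
        return False
    actor, expected, expiry = entry
    if now > expiry or activity.get("actor") != actor:
        return False
    chosen = str(note.get("name", ""))
    return hmac.compare_digest(chosen.encode(), expected.encode())
```
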
@hongminhee it's not a bad idea, but I think OIDC is still better. I have some notes here:
https://evanp.me/2024/04/22/cross-server-interactions-in-activitypub/
