+39
Completed

Streamlined sign-in from car (e.g. 4-digit PIN)

mkolowich 7 years ago updated by zavaboy 4 years ago 18

This should probably wait until we see the browser revisions that are due in the next few weeks, but once the Tesla browser is revealed, it would be great to evolve to a simple PIN-based approach to signing in to TeslaFi from the car.


How this works will depend on: whether the new browser supports cookies; whether the new browser is detectable as a Tesla browser; and whether there is a way to detect that a specific vehicle is accessing TeslaFi.


But the closer we can get to "enter a 4-digit PIN" on sign-ins subsequent to the first from the car, the better.

    +1

    Works like a charm, James -- thank you.

    +2

    If anyone would like to test the usability of this, let me know if you run into any issues. There will be a new 'Phone login' button that appears when you're using the browser in your car, which will pop up the QR code to scan with your camera app. Once you visit the link, it will log in the car if you're already logged in with your phone, or once you log in with your phone.

    Alternatively you can bookmark https://www.teslafi.com/Tesla in your car to get straight to the QR code each time.

    James

    +1

    I have tested this and it works well! Thanks!

    Tip for Android users: Make sure you are logged in inside Chrome (or whatever you have set for opening links). I logged in inside the Google app and Chrome did not have my session so I was asked for TeslaFi login again. To fix this simply open it in Chrome using "Open in Chrome" in the menu and your session will be copied over to Chrome.

    +1

    Will definitely try it out tomorrow, thanks @James for adding this :)

    +1

    @James - just tried it out now and worked perfectly. Only minor improvement I can think of is to auto-refresh the page when successfully verified but that's just a minor thing, the screen on the phone does tell you to hit refresh (it's just for a lot of these mobile QR logins such as Plex, YouTube, BBC iPlayer, etc. it refreshes automatically so the user might be expecting that!). Thanks for adding this.

    +1

    I think this would be a worthwhile improvement. Even when I tried, even though I was given instructions to hit refresh, I was still half expecting it to automatically refresh.

    +3

    My 2 cents:

    Create a page which may be accessed while not logged in for external logging in. Let me explain how that can work.

    While not logged in on Tesla browser: link_session.php

    Let's say you put this page in your Tesla browser favorites and click on it. You see nothing but a large QRCode with a 4 to 6 character easy to read code and maybe a short paragraph explaining how to use this feature, few simple links to home, FAQ, legal disclaimers, etc. and logo. In the background, it's waiting for you to authenticate from another device. This QRCode is a URL which includes this single use code seen on the screen.

    While logged in on smartphone: link_session.php?verify=X3JU

    So, you are logged in already on your smartphone. You open your camera app and hold it up to the QRCode, which directs your phone to a page which now verifies your login from your smartphone and ties it to the session which generated the code. If you aren't logged in on your smartphone, you will be prompted for a login just as you would be normally before it verifies. Congrats! TeslaFi now knows both the Tesla browser and your smartphone belong to the same user and logs you in on your Tesla. This should only take mere seconds to log in using this method.

    If for some reason you can not get the URL from the QRCode, simply go to a page once logged in on your smartphone where you may enter the code clearly displayed in your Tesla browser.

    The code can expire after a short time, but it's not very necessary as the code has no association with any account until it has been verified anyway. Just allow a period of time since last verification attempt before a code may be reused. If someone keeps hitting an expired or otherwise invalid verification code, you wouldn't want to issue it to anyone unless it's been a considerable amount of time since the last attempt. Even this may not be necessary.

    I hope I explained this well.
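
The flow proposed in the post above, sketched as an added example (not part of the original post and not TeslaFi's code). The class and method names, the four-character alphabet, and the `CODE_TTL` and `REUSE_COOLDOWN` values are assumptions made for illustration.

```python
import secrets
import time

ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # skips look-alikes such as 0/O and 1/I/L
CODE_TTL = 120         # assumed: seconds a displayed code stays valid
REUSE_COOLDOWN = 600   # assumed: quiet period before a code may be issued again


class LinkService:
    """In-memory stand-in for the server side of link_session.php (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # code -> {"car_sid", "expires", "user"}
        self.last_seen = {}  # code -> time of last redemption or failed attempt

    def start(self, car_sid):
        """Car browser, not logged in: issue the code shown as text and QR URL."""
        now = self.clock()
        while True:
            code = "".join(secrets.choice(ALPHABET) for _ in range(4))
            live = self.pending.get(code)
            seen = self.last_seen.get(code)
            if (live and live["expires"] > now) or (
                    seen is not None and now - seen < REUSE_COOLDOWN):
                continue  # still displayed somewhere, or recently used/probed
            self.pending[code] = {"car_sid": car_sid, "expires": now + CODE_TTL, "user": None}
            return code

    def verify(self, code, phone_user):
        """Phone opens ?verify=CODE; phone_user is None when it has no session."""
        if phone_user is None:
            return "login_required"
        now = self.clock()
        entry = self.pending.get(code)
        if entry is None or entry["expires"] <= now or entry["user"] is not None:
            self.last_seen[code] = now  # a miss restarts the reuse cooldown
            return "invalid"
        entry["user"] = phone_user      # the code gains an account only here
        return "linked"

    def poll(self, code, car_sid):
        """Car page polls; only the session that was issued the code may redeem it."""
        entry = self.pending.get(code)
        if (entry is None or entry["car_sid"] != car_sid
                or entry["user"] is None or entry["expires"] <= self.clock()):
            return None
        del self.pending[code]          # single use
        self.last_seen[code] = self.clock()
        return entry["user"]
```

Binding the code to the car's own session in `poll` means that reading the code off the screen is not enough to redeem it from another browser.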

    +2

    This is a great approach at solving this.  I've gone ahead and implemented pretty much everything mentioned here except for manually typing the code.  I can always add it if necessary but the QR code seems to work well.

    James

    Yep, this is how lots of services on Smart TVs link to existing accounts, by displaying a confirmation code on screen. Key thing is to minimise the amount of typing required on the 'big screen' (in this case the Tesla browser) 

    +1

    While on this subject, I thought I would add that one of my friends at Tesla said the Tesla browser has a unique browser signature, thus web sites can determine the browser type and realize the request is coming from a Tesla as opposed to maybe a computer browser or smart phone.   Maybe that helps with coding or maybe it doesn't.   I do agree this would be nice to have a more streamlined way of logging in from the car.  If anyone can figure this out, it will be James.   From what I see here, he is one really smart web dude!

    +1

    Problem is that the server can never be sure of the source. Identifying the browser is only good for "knowing" what capabilities that browser can support, you can't use it to ensure it's a Tesla. Browser ID can easily be spoofed. Combine this with an actual security solution maybe, but not just this.

    +3

    Another app has come up with an elegant solution to this.  A signed-in user has the option to generate a URL that has a secret authentication token built into the URL as a parameter, and then bookmarks that parameterized URL rather than the general Teslafi.com URL in the car browser.  This way, whenever that bookmark is accessed in the car, Teslafi is launched and logged in.


    I'd love to see Teslafi implement this method before Autopilot drives me into a tree while I'm entering my username and password!

    +1
    Under review

    This seems like a pretty big security risk to log in to your full account based on accessing with a URL. Do they have a special page that comes up when accessing directly from the URL? For example a page that doesn't allow for editing, controls, etc.?

    +2

    I agree with James that it can be a security risk to just have a secret token on a URL if it gets into unauthorized hands. 


    One method done with mobile logins on a project I worked on:

    A token as mk mentions above is tagged onto the end of the URL. In this case it could be as simple as the last few digits of the car identifier. The customer stores the URL in their favorites in the mobile device. In this case, the Tesla's browser. When the URL is accessed, it sends a 4-digit code to the user's cell phone for them to enter on the web site. It's not as easy as just clicking on a cryptic URL, yet still easier and faster than entering a username and password.


    Separately, I have also seen Samsung and a couple other companies use that idea to connect a smart phone to a TV for streaming.  A couple financial sites also use this method.


    At home I use a password manager program to just click on an icon and automatically login to TeslaFi, but as far as I know, there is no such thing for the Tesla browser to make logins easy.

    Or even not having to enter a PIN at all (well, an option once a cookie is set) - in many cases it'll only be the owner likely to attempt to access anyway.

    +1

    Agree with this, except cookies don't work in the car as far as I understand from one of the developers.