Account authentication
Current Project Status: unfunded
Total amount received: $0
Total amount requested: $22000
Total percentage received: 0%
Solution
A web extension that uses your HD wallet to sign authentication messages and lets you log in to online services. Backup is in your wallet.
Problem
Each online service account requires you to create a user & password, which can get hacked or which you can forget.

Team

Detailed Plan

** Executive Summary. Why do we need this?

Your browser extension web wallet is great; it comes in handy when you need to pay online. However, that is the smallest part of your needs online. Most of the time you must manage each of your accounts with service providers. You must authenticate to access their service, most of the time by username and password. Your service provider stores those users & passwords, and when they get hacked, your account passwords end up floating on the internet. To reduce that risk you use password managers, so you can use a different password on every service & keep track of it.

Wouldn't it be awesome if your wallet would take care of authenticating you? Your wallet can sign authentication messages. What would be more secure than actually logging in with your own keys? Your keys, your coins, your accounts. You are in complete control & ownership.

It is already possible. The Hive blockchain uses this system to authenticate users: their web extension wallet manages different types of keys, one for authentication to their social network and one for spending your funds. Their innovation can be adapted to be compatible with Cardano, allowing us to profit from it and also use our own innovations. It will unlock, as it has done in Hive, not only social media applications but the highest growing sector in crypto: Gaming.

** Impact & target group

Most blockchains focus on finance. Of course we all need money, it is super important, and thus there are a lot of underserved markets & promising ventures to work on. However, you will log in to services daily, more often than you will send/receive a payment. Authentication is a big problem and we wing it with username & password. Public-key cryptography solves the authentication problem; we just need to use it and have it handy in our wallets.

Today, we have HD wallets and their derivation paths. We can pick one path to serve authentication purposes, and thus never mix those keys with your hard-earned ADA. This would give your accounts the same level of security and authentication that public-key cryptography offers for your funds. It also becomes an immediate two-factor authenticator: you have your keys and you know your unlock password, and both components are in your control instead of stored by your online service provider.

Additionally, you no longer need to remember passwords, have a password manager, or use Google authentication services. This is great for users and application developers, because all authentication happens at the cryptographic level and the user is in full control and custody of their login keys.

From the user side, they only have to remember (and have securely saved in physical form) their mnemonic phrase. That restores their wallet and now their account logins. Then they need an unlock password for the web extension to sign the login messages. That's all: no more password managers with master passwords either, just your unlock password. There is not even a need to give different public keys to different sites, as you do with passwords on different sites. Your public keys are there to be shared; they don't unlock anything. It is your signature with your private key, which only you control, that unlocks things.

For the service provider it is also great, they only need to validate signatures, no need of figuring out how to store passwords safely or relying on Google/Facebook/etc third party authentication services.
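The off-chain login described above, as an added example (not code from this proposal or from Hive Keychain): the service issues a single-use challenge, the wallet signs it, and the backend verifies the signature, the domain, and freshness. The Ed25519 key pair generated with Node's `crypto` module stands in for a key derived from the wallet's authentication path; the message format, `service.example`, and all function names are assumptions.

```javascript
const crypto = require('crypto');

const DOMAIN = 'service.example';   // constructed service name
const TTL_MS = 60_000;              // challenge lifetime (assumption)
const pending = new Map();          // nonce -> expiry, server-side state
const accounts = new Map();         // account id -> registered public key

// Server: issue a fresh, single-use challenge.
function issueChallenge(now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, now + TTL_MS);
  return { domain: DOMAIN, nonce, expires: now + TTL_MS };
}

// Both sides: canonical bytes that get signed (hypothetical format).
function loginMessage({ domain, nonce, expires }) {
  return Buffer.from(`login|${domain}|${nonce}|${expires}`, 'utf8');
}

// Wallet: refuse to sign a challenge for a site other than the one displayed.
function walletSign(privateKey, challenge, visibleOrigin) {
  if (challenge.domain !== visibleOrigin) throw new Error('domain mismatch');
  return crypto.sign(null, loginMessage(challenge), privateKey);
}

// Server: check the nonce, domain and freshness, then the signature.
function verifyLogin(account, challenge, signature, now = Date.now()) {
  const publicKey = accounts.get(account);
  const expiry = pending.get(challenge.nonce);
  if (!publicKey || expiry === undefined) return false;
  pending.delete(challenge.nonce);            // single use, even on failure
  if (challenge.domain !== DOMAIN || challenge.expires !== expiry) return false;
  if (now > expiry) return false;
  return crypto.verify(null, loginMessage(challenge), publicKey, signature);
}

// Constructed demo: a valid login, a replay, and an expired challenge.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  accounts.set('alice', publicKey);
  const c = issueChallenge();
  const sig = walletSign(privateKey, c, DOMAIN);
  const first = verifyLogin('alice', c, sig);
  const replay = verifyLogin('alice', c, sig);    // same signature again
  const late = issueChallenge(0);                 // issued at t=0, long expired
  const expired = verifyLogin('alice', late, walletSign(privateKey, late, DOMAIN));
  return { first, replay, expired };
}

console.log(demo());
```

Because the same public key may be registered at several services, the signed message binds the service domain and a server-chosen nonce, so a signature captured at one site or replayed later is rejected.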

The target group would be anyone with an online wallet. That is too generic and the end goal. Currently it is the niche group of people and developers willing to incorporate this technology.

** What this project is not

This proposal addresses authentication. Off-chain authentication. It doesn't need the Cardano blockchain to work, it will only be cryptographically compatible with it. You don't need to submit a transaction to the blockchain for authentication. This approach has the advantage of no cost on each login you perform, and you can log in from any device, and as many times as you want, because you are just authorizing yourself to access the service.

From the feedback there was some confusion around identity. This project does not deal with identity and identity authentication.

What is the difference?

Identity and identity authentication is about a trusted entity giving you a passport; they assign you an identity. Then with your passport you go around showing it to people who verify that the passport has not been tampered with and that the picture on it matches your appearance. They then have authenticated your identity; they now know it is you.

This project is only authentication. It is the equivalent of you going to the hardware store, buying a bunch of locks and using them to secure your belongings. You own the keys, you are the owner. From the lock's perspective, because you have the correct key you are the owner.

Yes, there is a huge application for on-chain authentication, especially in spam prevention. If you have to authenticate with a transaction on chain, it is a negligible price for a user, but it quickly becomes expensive for a bot network. This is a better way to prevent abuse on services and avoid all those annoying captchas. That will be a project for a later time.

Same goes for identity. Here IOHK has the lead with the Decentralized Identifier (DID) in Atala Prism. Yet there is still room for merging authentication to identity. Most probably by signing DIDs with your keys. That is but a project for a later time.

** Feasibility (Skill required)

The biggest tailwind is that this is an existing solution that needs to be adapted to work over the Cardano ecosystem: the Hive Keychain wallet (https://github.com/stoodkev/hive-keychain). A straightforward fork won't do, because of Cardano's own way of serializing things, its key signing algorithms, and its hash functions. Yet having a model product helps a lot, especially since it is open source. There is a clear goal of what needs to be copied.

The second advantage is that all required cryptographic primitives for Cardano are already available in the form of libraries released by Emurgo.

The true challenge of this project is the architectural work of putting these components together into a usable interface, then abstracting it out again into a library that any wallet provider can incorporate, and finally writing a CIP for authentication that standardizes the process.

** Auditability & KPI

If you read attentively, you'll notice this project suffers from the two-sided market problem: creating supply and creating demand. It needs users to want to authenticate with their wallets and it needs service providers offering that authentication option. Although both sides benefit, neither is joining without the other. It is hard to judge success on adoption, at least early on. Thus my indicators are around the base infrastructure, and measure deliverables instead of adoption at this early stage of the project.

- Cardano Improvement Proposal (CIP) to standardize the authentication path.

- An MVP with the login feature released in great imitation of the Hive keychain wallet, as this project web extension.

- The message signing will be available as a library for other web wallets to incorporate this feature.

- A backend message verification reference implementation released for each application provider to use.

The project will be developed in the open with a public git repository. Because its libraries will be used by other wallet providers and also by services, it will be licensed under the BSD 3-Clause license, allowing everyone to incorporate this tool without worrying. It can be incorporated even in closed-source applications. That is important for adoption, as some application developers will not release their software source code yet they need to use this open-source library.

** Success Growth

- 3 Months: Authentication web extension is available for major browsers
- 6 Months: 5 Dapp services of the Cardano ecosystem, that need login, offer authentication method
- 12 Months: This authentication method is adopted into other web wallets.

** Timeline

Everyone has a plan until they get punched in the face – Mike Tyson.

I propose a 14-week action plan with dedicated focus on this web extension.

Most software development is unpredictable and has little to do with the task at hand. It always requires investigating and solving problems related to dependencies. It all takes an unpredictable amount of time. Despite that, this is the best realizable timeline.

- Weekend-01-04: Build signing procedures. Help documenting Emurgo's serialization lib.

- Weekend-05-08: Web extension MVP build.

- Weekend-09-12: Draft CIP. Isolate library for signing. Write tutorials.

- Weekend-13-14: Release extension into Mozilla add-ons and Google store. Outstanding bugfixes.

** Budget

600 USD Cloud Infrastructure 12 months. Includes Continuous Integration & build servers.

The rest of the budget is for work compensation at an average rate of 60 USD/hr, across the various tasks of software design and implementation, documentation writing, tutorial video recording & editing, project stewardship, and other communication. Development work is done by myself. Video editing will be hired.

** My experience

- Plutus pioneer first cohort, "Completed/Survived/Graduated". Awarded NFT 117 of class photo, Titan-C

- Second Place on the Plutus Pioneer Capstone Challenge on the Cardano Summit 2021 for the transaction editor

*** Contributions to cardano

- cardano.el :: <https://github.com/Titan-C/cardano.el>

This is the inspiration for this service

My pull request and issues to IOHK repos.

- <https://github.com/input-output-hk/cardano-node/pull/3082>

- <https://github.com/input-output-hk/Alonzo-testnet/issues/54>

That is part of parallel work done while developing the transaction editor.

*** Most successful Open-Source project

- Sphinx-Gallery :: <https://sphinx-gallery.github.io/stable/index.html>

Grew this project to become the standard documentation tool for Scientific Python projects.

This project is my hallmark of how dense example-based documentation fosters the use of a tool.

*** Other

Currently employed to develop for checkmk. <https://github.com/tribe29/checkmk>

Work ranging from tools to analyze monitoring data, to the user interface. Always with a direct dialog with customers.

I hold a Ph.D. in Theoretical Physics developing simulations for correlated electrons systems.

Everything summarizes into: I'm a tool builder. I build the tools I need to get the job done.
