Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: glub0x on January 24, 2013, 12:51:35 PM



Title: Bitcoin address login system
Post by: glub0x on January 24, 2013, 12:51:35 PM
Is there any project you know using bitcoin as a login system?
I never liked the login/password system as we keep saying "do not reuse your password twice" but then most of the ppl just keep doing it because you can't possibly have 20 accounts and remember 20 different passwords... And you can never be sure that your password is well stored among other problems...
The only thing that looks like a solution for me actually is the "login with facebook" btn that you see sometimes. But still doesn't make me very happy.


So couldn't we use the bitcoin system? It would be much better to just always sign the same address to prove you own it to log on? Or send a satoshi from a particular address that the website sends you back. If you keep using the same address and with a well enough designed system you could have a history of all your logins (and track thieves). You would have no password to remember, eventually just your private key to avoid storing it on your computer...

Am I dreaming or reinventing the wheel?


Title: Re: Bitcoin address login system
Post by: RaTTuS on January 24, 2013, 12:57:41 PM
see https://lastpass.com/


Title: Re: Bitcoin address login system
Post by: flipperfish on January 24, 2013, 01:11:19 PM
> see https://lastpass.com/

Lastpass allows authentication by bitcoin-address?


Title: Re: Bitcoin address login system
Post by: TTBit on January 24, 2013, 01:30:28 PM

An idea I had for authentication is to provide a bitcoin address you own when signing up. To change your PW, you must send 20 BTC (or whatever threshold) to that address over the next hour. This would allow anyone access to your accounts, but at a price. Just set your own threshold when setting up the account.


Title: Re: Bitcoin address login system
Post by: RaTTuS on January 24, 2013, 01:54:08 PM
> > see https://lastpass.com/
>
> Lastpass allows authentication by bitcoin-address?

no but will give you a different password for each login


Title: Re: Bitcoin address login system
Post by: glub0x on January 24, 2013, 03:16:00 PM
might be another solution I should try but I never felt very happy with it too.
If loads of people use those kinds of solutions, they'll get phished, give their main pass and then it is the apocalypse...
Also, I don't trust lastpass.com.
Trustless systems look very important to me.


Title: Re: Bitcoin address login system
Post by: Sukrim on January 24, 2013, 03:32:04 PM

> An idea I had for authentication is to provide a bitcoin address you own when signing up. To change your PW, you must send 20 BTC (or whatever threshold) to that address over the next hour. This would allow anyone access to your accounts, but at a price. Just set your own threshold when setting up the account.

So if I have few BTC to begin with (say 1 BTC) but value my account at 100 BTC, I have to buy 99 BTC just to change my PW?!

Suggestion:
Username = Bitcoin Address (or firstbits of an address)
To login, sign a statement provided by the website (e.g. "Login to service.com at timestamp 12345 from IP 123.123.123.123") with that address' private key and paste the signed statement in the password field.


Title: Re: Bitcoin address login system
Post by: TTBit on January 24, 2013, 03:40:02 PM

> So if I have few BTC to begin with (say 1 BTC) but value my account at 100 BTC, I have to buy 99 BTC just to change my PW?!
>
> Suggestion:
> Username = Bitcoin Address (or firstbits of an address)
> To login, sign a statement provided by the website (e.g. "Login to service.com at timestamp 12345 from IP 123.123.123.123") with that address' private key and paste the signed statement in the password field.

I was thinking for PW recovery. You can send the same 1 BTC to the address 100 times to satisfy the requirement. I'm not claiming it is very practical at the moment.


Title: Re: Bitcoin address login system
Post by: arsenische on January 24, 2013, 03:44:12 PM
Update: oops, sorry, didn't notice the previous message of Sukrim that had the same idea, struck out to prevent duplication.

I thought about the following mechanism:

1. You enter your <bitcoin address> as login.
2. Website shows a message "I'm the owner of <bitcoin address>, want to login to <site url>. <timestamp>".
3. You sign this message with the private key that corresponds to <bitcoin address>.
4. Website checks your signature and lets you in.

Probably all those steps could be automated. You just click the link on the site, your bitcoin client asks you to select the address which you want to use for authorization, you do so and you are logged in (if you use an encrypted wallet, you would need to unlock it with your passphrase).


Title: Re: Bitcoin address login system
Post by: kjj on January 24, 2013, 04:18:10 PM
The gribble IRC bot uses secure bitcoin authentication.  When you register, you provide a bitcoin address.  When you want to authenticate, the bot generates a random cookie and you have to sign it using the key associated with the registration address.  You send back the signature, and it makes sure that it was signed with the right key.

It is the most secure system that I can think of.


Title: Re: Bitcoin address login system
Post by: glub0x on January 24, 2013, 04:27:54 PM
> The gribble IRC bot uses secure bitcoin authentication.  When you register, you provide a bitcoin address.  When you want to authenticate, the bot generates a random cookie and you have to sign it using the key associated with the registration address.  You send back the signature, and it makes sure that it was signed with the right key.
>
> It is the most secure system that I can think of.

Looks nice, I'll try :p this kind of authentication should be linked to a smartphone so it can be fast/handy/doable everywhere.


Title: Re: Bitcoin address login system
Post by: theymos on January 24, 2013, 04:28:45 PM
Browsers can already do this sort of thing with TLS client authentication (though this system could be improved). Using Bitcoin for authentication is an unnecessary extra layer of complexity.


Title: Re: Bitcoin address login system
Post by: kjj on January 24, 2013, 05:30:27 PM
> > The gribble IRC bot uses secure bitcoin authentication.  When you register, you provide a bitcoin address.  When you want to authenticate, the bot generates a random cookie and you have to sign it using the key associated with the registration address.  You send back the signature, and it makes sure that it was signed with the right key.
> >
> > It is the most secure system that I can think of.
>
> Looks nice, I'll try :p this kind of authentication should be linked to a smartphone so it can be fast/handy/doable everywhere.

The tricky part is passing the cookies back and forth.  The challenge cookie and the signature string both need to be somewhat long, longer than you'd want to type.

For a smart phone, you'd need some form of communication other than keyboards.  You could do it with QR codes, or NFC or something.  But I'm not aware of any systems commonly in place that could handle it.


Title: Re: Bitcoin address login system
Post by: Elwar on January 24, 2013, 06:47:02 PM
I started working on a system where your login is tied to a Bitcoin address for verification.

You provide an empty address and you are not authenticated until there are BTC in the address.

It still requires a login and password. I could not figure out a good way to use BTC for that.


Title: Re: Bitcoin address login system
Post by: MPOE-PR on January 24, 2013, 09:43:29 PM
> The gribble IRC bot uses secure bitcoin authentication.  When you register, you provide a bitcoin address.  When you want to authenticate, the bot generates a random cookie and you have to sign it using the key associated with the registration address.  You send back the signature, and it makes sure that it was signed with the right key.
>
> It is the most secure system that I can think of.

Pretty much.


Title: Re: Bitcoin address login system
Post by: franky1 on January 24, 2013, 10:11:58 PM
my solution to 20 different random passwords is easy

have a random character word you can remember and then somewhere in the word you also put in something else, e.g. the website's address

eg:
1h9f6e0 49d8ve7 becomes 1h9f6e0bitcointalk49d8ve7
or
193yzso37dsw becomes 1B9I3TyCzOdIoN3T7AdLsKw

by the way my password looks nothing like this, it's just an idea to have something that is not in the dictionary.

you can even make a VB.net webbrowser that reads the web address and auto spells your password for you to just copy and paste into it, thus avoiding google chrome addons and internet explorer extensions from listening into the webpage data transmissions, and bypassing keyloggers if you simply copy and paste.
if you're smart enough you can even use the document.element code to directly put the passphrase into the webpage login box without the need of your passphrase going into the 'clipboard' which avoids any smart keyloggers which might also copy every text you copy and paste.

there are many ways to secure yourself and the best security is personal security, not relying on third party design or service to secure your system for you.

because if everyone started using the same security service hackers would direct their interest at that single service. but an individual style of security where no two people use the same method, will make hackers' lives even harder.