Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Thread7 on May 07, 2014, 05:30:17 PM



Title: The new BitID Authentication System
Post by: Thread7 on May 07, 2014, 05:30:17 PM
I just learned of this new login authentication service that uses your Bitcoin wallet to login to various places.  Instead of "Connect with Google" or "Connect with Facebook" instead you can "Connect with Bitcoin". 

http://www.coindesk.com/authentication-protocol-bitid-lets-users-connect-bitcoin/

My gut reaction is that this is not a good idea.  It creates another system that needs to access your private key.  Why is that necessary when you aren't making a payment?  For example, if I want to access my hotel room - instead of a key;swipe card;access code - BitID would allow you to use your bitcoin wallet.   But this means the authentication mechanism needs to access my private key.  Why do I want that happening when an access code or something would not put my wallet credentials at more risk?

Thoughts?


Title: Re: The new BitID Authentication System
Post by: guybrushthreepwood on May 07, 2014, 05:32:11 PM
Yeah this doesn't sound too great of an idea. Would you have to type your bitcoin address in each time too? Not exactly easy to remember.


Title: Re: The new BitID Authentication System
Post by: hazek on May 07, 2014, 08:58:04 PM
Yeah this doesn't sound too great of an idea. Would you have to type your bitcoin address in each time too? Not exactly easy to remember.

Please learn before speaking: https://www.youtube.com/watch?v=3eepEWTnRTc

Man I wish Google would add a hardware wallet into Nexus 5 (or some other smartphone company). Can you imagine if every smartphone could be also used as a hardware secured authentication device/Bitcoin wallet?


Title: Re: The new BitID Authentication System
Post by: percocet on May 07, 2014, 11:57:07 PM
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.


Title: Re: The new BitID Authentication System
Post by: franky1 on May 08, 2014, 12:08:47 AM
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
+1

exactly. you can create a bitcoin address (pub and priv keypair) that you will never use for actual funds, but used just for 2factor access and other login pages

imagine my username was linked with an address 1frankyBlatBlahBlah. i can then login by not only using a privkey, which has risks the website will keep that to then use on other services(risky), BUT by SIGNING a message using my privkey and only sending the encrypted signature

EG
Code:
USERNAME [ franky1 ]
using your registered address to sign the MESSAGE and paste the signature below
MESSAGE [ franky1 wishes to log into this zone at 01:06AM on the 8th of May G0b3ldiG00p ]
Signature [ sflskdjflaskj;laskjf;aslkdfj;slkdjf;asdkhjgjdrttjfgdfsrgffdgsfgjfgsdff;asldkfj;sldlkf;a= ]


Title: Re: The new BitID Authentication System
Post by: odolvlobo on May 08, 2014, 01:09:50 AM
It creates another system that needs to access your private key. But this means the authentication mechanism needs to access my private key. 

Nobody has access to the private key except your wallet.

I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish.

The point is that you don't have to set up another wallet and you don't have to type anything in.

Code:
USERNAME [ franky1 ]
using your registered address to sign the MESSAGE and paste the signature below
MESSAGE [ franky1 wishes to log into this zone at 01:06AM on the 8th of May G0b3ldiG00p ]
Signature [ sflskdjflaskj;laskjf;aslkdfj;slkdjf;asdkhjgjdrttjfgdfsrgffdgsfgjfgsdff;asldkfj;sldlkf;a= ]

My guess is that that is exactly how it works.


Title: Re: The new BitID Authentication System
Post by: p2pbucks on May 08, 2014, 01:22:37 AM
BitID can bind to any electronic products, for eg: Tesla, smartphone, xbox ....
We need multisig to implement this 


Title: Re: The new BitID Authentication System
Post by: phillipsjk on May 08, 2014, 01:33:52 AM

Nobody has access to the private key except your wallet.


..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.


Title: Re: The new BitID Authentication System
Post by: testconpastas2 on May 08, 2014, 04:25:34 AM


..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.

If you are paranoid the only thing you must do is sign your message from a cold address (or Trezor-like device).

And then login on your favourite site.



Title: Re: The new BitID Authentication System
Post by: erono on May 08, 2014, 04:28:07 AM
we need more developers to integrate BitID like Mintpal, Cryptsy, and other exchanges.


Title: Re: The new BitID Authentication System
Post by: jonald_fyookball on May 08, 2014, 04:46:27 AM

Nobody has access to the private key except your wallet.


..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.

If you are paranoid the only thing you must do is sign your message from a cold address (or Trezor-like device).

And then login on your favourite site.



you don't use the same wallet for cold storage (or even hot storage of funds) as the one you use for authentication....derp


Title: Re: The new BitID Authentication System
Post by: Bit_Happy on May 08, 2014, 04:59:12 AM
OpenID had a great buzz ~5 years ago, but never reached full mainstream usage (with the possible exception of Google products)
BitID sounds great, but will it be easy enough to use for most people?


Title: Re: The new BitID Authentication System
Post by: franky1 on May 08, 2014, 05:22:26 AM
OpenID had a great buzz ~5 years ago, but never reached full mainstream usage (with the possible exception of Google products)
BitID sounds great, but will it be easy enough to use for most people?

well my last post was just to inform that giving a privkey to a website is risky, even if un-used for funding, that website can keep the privkey and then invade other websites. (phishing tactic)

the message signing is not risky as no privkey is handed over and each time you log in the random message you have to sign will be different, kind of like a 'captcha' and an address validation message all rolled into one.

but whether it's practical... well here's some flaws
1. average joe has no client app, and only uses blockchain.info or a webwallet. the webwallet needs signature verification.. but he can't sign a message until he gets into his wallet to play with the features inside the webwallet..
2. requires a wallet app on average joe's computer, meaning people don't just type in username and password, they have to open their wallet client click a couple buttons to get to the 'sign message' feature and then type in the 'captcha' to sign it before pasting it back in. this can seem more secure, yet more complex than just receiving an email with a 6-8 digit code (email 2FA)

maybe the solution is having options
1factor logon: username and password
2factor login: username and password + (email/google authenticator)
3factor login: username and password + (email/google authenticator) + address message signing

where novices playing with under $50 can 'risk' 1 factor, and those with larger amounts can decide which level of security they want dependent on laziness, amount they wish to be secure, paranoia, etc


Title: Re: The new BitID Authentication System
Post by: hazek on May 08, 2014, 06:02:18 AM
BitID sounds great, but will it be easy enough to use for most people?

It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

This is how I imagine it'll work:

- Bitcoin wallet apps will have a secondary address book for authentication addresses (these can be some of the same addresses they already use or completely new addresses)
- when you sign up for an account you simply scan a QR code which will give you the option of creating a new authentication address or to pick an existing one
- to login you scan a QR code and click confirm

It couldn't be simpler, and every Bitcoin user could have this functionality already on their device due to simply being a Bitcoin user, no additional installation necessary. All we need is Bitcoin wallet app devs to implement this.


Title: Re: The new BitID Authentication System
Post by: testconpastas2 on May 08, 2014, 06:05:57 AM

Nobody has access to the private key except your wallet.


..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.

If you are paranoid the only thing you must do is sign your message from a cold address (or Trezor-like device).

And then login on your favourite site.



you don't use the same wallet for cold storage (or even hot storage of funds) as the one you use for authentication....derp

and where did I say you had to use the same wallet or an address with funds ???

why not have as many ids/addresses as you need and use a different id for each site where you need a different id.

if all these addresses come from a cold wallet, you can sign offline and log in without compromising your private key.



Title: Re: The new BitID Authentication System
Post by: phillipsjk on May 08, 2014, 06:08:06 AM
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks?

Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.


Title: Re: The new BitID Authentication System
Post by: hazek on May 08, 2014, 06:17:05 AM
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks?

Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.

Because not every Bitcoin user has some pgp software installed, but all of them use a Bitcoin wallet already.


Title: Re: The new BitID Authentication System
Post by: testconpastas2 on May 08, 2014, 06:24:31 AM
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks?

Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.

Because not every Bitcoin user has some pgp software installed, but all of them use a Bitcoin wallet already.

+1

and it's much much easier to generate/use/maintain a new address/id than a gpg id.

you can have ONE HD wallet (offline if you don't trust your pc) only for ids, and can sign on every site you ever use (only one pass, only one backup, lots of ids)


Title: Re: The new BitID Authentication System
Post by: RawDog on May 08, 2014, 02:21:55 PM
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
The thing you are missing is that these posters are as dumb as fuck. They can't think past their tits. You might as well try to explain this to your pet pig. They aren't going to get it - ever.


Title: Re: The new BitID Authentication System
Post by: xDan on May 08, 2014, 02:57:45 PM
This is a freaking great idea, I see Killer App here.

Everybody needs to securely store their Bitcoins - offline wallets etc. using this extreme security for logins? Brilliant.


Title: Re: The new BitID Authentication System
Post by: CrazyBit on May 08, 2014, 10:19:14 PM
I personally am a security freak when it comes to my wallet. Anything like this will somewhat compromise that safety net that I like to have. After all, that's the main reason a lot of us use BitCoin.


Title: Re: The new BitID Authentication System
Post by: jonald_fyookball on May 09, 2014, 02:01:09 AM
So use a different wallet.


Title: Re: The new BitID Authentication System
Post by: BitOnyx on May 09, 2014, 01:48:17 PM
There are already similar systems. It is hard to say for sure whether it is better at this stage.

Maybe I'm going to check it in future, but for now I would like to get more opinions of other people about it.

Also who are the providers?