[REQ] Passwordless Login - As A Secondary Option

[cakir]

Hi, I want to propose something to new forum software.
We can add bitcoin addresses to our profiles etc. Beside standart username - password combination to log in; I propose this as a secondary login option:
When we want to log in our accounts;
Forum Software provides us a random string and we provide a signature with this message and our saved bitcoin address then forum software controls this signature if it's valid then we log into our accounts without username & password.

Possible problems on sold accounts (old owner can still log in):
X user sells M account to Y.
There'll be a panel for sold accounts & forum'll provide a random string on this panel.
User Y gives a new bitcoin address to user X; user X signs that message with the given btc address. And forum software changes user M's bitcoin address to one given by Y. That provides user Y to control over account besides classical login method.

Also this kinda login & registration methods can be used on fully anonymous boards etc.

[ColderThanIce]

This sounds very similar to how #bitcoin-otc authentication works, but bitcoin-otc also supports PGP signing as well as bitcoin signing. I'd be supportive of this idea, however the one issue I'm able to think of possibly arising would be that if someone's bitcoin private key was stolen, then they could potentially lose access to their account, and would have no way to truly prove that they're the account owner, since there could be someone else signing messages with their private key as well.

[Muhammed Zakir]

This is already in the to-do list.

-snip-

Fancy Authentication

In addition to normal password authentication, the forum should support various kinds of of alternative authentication. At least password auth, email verification, secret questions, OpenID, PGP, OpenVPN (automatic creation of subnets + IP source verification), and Bitcoin address signing should be supported, with multiple allowable credentials for each auth type. Users should have the option of requiring any combination of these auth types. Like "pgp OR (password AND OpenID)". And users should be able to require that changes to some or all auth types as well as the required combination of types not take effect for some configurable number of days. This allows for different types of recovery methods.

Link to that DOC is in theymos' post -- https://bitcointalk.org/index.php?topic=523070.0.

[Blazed]

This sounds very similar to how #bitcoin-otc authentication works, but bitcoin-otc also supports PGP signing as well as bitcoin signing. I'd be supportive of this idea, however the one issue I'm able to think of possibly arising would be that if someone's bitcoin private key was stolen, then they could potentially lose access to their account, and would have no way to truly prove that they're the account owner, since there could be someone else signing messages with their private key as well.

Well #Bitcoin-OTC allows you to use both Bitcoin and PGP signed auth. If you loose one you at least have the other to get your account back.

[bimasena25]

greats idea,
this is usefully make easy member to dialogue at forum, my bro

[Muhammed Zakir]

This is 2 factor authentication right? which has already been confirmed that its going to be included using bitcoin address to sign with. not sure about PGP yet but I would think so

PGP is there. https://docs.google.com/document/d/1bHlm4NQkSzaBTT5tLIqQBmV92wSsbdOX5r-dRR9Dgg0/