Thread7 (OP)
Newbie
 Offline
Activity: 33
Merit: 0
|
 |
May 07, 2014, 05:30:17 PM |
|
I just learned of this new login authentication service that uses your Bitcoin wallet to login to various places. Instead of "Connect with Google" or "Connect with Facebook" instead you can "Connect with Bitcoin". http://www.coindesk.com/authentication-protocol-bitid-lets-users-connect-bitcoin/My gut reaction is that this is not a good idea. It creates another system that needs to access your private key. Why is that necessary when you aren't making a payment? For example, if I want to access my hotel room - instead of a key;swipe card;access code - BitID would allow you to use your bitcoin wallet. But this means the authentication mechanism needs to access my private key. Why do I want that happening when an access code or something would not put my wallet credentials at more risk? Thoughts? |
|
|
|
|
|
|
|
|
|
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
guybrushthreepwood
Legendary
Offline
Activity: 1232
Merit: 1195
|
|
May 07, 2014, 05:32:11 PM |
|
Yeah this doesn't sound too great of an idea. Would you have to type your bitcoin address in each time too? Not exactly easy to remember.
|
|
|
|
|
hazek
Legendary
Offline
Activity: 1078
Merit: 1002
|
|
May 07, 2014, 08:58:04 PM |
|
Yeah this doesn't sound too great of an idea. Would you have to type your bitcoin address in each time too? Not exactly easy to remember.
Please learn before speaking: https://www.youtube.com/watch?v=3eepEWTnRTcMan I wish Google would add a hardware wallet into Nexus 5 (or some other smartphone company). Can you imagine if every smartphone could be also used as a hardware secured authentication device/Bitcoin wallet? |
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
|
percocet
|
|
May 07, 2014, 11:57:07 PM |
|
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
|
|
|
|
|
franky1
Legendary
Offline
Activity: 4200
Merit: 4441
|
|
May 08, 2014, 12:08:47 AM |
|
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
+1 exactly. you can create a bitcoin address (pub and priv keypair) that you will never use for actual funds, but used just for 2factor access and other login pages imagine my username was linked with an address 1frankyBlatBlahBlah. i can then login by not only sing a privkey, which has risks the website will keep that to then use on other services(risky), BUT by SIGNING a message using my privkey and only sending the encrypted signature EG USERNAME [ franky1 ]
using your registered address to sign the MESSAGE and paste the signature below
MESSAGE [ franky1 wishes to log into this zone at 01:06AM on the 8th of May G0b3ldiG00p ]
Signature [ sflskdjflaskj;laskjf;aslkdfj;slkdjf;asdkhjgjdrttjfgdfsrgffdgsfgjfgsdff;asldkfj;sldlkf;a= ]
|
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
odolvlobo
Legendary
Offline
Activity: 4298
Merit: 3208
|
|
May 08, 2014, 01:09:50 AM |
|
It creates another system that needs to access your private key. But this means the authentication mechanism needs to access my private key.
Nobody has access to the private key except your wallet. I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish.
The point is that you don't have to set up another wallet and your don't have to type anything in. USERNAME [ franky1 ]
using your registered address to sign the MESSAGE and paste the signature below
MESSAGE [ franky1 wishes to log into this zone at 01:06AM on the 8th of May G0b3ldiG00p ]
Signature [ sflskdjflaskj;laskjf;aslkdfj;slkdjf;asdkhjgjdrttjfgdfsrgffdgsfgjfgsdff;asldkfj;sldlkf;a= ]
My guess is that that is exactly how it works. |
Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
|
|
|
|
p2pbucks
|
|
May 08, 2014, 01:22:37 AM |
|
BitID can bind to any electronic products ,for eg : telsa , smartphone , xbox ....
We need multisig to implement this
|
|
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
May 08, 2014, 01:33:52 AM |
|
Nobody has access to the private key except your wallet.
..Unless you wallet is running on a compromised general-purpose machine. Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds. |
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160 |
|
|
|
testconpastas2
|
|
May 08, 2014, 04:25:34 AM
Last edit: May 08, 2014, 06:17:51 AM by testconpastas2 |
|
..Unless you wallet is running on a compromised general-purpose machine.
Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.
If you are paranoid the only thing you must do is signing your message from a cold address. ( or trezor like device) And then login on your favourite site. |
|
|
|
|
erono
|
|
May 08, 2014, 04:28:07 AM |
|
we need more developers to integrate BitID like Mintpal, Cryptsy, and other exchanges.
|
|
|
|
jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
|
|
May 08, 2014, 04:46:27 AM |
|
Nobody has access to the private key except your wallet.
..Unless you wallet is running on a compromised general-purpose machine. Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds. If you are paranoid the only thing you must do is signing your message from a cold address. ( or trezor like device) And then login on your favourite site. you dont use the same wallet for cold storage (or even hot storage of funds) as the one you use for authentication....derp |
|
|
|
Bit_Happy
Legendary
Offline
Activity: 2100
Merit: 1040
A Great Time to Start Something!
|
|
May 08, 2014, 04:59:12 AM |
|
OpenID had a great buzz ~5 years ago, but never reached full mainstream usage (with the possible exception of Google products)
BitID sounds great, but will it be easy enough to use for most people?
|
|
|
|
franky1
Legendary
Offline
Activity: 4200
Merit: 4441
|
|
May 08, 2014, 05:22:26 AM |
|
OpenID had a great buzz ~5 years ago, but never reached full mainstream usage (with the possible exception of Google products)
BitID sounds great, but will it be easy enough to use for most people?
well my last post was just to inform that giving a privkey to a website is risky, even if un-used for funding, that website can keep the privkey and then invade other websites. (phishing tactic) the message signing is not risky as no privkey is handed over and each time you log in the random message you have to sign will be different, kind of like a 'captcha' and a address validation message all rolled into one. but whether its practical... well heres some flaws 1. average joe has no client app, and only uses blockchain.info or a webwallet. the webwallet needs signature verification.. but he cant sign a message until he gets into his wallet to play with the features inside the webwallet.. 2. requires a wallet app on average joes computer, meaning people dont just type in username and password, thy have to open their wallet client click a couple buttons to get to the 'sign message' feature and then type in the 'captcha' to sign it before pasting it back in. this can seem more secure, yet more complex than just receiving a email with a 6-8 digit code (email 2FA) maybe the solution is having options 1factor logon: username and password 2factor login: username and password + (email/google authenticator) 3factor login: username and password + (email/google authenticator) + address message signing where novices playing with under $50 can 'risk' 1 factor, and those with larger amounts can decide which level of security they want dependant on laziness, amount they wish to be secure, paranoia, etc |
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
hazek
Legendary
Offline
Activity: 1078
Merit: 1002
|
|
May 08, 2014, 06:02:18 AM |
|
BitID sounds great, but will it be easy enough to use for most people?
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality. This is how I imagine it'll work: - Bitcoin wallet apps will have a secondary address book for authentication addresses (these can be some of the same addresses they already use or completely new addresses) - when you sign up for an account you simple scan a QR code which will give you the option of creating a new authentication address or to pick an existing one - to login you scan a QR code and click confirm It couldn't be simpler, and every Bitcoin user could have this functionality already on their device due to simply being a Bitcoin user, no additional installation necessary. All we need is Bitcoin wallet app devs to implement this. |
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
|
testconpastas2
|
|
May 08, 2014, 06:05:57 AM |
|
Nobody has access to the private key except your wallet.
..Unless you wallet is running on a compromised general-purpose machine. Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds. If you are paranoid the only thing you must do is signing your message from a cold address. ( or trezor like device) And then login on your favourite site. you dont use the same wallet for cold storage (or even hot storage of funds) as the one you use for authentication....derp and where I said you had to use the same wallet or an address with funds  why dont have as much id/addresses as you need and use different ids for each site you need a different id. if all this addresses comes from a cold wallet. you can sign offline and login without compromise your private key. |
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
May 08, 2014, 06:08:06 AM |
|
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.
Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks? Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm. |
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160 |
|
|
hazek
Legendary
Offline
Activity: 1078
Merit: 1002
|
|
May 08, 2014, 06:17:05 AM |
|
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.
Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks? Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm. Because not every Bitcoin user has some pgp software installed, but all of them use a Bitcoin wallet already. |
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
|
testconpastas2
|
|
May 08, 2014, 06:24:31 AM |
|
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.
Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks? Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm. Because not every Bitcoin user has some pgp software installed, but all of them use a Bitcoin wallet already. +1 and its much much easier to generate/use/mantain a new address/id than a gpg id. you can have ONE HD wallet (offline if you dont trust on you pc) only for ids, and can sign on every site you ever use ( only one pass, only one backup., lots of ids) |
|
|
|
RawDog
Legendary
Offline
Activity: 1596
Merit: 1026
|
|
May 08, 2014, 02:21:55 PM |
|
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
The thing you are missing is that these posters are a dumb as fuck. They can't think past their tits. You might as well try to explain this to your pet pig. They aren't going to get it - ever. |
|
|
|
|
xDan
|
|
May 08, 2014, 02:57:45 PM |
|
This is a freaking great idea, I see Killer App here.
Everybody needs to securely store their Bitcoins - offline wallets etc. using this extreme security for logins? Brilliant.
|
HODLing for the longest time. Skippin fast right around the moon. On a rocketship straight to mars.
Up, up and away with my beautiful, my beautiful Bitcoin~
|
|
|
|
