Thread7 (OP)
Newbie
Offline
Activity: 33
Merit: 0
|
|
May 07, 2014, 05:30:17 PM |
|
I just learned of this new login authentication service that uses your Bitcoin wallet to login to various places. Instead of "Connect with Google" or "Connect with Facebook" instead you can "Connect with Bitcoin".
http://www.coindesk.com/authentication-protocol-bitid-lets-users-connect-bitcoin/
My gut reaction is that this is not a good idea. It creates another system that needs to access your private key. Why is that necessary when you aren't making a payment? For example, if I want to access my hotel room - instead of a key; swipe card; access code - BitID would allow you to use your bitcoin wallet. But this means the authentication mechanism needs to access my private key. Why do I want that happening when an access code or something would not put my wallet credentials at more risk? Thoughts?
|
|
|
|
guybrushthreepwood
Legendary
Offline
Activity: 1232
Merit: 1195
|
|
May 07, 2014, 05:32:11 PM |
|
Yeah this doesn't sound too great of an idea. Would you have to type your bitcoin address in each time too? Not exactly easy to remember.
|
|
|
|
hazek
Legendary
Offline
Activity: 1078
Merit: 1003
|
|
May 07, 2014, 08:58:04 PM |
|
Yeah this doesn't sound too great of an idea. Would you have to type your bitcoin address in each time too? Not exactly easy to remember.
Please learn before speaking: https://www.youtube.com/watch?v=3eepEWTnRTc
Man I wish Google would add a hardware wallet into Nexus 5 (or some other smartphone company). Can you imagine if every smartphone could be also used as a hardware secured authentication device/Bitcoin wallet?
|
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
percocet
|
|
May 07, 2014, 11:57:07 PM |
|
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
|
|
|
|
franky1
Legendary
Offline
Activity: 4396
Merit: 4761
|
|
May 08, 2014, 12:08:47 AM |
|
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
+1 exactly. you can create a bitcoin address (pub and priv keypair) that you will never use for actual funds, but used just for 2factor access and other login pages
imagine my username was linked with an address 1frankyBlatBlahBlah. i can then login by not only using a privkey, which has risks the website will keep that to then use on other services(risky), BUT by SIGNING a message using my privkey and only sending the encrypted signature
EG
USERNAME [ franky1 ]
using your registered address to sign the MESSAGE and paste the signature below
MESSAGE [ franky1 wishes to log into this zone at 01:06AM on the 8th of May G0b3ldiG00p ]
Signature [ sflskdjflaskj;laskjf;aslkdfj;slkdjf;asdkhjgjdrttjfgdfsrgffdgsfgjfgsdff;asldkfj;sldlkf;a= ]
|
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER. Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
odolvlobo
Legendary
Offline
Activity: 4494
Merit: 3408
|
|
May 08, 2014, 01:09:50 AM |
|
It creates another system that needs to access your private key. But this means the authentication mechanism needs to access my private key.
Nobody has access to the private key except your wallet.
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish.
The point is that you don't have to set up another wallet and you don't have to type anything in.
USERNAME [ franky1 ]
using your registered address to sign the MESSAGE and paste the signature below
MESSAGE [ franky1 wishes to log into this zone at 01:06AM on the 8th of May G0b3ldiG00p ]
Signature [ sflskdjflaskj;laskjf;aslkdfj;slkdjf;asdkhjgjdrttjfgdfsrgffdgsfgjfgsdff;asldkfj;sldlkf;a= ]
My guess is that that is exactly how it works.
|
Join an anti-signature campaign: Click ignore on the members of signature campaigns. PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
|
|
|
p2pbucks
|
|
May 08, 2014, 01:22:37 AM |
|
BitID can bind to any electronic products, for e.g.: Tesla, smartphone, Xbox .... We need multisig to implement this
|
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
May 08, 2014, 01:33:52 AM |
|
Nobody has access to the private key except your wallet.
..Unless your wallet is running on a compromised general-purpose machine. Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.
|
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
|
|
|
testconpastas2
|
|
May 08, 2014, 04:25:34 AM Last edit: May 08, 2014, 06:17:51 AM by testconpastas2 |
|
..Unless your wallet is running on a compromised general-purpose machine.
Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.
If you are paranoid the only thing you must do is sign your message from a cold address (or Trezor-like device). And then log in on your favourite site.
|
|
|
|
erono
|
|
May 08, 2014, 04:28:07 AM |
|
we need more developers to integrate BitID like Mintpal, Cryptsy, and other exchanges.
|
|
|
|
jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
|
|
May 08, 2014, 04:46:27 AM |
|
Nobody has access to the private key except your wallet.
..Unless your wallet is running on a compromised general-purpose machine. Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.
If you are paranoid the only thing you must do is sign your message from a cold address (or Trezor-like device). And then log in on your favourite site.
you don't use the same wallet for cold storage (or even hot storage of funds) as the one you use for authentication....derp
|
|
|
|
Bit_Happy
Legendary
Offline
Activity: 2114
Merit: 1040
A Great Time to Start Something!
|
|
May 08, 2014, 04:59:12 AM |
|
OpenID had a great buzz ~5 years ago, but never reached full mainstream usage (with the possible exception of Google products).
BitID sounds great, but will it be easy enough to use for most people?
|
|
|
|
franky1
Legendary
Offline
Activity: 4396
Merit: 4761
|
|
May 08, 2014, 05:22:26 AM |
|
OpenID had a great buzz ~5 years ago, but never reached full mainstream usage (with the possible exception of Google products). BitID sounds great, but will it be easy enough to use for most people?
well my last post was just to inform that giving a privkey to a website is risky, even if un-used for funding, that website can keep the privkey and then invade other websites. (phishing tactic)
the message signing is not risky as no privkey is handed over and each time you log in the random message you have to sign will be different, kind of like a 'captcha' and an address validation message all rolled into one.
but whether it's practical... well here's some flaws
1. average joe has no client app, and only uses blockchain.info or a webwallet. the webwallet needs signature verification.. but he can't sign a message until he gets into his wallet to play with the features inside the webwallet..
2. requires a wallet app on average joe's computer, meaning people don't just type in username and password, they have to open their wallet client click a couple buttons to get to the 'sign message' feature and then type in the 'captcha' to sign it before pasting it back in.
this can seem more secure, yet more complex than just receiving an email with a 6-8 digit code (email 2FA)
maybe the solution is having options
1factor logon: username and password
2factor login: username and password + (email/google authenticator)
3factor login: username and password + (email/google authenticator) + address message signing
where novices playing with under $50 can 'risk' 1 factor, and those with larger amounts can decide which level of security they want dependent on laziness, amount they wish to be secure, paranoia, etc
|
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER. Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
hazek
Legendary
Offline
Activity: 1078
Merit: 1003
|
|
May 08, 2014, 06:02:18 AM |
|
BitID sounds great, but will it be easy enough to use for most people?
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality. This is how I imagine it'll work:
- Bitcoin wallet apps will have a secondary address book for authentication addresses (these can be some of the same addresses they already use or completely new addresses)
- when you sign up for an account you simply scan a QR code which will give you the option of creating a new authentication address or to pick an existing one
- to log in you scan a QR code and click confirm
It couldn't be simpler, and every Bitcoin user could have this functionality already on their device due to simply being a Bitcoin user, no additional installation necessary. All we need is Bitcoin wallet app devs to implement this.
|
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
testconpastas2
|
|
May 08, 2014, 06:05:57 AM |
|
Nobody has access to the private key except your wallet.
..Unless your wallet is running on a compromised general-purpose machine. Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.
If you are paranoid the only thing you must do is sign your message from a cold address (or Trezor-like device). And then log in on your favourite site.
you don't use the same wallet for cold storage (or even hot storage of funds) as the one you use for authentication....derp
and where did I say you had to use the same wallet or an address with funds? why not have as many ids/addresses as you need and use different ids for each site where you need a different id. if all these addresses come from a cold wallet, you can sign offline and log in without compromising your private key.
|
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
May 08, 2014, 06:08:06 AM |
|
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.
Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks? Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.
|
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
|
|
|
hazek
Legendary
Offline
Activity: 1078
Merit: 1003
|
|
May 08, 2014, 06:17:05 AM |
|
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.
Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks? Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.
Because not every Bitcoin user has some pgp software installed, but all of them use a Bitcoin wallet already.
|
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
testconpastas2
|
|
May 08, 2014, 06:24:31 AM |
|
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.
Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks? Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.
Because not every Bitcoin user has some pgp software installed, but all of them use a Bitcoin wallet already.
+1 and it's much much easier to generate/use/maintain a new address/id than a gpg id. you can have ONE HD wallet (offline if you don't trust your pc) only for ids, and can sign on every site you ever use (only one pass, only one backup, lots of ids)
|
|
|
|
RawDog
Legendary
Offline
Activity: 1596
Merit: 1026
|
|
May 08, 2014, 02:21:55 PM |
|
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
The thing you are missing is that these posters are as dumb as fuck. They can't think past their tits. You might as well try to explain this to your pet pig. They aren't going to get it - ever.
|
|
|
|
xDan
|
|
May 08, 2014, 02:57:45 PM |
|
This is a freaking great idea, I see Killer App here.
Everybody needs to securely store their Bitcoins - offline wallets etc. using this extreme security for logins? Brilliant.
|
HODLing for the longest time. Skippin fast right around the moon. On a rocketship straight to mars. Up, up and away with my beautiful, my beautiful Bitcoin~
|
|
|
|