Bitcoin Forum
Author Topic: The new BitID Authentication System  (Read 1450 times)
Thread7 (OP)
Newbie
May 07, 2014, 05:30:17 PM
 #1

I just learned of this new login authentication service that uses your Bitcoin wallet to login to various places. Instead of "Connect with Google" or "Connect with Facebook" you can "Connect with Bitcoin".

http://www.coindesk.com/authentication-protocol-bitid-lets-users-connect-bitcoin/

My gut reaction is that this is not a good idea.  It creates another system that needs to access your private key.  Why is that necessary when you aren't making a payment?  For example, if I want to access my hotel room - instead of a key;swipe card;access code - BitID would allow you to use your bitcoin wallet.   But this means the authentication mechanism needs to access my private key.  Why do I want that happening when an access code or something would not put my wallet credentials at more risk?

Thoughts?
guybrushthreepwood
Legendary
May 07, 2014, 05:32:11 PM
 #2

Yeah this doesn't sound too great of an idea. Would you have to type your bitcoin address in each time too? Not exactly easy to remember.
hazek
Legendary
May 07, 2014, 08:58:04 PM
 #3

Yeah this doesn't sound too great of an idea. Would you have to type your bitcoin address in each time too? Not exactly easy to remember.

Please learn before speaking: https://www.youtube.com/watch?v=3eepEWTnRTc

Man I wish Google would add a hardware wallet into Nexus 5 (or some other smartphone company). Can you imagine if every smartphone could be also used as a hardware secured authentication device/Bitcoin wallet?

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
percocet
Full Member
May 07, 2014, 11:57:07 PM
 #4

I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
franky1
Legendary
May 08, 2014, 12:08:47 AM
 #5

I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
+1

exactly. you can create a bitcoin address (pub and priv keypair) that you will never use for actual funds, but used just for 2factor access and other login pages

imagine my username was linked with an address 1frankyBlatBlahBlah. i can then login by not only using a privkey, which has risks the website will keep that to then use on other services(risky), BUT by SIGNING a message using my privkey and only sending the encrypted signature

EG
Code:
USERNAME [ franky1 ]
using your registered address to sign the MESSAGE and paste the signature below
MESSAGE [ franky1 wishes to log into this zone at 01:06AM on the 8th of May G0b3ldiG00p ]
Signature [ sflskdjflaskj;laskjf;aslkdfj;slkdjf;asdkhjgjdrttjfgdfsrgffdgsfgjfgsdff;asldkfj;sldlkf;a= ]

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
odolvlobo
Legendary
May 08, 2014, 01:09:50 AM
 #6

It creates another system that needs to access your private key. But this means the authentication mechanism needs to access my private key. 

Nobody has access to the private key except your wallet.

I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish.

The point is that you don't have to set up another wallet and you don't have to type anything in.

Code:
USERNAME [ franky1 ]
using your registered address to sign the MESSAGE and paste the signature below
MESSAGE [ franky1 wishes to log into this zone at 01:06AM on the 8th of May G0b3ldiG00p ]
Signature [ sflskdjflaskj;laskjf;aslkdfj;slkdjf;asdkhjgjdrttjfgdfsrgffdgsfgjfgsdff;asldkfj;sldlkf;a= ]

My guess is that that is exactly how it works.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
p2pbucks
Hero Member
May 08, 2014, 01:22:37 AM
 #7

BitID can bind to any electronic products, for eg: Tesla, smartphone, xbox ....
We need multisig to implement this 
phillipsjk
Legendary
May 08, 2014, 01:33:52 AM
 #8


Nobody has access to the private key except your wallet.


..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
testconpastas2
Full Member
May 08, 2014, 04:25:34 AM
Last edit: May 08, 2014, 06:17:51 AM by testconpastas2
 #9



..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.

If you are paranoid the only thing you must do is sign your message from a cold address. ( or trezor like device)

And then login on your favourite site.


Bitmessage: BM-2DAetLWJBKWHZoPbNCgg5z8jwaPpDYWwd4
gpg key id:C6EF5CE3
erono
Sr. Member
May 08, 2014, 04:28:07 AM
 #10

we need more developers to integrate BitID like Mintpal, Cryptsy, and other exchanges.

jonald_fyookball
Legendary
May 08, 2014, 04:46:27 AM
 #11


Nobody has access to the private key except your wallet.


..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.

If you are paranoid the only thing you must do is sign your message from a cold address. ( or trezor like device)

And then login on your favourite site.



you dont use the same wallet for cold storage (or even hot storage of funds) as the one you use for authentication....derp

Bit_Happy
Legendary
May 08, 2014, 04:59:12 AM
 #12

OpenID had a great buzz ~5 years ago, but never reached full mainstream usage (with the possible exception of Google products)
BitID sounds great, but will it be easy enough to use for most people?

franky1
Legendary
May 08, 2014, 05:22:26 AM
 #13

OpenID had a great buzz ~5 years ago, but never reached full mainstream usage (with the possible exception of Google products)
BitID sounds great, but will it be easy enough to use for most people?

well my last post was just to inform that giving a privkey to a website is risky, even if un-used for funding, that website can keep the privkey and then invade other websites. (phishing tactic)

the message signing is not risky as no privkey is handed over and each time you log in the random message you have to sign will be different, kind of like a 'captcha' and a address validation message all rolled into one.

but whether its practical... well heres some flaws
1. average joe has no client app, and only uses blockchain.info or a webwallet. the webwallet needs signature verification.. but he cant sign a message until he gets into his wallet to play with the features inside the webwallet..
2. requires a wallet app on average joes computer, meaning people dont just type in username and password, they have to open their wallet client click a couple buttons to get to the 'sign message' feature and then type in the 'captcha' to sign it before pasting it back in. this can seem more secure, yet more complex than just receiving a email with a 6-8 digit code (email 2FA)

maybe the solution is having options
1factor logon: username and password
2factor login: username and password + (email/google authenticator)
3factor login: username and password + (email/google authenticator) + address message signing

where novices playing  with under $50 can 'risk' 1 factor, and those with larger amounts can decide which level of security they want dependant on laziness, amount they wish to be secure, paranoia, etc

hazek
Legendary
May 08, 2014, 06:02:18 AM
 #14

BitID sounds great, but will it be easy enough to use for most people?

It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

This is how I imagine it'll work:

- Bitcoin wallet apps will have a secondary address book for authentication addresses (these can be some of the same addresses they already use or completely new addresses)
- when you sign up for an account you simply scan a QR code which will give you the option of creating a new authentication address or to pick an existing one
- to login you scan a QR code and click confirm

It couldn't be simpler, and every Bitcoin user could have this functionality already on their device due to simply being a Bitcoin user, no additional installation necessary. All we need is Bitcoin wallet app devs to implement this.

testconpastas2
Full Member
May 08, 2014, 06:05:57 AM
 #15


Nobody has access to the private key except your wallet.


..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.

If you are paranoid the only thing you must do is sign your message from a cold address. ( or trezor like device)

And then login on your favourite site.



you dont use the same wallet for cold storage (or even hot storage of funds) as the one you use for authentication....derp

and where I said you had to use the same wallet or an address with funds?

why dont have as many id/addresses as you need and use different ids for each site you need a different id.

if all these addresses come from a cold wallet. you can sign offline and login without compromising your private key.


phillipsjk
Legendary
May 08, 2014, 06:08:06 AM
 #16

It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks?

Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.

hazek
Legendary
May 08, 2014, 06:17:05 AM
 #17

It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks?

Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.

Because not every Bitcoin user has some pgp software installed, but all of them use a Bitcoin wallet already.

testconpastas2
Full Member
May 08, 2014, 06:24:31 AM
 #18

It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks?

Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.

Because not every Bitcoin user has some pgp software installed, but all of them use a Bitcoin wallet already.

+1

and its much much easier to generate/use/maintain a new address/id than a gpg id.

you can have ONE HD wallet (offline if you dont trust your pc) only for ids, and can sign on every site you ever use ( only one pass, only one backup., lots of ids)

RawDog
Legendary
May 08, 2014, 02:21:55 PM
 #19

I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
The thing you are missing is that these posters are a dumb as fuck.  They can't think past their tits.  You might as well try to explain this to your pet pig.  They aren't going to get it - ever.

*Image Removed* *Expletive Removed*  *Obsenity Removed*
What's going on - Slavetards?!!!
Watch my videos: https://www.youtube.com/watch?v=oE43M1Z8Iew  1FuckYouc6zrtHbnqcHdhrSVhcxgpJgfds
xDan
Hero Member
May 08, 2014, 02:57:45 PM
 #20

This is a freaking great idea, I see Killer App here.

Everybody needs to securely store their Bitcoins - offline wallets etc. using this extreme security for logins? Brilliant.

HODLing for the longest time. Skippin fast right around the moon. On a rocketship straight to mars.
Up, up and away with my beautiful, my beautiful Bitcoin~