Blockchain as login system

[Stingery64]

hi, we al know how much suxs having all the data and password you use to register over so many forums, shops, webs, blogs, social networks and so on,
its truly a pain in the ass and a lose of time,

Bitcoins and Trezor Hardware wallet is making the wish of any security bank, as trezor just sen to the comptuer the signed data without sharing the private keys, and as its like electrem, and it uses deterministic address generation, even if you lose it, you can recover all your bitcoins.

Now: this is in my opinion top grade security where a mecanical button push is the single way to confirm a payment.

What about use some system like that to register in webs, login into any way and have logins safe? to login you would need just to "send bitcoins" pushing a  button, the system receive the bitcoins and without the need to get confirmations, you are validated and logged in,

the idea is to do something like that parallel to bitcoin or so, in order that there is no need to have money, but use the idea to sign the login then be able to login and register everywhere just by saying "check out the signed data, that proofs i am the legit user, let me go in".

Well, i can't think exactly about the inner working, buy maybe you can see a better shine about that, maybe in the future notebooks will have a build in "login" hardware button

[franky1]

its already been discussed.

when registering with a website. user can give the website a bitcoin PUBLIC address.. then when logging in the website shows a random message. EG:

"The Lamb Walked Into The Slaughter House. Bar Ram You. Splat! 1204856948447585 08/07/2014"

the user then signs the message using their bitcoin client of the bitcoin address they submitted at registration. and then types in their username and the signed message. the website then verifies the signed message to the bitcoin public address to authorize logins.

meaning although the bitcoin address is used like the password.. the bitcoin address is never actually typed in by the user to log in after registering.. only a signed message is pasted in as the password, which always changes and is also kind of a 2FA all in one because it is encrypted by the privkey, thus it cant be guessed and shows some user ownership verification, all in one.

its not using the blockchain to login as thats costing people money.. but its using bitcoins "message signing" feature, which is free and faster then sending coin

[Bit_Happy]

...meaning although the bitcoin address is used like the password.. the bitcoin address is never actually typed in by the user to log in after registering.. only a signed message is pasted in as the password, which always changes and is also kind of a 2FA all in one because it is encrypted by the privkey, thus it cant be guessed and shows some user ownership verification, all in one.

its not using the blockchain to login as thats costing people money.. but its using bitcoins "message signing" feature, which is free and faster then sending coin

This sounds pretty cool, has anyone produced a working demo yet?

[Mieehayii]

...meaning although the bitcoin address is used like the password.. the bitcoin address is never actually typed in by the user to log in after registering.. only a signed message is pasted in as the password, which always changes and is also kind of a 2FA all in one because it is encrypted by the privkey, thus it cant be guessed and shows some user ownership verification, all in one.

its not using the blockchain to login as thats costing people money.. but its using bitcoins "message signing" feature, which is free and faster then sending coin

This sounds pretty cool, has anyone produced a working demo yet?

wait for a long time.

[franky1]

...meaning although the bitcoin address is used like the password.. the bitcoin address is never actually typed in by the user to log in after registering.. only a signed message is pasted in as the password, which always changes and is also kind of a 2FA all in one because it is encrypted by the privkey, thus it cant be guessed and shows some user ownership verification, all in one.

its not using the blockchain to login as thats costing people money.. but its using bitcoins "message signing" feature, which is free and faster then sending coin

This sounds pretty cool, has anyone produced a working demo yet?

bitcoin-OTC

you can register your identity with a bitcoin address.. and you can verify your identity using a signed message it gives you... its not a website login, but the same rules apply.

http://wiki.bitcoin-otc.com/wiki/Bitcoin_address_authentication

[Stingery64]

wonderful,

[franky1]

what i find strange is that this concept of veryfying identity has been part of bitcoin community for years now, but no website service is using it.. they all get people to sign up to google

[Stingery64]

i guess is more easy to just wirte the google password than copy a string, sign an address with the string, an paste back the result in order to tell the system you are the real user,

maybe some standar in HTML5 or a browser extension that allows you to register and login to websites just by pressing a mouseclick and send the string to the hardware wallet, press the hardware button that sign it, and you are logged, registered, or whatever, no need to remember password, no spam, no mails, no option to access the private keys...

how could anyone hack an user account that way? maybe a "man in the middle" virus would work? i mean, the virus shows him the string to sign, he signs it, i get the signed string and i can log in? if thats possible then its not that safe...

[Velkro]

working demo would be great

[Nerazzura]

what i find strange is that this concept of veryfying identity has been part of bitcoin community for years now, but no website service is using it.. they all get people to sign up to google

then how should it happen, you can give your best ideas?

[franky1]

i guess is more easy to just wirte the google password than copy a string, sign an address with the string, an paste back the result in order to tell the system you are the real user,

google 2FA
go to website, type in username, type in password. press subitmit. get the google code,  switch tabs
type google.com, click sign in. type in email. type in password. click login. go to authenticator.  paste it into authenticator, press ok. copy response code. switch tabs back to website, paste code. pres submit

bitcoin type in username, press submit, get passphrase. go to bitcoin program. click sign message paste passphrase. press sign button, press copy to clipboard. switch back to website, paste signed message. press login

hmmm bitoin seems shorter and no need for 30 second time limit to irritate people

maybe some standar in HTML5 or a browser extension that allows you to register and login to websites just by pressing a mouseclick and send the string to the hardware wallet, press the hardware button that sign it, and you are logged, registered, or whatever, no need to remember password, no spam, no mails, no option to access the private keys...

no need for extensions that need the privkey saved (to sign messages) i can already smell fishy implications.. most SMART bitcoiners already have their bitcoin nodes running in the background so its just a click down at the task bar.. not that hard

how could anyone hack an user account that way? maybe a "man in the middle" virus would work? i mean, the virus shows him the string to sign, he signs it, i get the signed string and i can log in? if thats possible then its not that safe...
[/quote]

nothing is perfect. but:
trying to remember a lengthy single password, people end up using a short password.
trying to remember a password that changes per use, most would just use an incremental number at the end
trying to remember the password at all... yea some forget.

but with a bitcoin message login, no memory, no possibility of weak "entropy/dictionary attacks". simply verifying a bitcoin address safely stored in your existing wallet.. which you SHOULD!!! already have adequate precautions to secure anyways (not downloading bogus software or extensions)

[franky1]

what i find strange is that this concept of veryfying identity has been part of bitcoin community for years now, but no website service is using it.. they all get people to sign up to google

then how should it happen, you can give your best ideas?

http://wiki.bitcoin-otc.com/wiki/Bitcoin_address_authentication

working demo would be great

go to IRC #bitcoin-otc
choose a username. then sing the link above follow the instructions to register, then verify..

then imagine the same copy and paste method to verify each time.. but as a webpage instead of a chat box.

if you like it, find out who made the code and if thy have a javascript/php version.

sorry i cant hold your hands all the way to the finish line

[DannyElfman]

its already been discussed.

when registering with a website. user can give the website a bitcoin PUBLIC address.. then when logging in the website shows a random message. EG:

"The Lamb Walked Into The Slaughter House. Bar Ram You. Splat! 1204856948447585 08/07/2014"

the user then signs the message using their bitcoin client of the bitcoin address they submitted at registration. and then types in their username and the signed message. the website then verifies the signed message to the bitcoin public address to authorize logins.

meaning although the bitcoin address is used like the password.. the bitcoin address is never actually typed in by the user to log in after registering.. only a signed message is pasted in as the password, which always changes and is also kind of a 2FA all in one because it is encrypted by the privkey, thus it cant be guessed and shows some user ownership verification, all in one.

its not using the blockchain to login as thats costing people money.. but its using bitcoins "message signing" feature, which is free and faster then sending coin

You would still need a public address to act as a username as the website would otherwise not know which address to validate the signature against.

[franky1]

You would still need a public address to act as a username as the website would otherwise not know which address to validate the signature against.

no, but yes, but no.. all depends on how the website sets up its registration system.

scenario 1
imagine this forum whn you signed up asks for your username, password and email address... simply remove email, remove password requirement at registrations and replace with just username and bitcoin PUBLiC address at registration.

so now id when logging typ in username copy th passphrase, sign it, paste th signed passphrase as the password.

scenario 2
your username is your bitcoin public address
so this forum, instead of being 'franky1' its 1frankyblahblahlbalhlblalhsdlsdfds

but this requires me to paste in a long username, then copy the passphrase then paste the signed passphrase... and of course on sites like this having usernames as a bitcoin address is just ugly and not 'personal'/'friendly'

.. either way i find it easier to trust a bitcoin signed passphrase. which means unique passwords at every use (anti-phishing) high entropy(anti-bruteforce/guessing) password is not stored as clear text on members database. (anti-insider*)


*people that make "coming soon" websites to get people to sign up for updates, or nasty exchange and other services that look at the members database, and use their members usernames and passwords on other services. after all no user can prove for definite that the services they use only store a hash of a password and not clear text(which should be default, but we know thats not the case all the time)

[DannyElfman]

You would still need a public address to act as a username as the website would otherwise not know which address to validate the signature against.

no, but yes, but no.. all depends on how the website sets up its registration system.

scenario 1
imagine this forum whn you signed up asks for your username, password and email address... simply remove email, remove password requirement at registrations and replace with just username and bitcoin PUBLiC address at registration.

so now id when logging typ in username copy th passphrase, sign it, paste th signed passphrase as the password.

This would still technically be using your public address as your username, it would just be that you type in your "real" username and that is associated with your public address.

[Peter R]

This is one of my hopes for the Sigsafe project that I'm currently working on. 

Like others have said in this thread, your username could be a bitcoin address (or pubkey).  To make it even easier, a merchant or service provider could read this piece of public information from your device over NFC (possibly along with other information you want to share about yourself).   

To authenticate you at some point in the future, the service would send you a random nonce to sign.  You would produce a bitcoin-signed message of that nonce (e.g., by tapping your bitcoin signing tag to an NFC reader), and then your signature would be relayed to the service.  The service would verify the signature to SOME address (or pubkey), and if that address was YOUR address, then you would be successfully authenticated!  Yesterday, I was able to produce bitcoin-signed message on a sub-$2 microcontroller using less than 16 kilobytes of RAM.

Authentication by signing a nonce with a bitcoin private key would be so helpful because it would eliminate the concern with password re-use.  The same signing device (and even the same key within the device) could authenticate you to Gmail, act as a loyalty card at a grocery store, unlock your front door, and perhaps in the future even start your car. 

Right now, a major obstacle IMO is that currently HTML5 browsers don't yet support the Web NFC API.  But I imagine in the future it will be possible to create webpages that request signatures from a device like Sigsafe to complete an online payment or to login to a website using (e.g.) the bitID protocol and a single tap.

[nahtnam]

...meaning although the bitcoin address is used like the password.. the bitcoin address is never actually typed in by the user to log in after registering.. only a signed message is pasted in as the password, which always changes and is also kind of a 2FA all in one because it is encrypted by the privkey, thus it cant be guessed and shows some user ownership verification, all in one.

its not using the blockchain to login as thats costing people money.. but its using bitcoins "message signing" feature, which is free and faster then sending coin

This sounds pretty cool, has anyone produced a working demo yet?

bitcoin-OTC

you can register your identity with a bitcoin address.. and you can verify your identity using a signed message it gives you... its not a website login, but the same rules apply.

http://wiki.bitcoin-otc.com/wiki/Bitcoin_address_authentication

Another example would be if you are changing your ad on A-ads.

[DannyElfman]

...meaning although the bitcoin address is used like the password.. the bitcoin address is never actually typed in by the user to log in after registering.. only a signed message is pasted in as the password, which always changes and is also kind of a 2FA all in one because it is encrypted by the privkey, thus it cant be guessed and shows some user ownership verification, all in one.

its not using the blockchain to login as thats costing people money.. but its using bitcoins "message signing" feature, which is free and faster then sending coin

This sounds pretty cool, has anyone produced a working demo yet?

bitcoin-OTC

you can register your identity with a bitcoin address.. and you can verify your identity using a signed message it gives you... its not a website login, but the same rules apply.

http://wiki.bitcoin-otc.com/wiki/Bitcoin_address_authentication

Another example would be if you are changing your ad on A-ads.

This is really a great example as all the information that is collected is your address to send payment to and the website that the ads will be placed on.

[laurentmt]

This sounds pretty cool, has anyone produced a working demo yet?

You should check BitId.
- video demo => https://www.youtube.com/watch?v=3eepEWTnRTc
- forum thread => https://bitcointalk.org/index.php?topic=557037.0
- github => https://github.com/bitid/bitid

It has been integrated in DarkWallet alpha 5 and Mycelium 1.2.15

Server-side, libraries have been developed for several languages and there's also some plugins/extensions for django, wordpress and mediawiki

[tutkarz]

I don't see the reason for browser to not store bitcoin private key for less important sites like it already does with passwords now, and just automatically sign you to sites when you want. Also making signing up flawlessly simple by automatically sending public address to site with your username.