not approved
Crypto wallets for signup, login, and 2FA
Current Project Status: Unfunded
Amount Received: ₳0
Amount Requested: ₳137,280
Percentage Received: 0.00%
Solution

Signing with your crypto wallet is better, safer, simpler and a two-factor-auth at the same time. Your public key reveals nothing, your signature changes on each login, and can’t be forged.

Problem

Access control on the internet has terrible UX and security because of usernames and passwords. Signing with your crypto wallet is safer, simpler and a two-factor-auth at the same time.


Team

1 member


Please describe your proposed solution.

Your browser extension web wallet is great, it comes in handy when you need to pay online and use the Cardano DeFi, but I could do more for you. Most of your online needs are about managing each of your accounts with service providers. You must authenticate to access their service using a username and password. Your service provider stores that data, and when they get hacked, your account passwords end up floating on the internet. To reduce that risk you use password managers, to use a different password on every service and keep track of them. On the provider side they give you two-factor authentication. That is a terrible user experience: too many tools to solve a simple authentication problem.

Because of Blockchains we are spreading the use of cryptography as an infrastructure and we should make more use of it. Wouldn't it be awesome if your wallet would take care of authenticating you? It can, it is simpler and safer than any other alternative.

Your wallet is a secure system, it keeps your keys safe. Instead of usernames, you give your public key, which reveals no information about you or your keys, yet unequivocally identifies you. To log in to a service, you sign a login message and the service provider validates it. By its properties, the signature changes with each domain, time, and message you sign. It becomes a second-factor authentication by construction (something you know: your wallet unlock password; something you have: your secret key), and it runs on your computer. Once the service provider validates your signature you are authenticated. Because the service provider does not store your password anymore, when they get hacked and suffer a data leak, nobody can impersonate you as they don't have your private key. This is so much safer, because with this method we push the power and control back to the users.

This system is ready for the Cardano ecosystem. The wallet dapp connector CIP-30 gives your wallet the ability to sign messages, and CIP-8 teaches developers how to sign arbitrary messages. What is missing is the backend infrastructure to help developers with this form of authentication, and the education of users on how to use it and why to prefer it. A big part of this project revolves around educating users and developers.
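The login exchange described above, as an added example that is not part of the original proposal or the author's code: the server issues a single-use challenge bound to its domain and a timestamp, and accepts only a valid Ed25519 signature over it. It uses Node.js built-in crypto with a locally generated key standing in for the wallet, and signs plain JSON rather than the CIP-8 envelope a CIP-30 wallet would produce; `DOMAIN`, `MAX_AGE_MS` and all function names are assumptions.

```javascript
const crypto = require('node:crypto');

const DOMAIN = 'app.example';      // hypothetical service domain
const MAX_AGE_MS = 5 * 60 * 1000;  // challenge lifetime (assumed policy)
const pending = new Map();         // nonce -> issue time, in memory for the example

// Server: issue a fresh challenge bound to this domain and the current time.
function issueChallenge(now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, now);
  return JSON.stringify({ domain: DOMAIN, nonce, issuedAt: now });
}

// Server: accept the login only if every check passes; returns a reason string.
function verifyLogin(publicKey, message, signature, now = Date.now()) {
  let m;
  try { m = JSON.parse(message); } catch { return 'malformed'; }
  if (!m || m.domain !== DOMAIN) return 'wrong-domain';
  const issued = pending.get(m.nonce);
  if (issued === undefined || issued !== m.issuedAt) return 'unknown-or-replayed-nonce';
  if (now - issued > MAX_AGE_MS) { pending.delete(m.nonce); return 'expired'; }
  // Ed25519 takes no separate digest, hence the null algorithm argument.
  if (!crypto.verify(null, Buffer.from(message), publicKey, signature)) return 'bad-signature';
  pending.delete(m.nonce);         // consume the nonce so this signature cannot be reused
  return 'ok';
}

// Stand-in for the wallet (constructed key pair; a real wallet never exposes its key).
function makeWallet() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { publicKey, sign: (msg) => crypto.sign(null, Buffer.from(msg), privateKey) };
}

// Constructed scenarios: valid login, replay, wrong key, stale challenge, other domain.
function demo() {
  const wallet = makeWallet(), other = makeWallet();
  const c1 = issueChallenge();
  const sig1 = wallet.sign(c1);
  const first = verifyLogin(wallet.publicKey, c1, sig1);
  const replay = verifyLogin(wallet.publicKey, c1, sig1);
  const c2 = issueChallenge();
  const wrongKey = verifyLogin(wallet.publicKey, c2, other.sign(c2));
  const c3 = issueChallenge(Date.now() - MAX_AGE_MS - 1);
  const stale = verifyLogin(wallet.publicKey, c3, wallet.sign(c3));
  const foreign = JSON.stringify({ domain: 'other.example', nonce: 'x', issuedAt: 0 });
  const cross = verifyLogin(wallet.publicKey, foreign, wallet.sign(foreign));
  return { first, replay, wrongKey, stale, cross };
}
console.log(demo());
```

The server, not the signature, supplies the freshness: without the stored nonce and the age check, a captured signature would stay valid for later logins.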

How does your proposed solution address the challenge and what benefits will this bring to the Cardano ecosystem?

As the Cardano ecosystem develops, the easier this solution becomes. Yet most of its current challenges are educational. This project mostly goes in the challenge direction of "Knowledge base & documentation". It is about teaching developers how to implement the authentication backend on their services, and it is about teaching users how much safer this method is.

As you just read, it is a two-sided marketplace problem. Users need to want to log in with their wallets, and developers need to offer services people can log in to using their wallets. Yet what is the alternative?

Today, developers don't have enough security experience to implement secure password authentication protocols and secure password storage solutions, regardless of how bad password authentication is as a concept. The safest solution today is to rely on OAuth, and that is secure and supported by today's tech monopolies. But that is part of the problem too: we must rely on those tech monopolies, and we consolidate power and data with them. Although better financed than any individual developer, they are still prone to suffer hacks and experience data leaks. They are actually honey pots because of all the data they have, putting them in a vulnerable position. And the power they have? Well, they have not been role models of good behavior, so why should we keep giving them more power?

This solution brings decentralization back into play. The cryptographic libraries are safe, the cryptography is safe. I'm not implementing my own cryptography, I build upon our safe system and so should all developers. If the user can authenticate with his wallet, there is no need for passwords at the service provider, there is no need to store them. You can't leak data you don't store. The cryptography is safe, there can't be identity forgery on this scheme. And because of the wallet nature of holding user funds, people take better care of their secrets. On top of that, people only need to take care of their wallet seed and unlock password, not of passwords, not a different one for every site; the dynamic nature of the signature takes care of that.

This project brings the Cardano ecosystem forward by educating developers and users how to better embrace cryptography, decentralization and become self-sovereign.

How do you intend to measure the success of your project?

A market has supply and demand; this project would have availability and usage. The more each project offers authentication over this method, the more successful I will consider it. This is an easy feature to monitor, in the same way projects offer to connect to your web wallet, which by the way does not provide authentication; it provides an anchor to the user wallet for payment transactions. Yet through authentication, services can offer users access to restricted parts or services of their project.

As an example, since micro transactions are not intended for the L1, users can authenticate to a service and pay a larger fee. Then through future authentication to the same service they can keep using the service without spending a new transaction each time.

The fact that you now have authentication also allows to personalize information to each user, personalize services, and create new offerings.

The measure of success is how much the ecosystem embraces this feature and that can be measured by counting projects that include next to their wallet connection an authentication option.

The developer productivity will grow, as this becomes an established practice. Because developers will know where to search and learn for this service.

Please describe your plans to share the outputs and results of your project?

This project is educational modules, and the corresponding code templates for developers to incorporate this authentication protocol in their services.

Building is not enough of course, communication is extremely important, and I will hold many more YouTube tutorials to teach developers and users how to embrace the features.

All software will be BSD-3 clause, which is the most liberal open source license, allowing everybody to incorporate the software without any legal worries as much as to read the code and modify it. That is important for adoption as some application developers will not release their software source code yet they need to use this open sourced library.

The documentation will be creative commons licensed.

From previous Catalyst funded projects, I know things take longer than expected. I do plan to offer enough software libraries in the first 3 months while continually releasing YouTube tutorials. The last 2 months of this project timeline are dedicated to evangelizing the developer and user base to embrace this authentication standard.

What is your capability to deliver your project with high levels of trust and accountability?

I have participated in the Cardano ecosystem over the last 2 years. The community has recognized and rewarded my efforts, funding my projects in Funds 7, 8 and 9. I have successfully delivered and closed all my projects, and the community can audit them. I completed 2 open source projects with little more than a month's delay to my plan, 1 documentation effort completely according to plan, and 1 DApp project which challenged me beyond my initial proposal, forced me to redesign it during implementation, and to readapt my infrastructure considerations due to the Vasil Hard Fork and how much testing it required, creating huge delays. On top of that I worked after consuming all my budget and in the depths of last year's valuation collapse of ADA. Yet, I persisted to deliver the project feature-complete with 8 months' delay instead of calling it a failed project.

It is my experience and my persistence that show my capability. My ideas are valuable to be funded, and I have been honestly working to bring them to completion.

What are the main goals for the project and how will you validate if your approach is feasible?

The main goal of the project is to move people away from using passwords to authenticate users. Passwords offer poor security, today's secure alternative is to rely on OAuth, which entrenches the big tech monopolies. This approach is feasible because I have seen it in use, it is even easier than the SSH handshake, because the secure channel is already provided by the TLS connection of the web-service over the internet. The user only needs to sign a message the server must validate.

Yes, the project involves some software development, yet mostly is educational, teaching developers how to embrace this protocol, by giving them documentation, examples and some libraries to use.

The project is feasible. The goal, well, it fights the inertia of people doing what they have always done: use passwords for login. Yet the success can be actively measured by following how services in the Cardano ecosystem adopt this type of authentication when needed.

Please provide a detailed breakdown of your project’s milestones and each of the main tasks or activities to reach the milestone plus the expected timeline for the delivery.

  1. Protocol documentation - 2 weeks

Here I prepare technical documents and diagrams explaining the details of how to implement this type of authentication. This isn't much of a challenge, it is mostly busy work to get it done.

  2. Example implementations - 10 weeks

From idea to reality things change. The goal here is to provide actual software implementations of the authentication protocol. I will provide the templates or libraries (depending on the ecosystem) to implement this protocol in popular languages like Python and JavaScript, and in the less popular but favorite of mine, Clojure.

  3. Advertising - 10 weeks

Because "build it and they'll come" does not work. The project needs a substantial amount of YouTube tutorials to inform developers as well as users about these possibilities: that now that we have large-scale diffusion of a cryptographic infrastructure thanks to crypto currencies, we can cryptographically authenticate.

Please describe the deliverables, outputs and intended outcomes of each milestone.

Every list item is a tangible deliverable.

  1. Protocol documentation
     • Technical document on the arsmagna.xyz website
  2. Example implementations: Code template or library depending on use case and system integration
     • Python backend to validate signed authentication message
     • JavaScript backend to validate signed authentication message
     • Clojure backend to validate signed authentication message
     • JavaScript frontend to request webwallet to sign authentication message
  3. Advertising
     • Protocol description
     • User point of view: login to an application
     • User point of view: Why is it safe and my funds aren't at risk
     • Developer: Python backend
     • Developer: JavaScript backend
     • Developer: Clojure backend
     • Developer: Wallet integration frontend

Please provide a detailed budget breakdown of the proposed work and resources.

This project, like all my previous ones, remains small in scope and is an extra tool for the Cardano ecosystem. The main expense is compensation for my work time and effort, which I average out at a rate of 60 USD/hour, making me a cheap software developer, an expensive video editor, an ok accountant and an undervalued project manager since I have brought all my projects to completion.

The timeline assumes me working part time on this project. Milestones propose 22 weeks of work. Out of experience, I'll budget 30% buffer for completion amounting to 29 weeks. That budget buffer leaves me opportunity to work around unforeseen problems.

I account for ADA price of 0.25 USD, that seems to have been the bottom in December last year and now. I imagine even with the 12 Million USD in sell pressure originating from this Catalyst fund, and amortized over a year, that it won't drop that much.

Final budget: 22 [weeks] × 1.3 [buffer factor] × 20 [hours/week] × 60 [USD/hour] × 4 [ADA/USD] = 137280 ADA

Who is in the project team and what are their roles?

Oscar Najera (Jack of all trades, master of Software development)

PhD in Theoretical Physics, Software developer, Contributor to Cardano ecosystem. I let my work speak for me, with my Catalyst funded and completed projects

  • Fund7 - Transaction editor & wallet # 700257

Ideascale: https://cardano.ideascale.com/c/idea/385056

Closeout Video: https://www.youtube.com/watch?v=fTDCxC8No6o

Closeout report: https://drive.google.com/file/d/1pcCL93-XYvDjS3EIUW7W57XecjBm880f/view

  • Fund7 - Web based transaction editor # 700265

Ideascale : https://cardano.ideascale.com/c/idea/61277

Closeout Video : https://youtu.be/knP3T391Wak

Closeout report : https://drive.google.com/file/d/1cOIxjuf12d0eGWZKuOU1-PiV7oukyVcB/view

  • Fund8 - Ouroboros-mini query specification # 800282

Ideascale : https://cardano.ideascale.com/c/idea/400914

Closeout Video : https://www.youtube.com/watch?v=eNaoS8zAfu4

Closeout report : https://drive.google.com/file/d/1XyktSqoLOT9BHLkjcmGc_bYTfRDyYq8u/view

  • Fund9 - Transaction Editor Hardware wallet # 900202

Ideascale : https://cardano.ideascale.com/c/idea/420147

Closeout Video : https://youtu.be/VV59yVv2VJc

Closeout report : https://drive.google.com/file/d/1O-7LN0LXLHw2WK0Tl75msyXzUHNQu1ah/view

How does the cost of the project represent value for money for the Cardano ecosystem?

This is a do it and pay for it once, use forever project. All my work in this project is open source and the documentation is publicly available. I won't keep any royalties from the output of my work. This belongs to the Cardano community and I expect it to grow into a bigger community, making these resources more valuable. Getting out of passwords into authentication from your wallet would be huge for cybersecurity, and it also brings us a step forward into decentralization, where we as users can manage our identities instead of delegating them to tech monopolies.

As stated previously, the budget is only compensation for my work, where it averages me out into a cheap software developer, an expensive video editor, an OK accountant and an undervalued project manager since I have brought all my projects to completion.
