
Topic: Bitcoin website operators: please consider using Google sign-in (Read 5488 times)

hero member
Activity: 560
Merit: 500
I think you will be pleased to learn that we have implemented this at BIPS. It was already in place at the time this thread was created but we had to wait until the site was launched to share.

For those of you who are interested, BIPS offers a free Bitcoin eWallet and free Bitcoin merchant tools.

https://bips.me
legendary
Activity: 938
Merit: 1001
bitcoin - the aerogel of money
Google sign-in isn't for everyone, but for small websites run by people in their spare time it can save a lot of hassle.

There should be something like google sign-in for wallet management too.  At the moment, if you want to run a theft-proof bitcoin website you basically need to be a security guru.  That creates a big barrier to entry and excludes a lot of mom-and-pop web businesses from the Bitcoin economy.
full member
Activity: 201
Merit: 101
https://playt.in
I'd say if you run a somewhat serious website, have your own user account system, and protect it well, two factor identification may also be an interesting thing to implement.
There is absolutely no need to have only one account type implemented.
As an example, we allow users to login using username/password, Google, Persona, or by signing a token with their bitcoin address.
For all those account types, one can enable two-factor authentication as an added security measure. By providing all those options, users can decide for themselves what they prefer. Keep in mind that all types have their pros and cons.
hero member
Activity: 868
Merit: 1000
I read through the first page of this thread, but didn't read the rest, so perhaps this information will be redundant, anyway, here goes:

Firstly I'd like to thank Mike Hearn for all the stuff that he does for bitcoin at large.

Secondly I'd like to put forth my opinions about OpenID.

What if your Google e-mail is compromised? It seems it would then also be possible to get access to the sites that you're connected to through OpenID.

The privacy issue is also interesting. If a certain individual is a member of 5 sites, and all these sites run their own user account systems, then any law enforcement agency or any 3-letter agency would need to contact 5 entities to get the required data. However, with one central repository, one rogue sysadmin or a request to Google from law enforcement would be enough to get the required data.

Now, most users are honest individuals doing nothing nefarious, and you don't even need to do anything nefarious to value your privacy online. But as a website operator, you're now relying on a 3rd party for all your user accounts, and what if it's decided that pulling the plug on your website is the right thing to do, caused by legal or political pressure? There's nothing you can do but see your entire userbase vanish at the snap of some fingers.

And what if some google employee fucks up, and user data is leaked? I assume there is tight security, but tight security has been broken before. Also, google will be able to record when you log in to a certain site, and a host of other parameters, which they can and will use for various purposes that you may or may not agree with.

For example, if you are a member of some soccer sites that use OpenID, google will possibly serve you commercials for computer soccer games and so on. Google may also use your habits as a tool to suggest stuff for you on Google+.

Make no mistake about it, although Google does a lot of good things, like drone program to help wildlife preservation, and offering a hostload of free services online, they also need and want to turn a profit, and in addition they're US based, meaning it's very easy for law enforcement and 3-letter agencies to tap into their data, and mind you - this is happening. We don't hear about it, but we should not be naive and think it's not happening.

So who knows, some years down the line, you need to pay a mandatory license for using bitcoins, and lists of users will be extracted from Google, and you will have your bills in your mailbox. Ok, that may be stretching it, but judging from all the silly things that US policy makers and law enforcement agencies actually do, I would not be surprised if this will happen. What about mining pools? I'm sure the IRS would be happy to look up personal information about big time miners to see if they're paying their taxes.

This being said, it's unquestionable that Google provides a more secure and more professional service than most devs would be able to put up alone, but it's worth knowing about the privacy implications, which can be severe.

I already see that Google is exploiting my online habits to do targeted marketing in regards to my interests, and I don't like it much, but I understand why the development is going this way, and I see how it can make revenue. It's not like I would click on ads sporting women's makeup articles; give me some geeky ads, and the chance is bigger that I click on an ad, and then add this up for thousands and millions of users, and we have the answer to why targeted marketing works great for google.

I'd say if you run a somewhat serious website, have your own user account system, and protect it well, two factor identification may also be an interesting thing to implement.
legendary
Activity: 1526
Merit: 1129
Why not do X or Y or Z ... sure you can do all those things. In practice though, people usually don't. Even Paymium doesn't seem to support 2-factor auth and that's an exchange!

The advantage of outsourcing it is that you can focus on your business, rather than on re-inventing the authentication wheel. And yes, it can lead to some additional risk, no different to using virtual server providers or outsourcing your email or DNS. You have to weigh up the costs vs the benefits.
hero member
Activity: 763
Merit: 500
One, I am giving away a portion of my site's security to a third party …
well, you aren't forced to go "all in". you can still have your own system … the more important point is, that it is not about YOUR security, but also in large about the user's security. e.g. do you protect your login against brute force attacks? do you offer 2-way authentication? do you have a heuristic to detect login attempts by a password thief based on e.g. the IP access pattern of the user (thief sits in another country) and ask some security question?
so, if you have all this and it's working, fine … if not, the USER has something to gain if s/he uses this system instead of yours.
and once again, you should offer both ways, it's easy to do!
full member
Activity: 189
Merit: 100
Why depend on third parties, why not use PKI?  Something like ssh maybe?  I have been using PKI to log in my servers via ssh, since it adopted ECDSA, and made life so much easier without having to remember passwords (just the password for encrypting the private key).

When you register, web sites could ask you to paste your public key (in base64).  Then ask you to confirm the hash of the public key (in base58), via email just to make sure. Or visually, if there is no email required for registration.

This could be made user friendly, via a plug-in in Firefox/Chrome.  Or even better have native support for this in Firefox/Chrome.  If private keys are stored locally, they obviously need to be encrypted.
legendary
Activity: 2128
Merit: 1065
a court order to force Google to block sign-ins
If the history is any guide openly blocking is least of the worry.

I have no data to compare Google legal eagles with Microsoft legal eagles, but Microsoft has about a decade more of the experience with their Passport and Live ID products. And before that Novell, Compuserve and Shiva, three other early pioneers of "single sign on service". Too bad that Netscape & AOL had purged all the old Compuserve forums. There were some nice stories to re-tell from some of the non-English language boards.

The problems are completely non-technical and non-cryptographic, they are all human factors and human resources issues.
hero member
Activity: 560
Merit: 500
Coming Soon...
legendary
Activity: 1120
Merit: 1149
I'd suggest website operators take a third approach: support Google Authenticator, or to be exact, RFC 6238 time-based one-time passwords. Basically under the hood it uses a secret key, which is cryptographically hashed with the current time, and that creates a secondary password. Your users just install the Google Authenticator app on their smartphone, use the camera to scan a special QR code containing the secret key, and from then on enter the 6-digit one-time password every time they log in, in addition to their normal password. Blockchain.info and many other Bitcoin sites already use it, not to mention non-Bitcoin sites. You do need a smartphone, but they're pretty common these days. Unless hackers get your user's password and their phone, they can't do anything.

Unlike Mike's suggestion of using Google sign-in, RFC 6238 doesn't send any information whatsoever to third parties. Not when you log in, or even that you are using Google Authenticator at all. For non-Bitcoin sites, I can see why Google sign-in could make a lot of sense - if you use Google analytics Google already knows when your users sign in anyway - but Bitcoin is a target and you really don't want to be one court order away from suddenly finding that none of your customers can log in. Google has a better track record than most of fighting court orders, but because their infrastructure and employees are spread out across the world in most countries they have no choice but to follow court orders. For instance Google has an office in Argentina, and I could easily see a court order to force Google to block sign-ins to Bitcoin exchanges pushed through under the guise of enforcing that country's capital controls. Equally I can easily imagine Google getting a court order from the Argentinian government forcing them to reveal all the Google sign-ins made in that country in an attempt to identify and prosecute people violating those same capital controls. Your website wouldn't even have to be based in Argentina for any of this to happen.

Mike has a point about Google sign-in being "one strong basket", but court orders can do things no attacker ever could, and if your risk is court orders, centralization is the last thing you need.
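
The RFC 6238 scheme described in the post above, as an added example that is not part of the original thread: server-side code generation, the `otpauth://` URI behind the QR code, and verification with clock-drift tolerance and replay rejection. The function names, the ±1 step window and the per-account `last_counter` bookkeeping are assumptions of this sketch; the sample secret is the RFC 6238 Appendix B test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length that authenticator apps display


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238 code for time `at`: RFC 4226 HOTP over the time-step counter."""
    counter = int(at) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that the site renders as the QR code the user scans."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"


def verify(secret: bytes, code: str, last_counter: int = -1,
           at: Optional[float] = None, window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    Allows +/- `window` steps of clock drift. Steps at or below `last_counter`
    (the last step this account logged in with; storing it is an assumption
    of this sketch) are refused, so an observed code cannot be replayed.
    """
    current = int(time.time() if at is None else at) // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        expected = totp(secret, counter * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return counter
    return None


if __name__ == "__main__":
    # Constructed sample: the ASCII test secret from RFC 6238 Appendix B.
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "alice@example.com", "ExampleSite"))
    step = verify(secret, totp(secret, 59), at=59)
    print("accepted at step", step)
    print("replay:", verify(secret, totp(secret, 59), last_counter=step, at=59))
```

Nothing in this exchange leaves the site: the secret is shared once through the QR code, and every later check is a local HMAC computation.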
full member
Activity: 166
Merit: 101
I am working on a website and while the idea of handing off the authorization portion to a third party seems tempting I can think of two things that would hold me back.


You probably mean authentication.  Authentication is about who someone is.  Authorization is about what people are authorized to do.  Access control is what you do when you apply the authorization rules in your systems.  Thus the access control normally requires authentication to work.  The part that this thread is about is authentication.
legendary
Activity: 3598
Merit: 2386
Viva Ut Vivas
I am working on a website and while the idea of handing off the authorization portion to a third party seems tempting I can think of two things that would hold me back.

One, I am giving away a portion of my site's security to a third party with only the hope that they will not abuse it. I may as well have all BTC transactions handled by MtGox and content controlled by Wikipedia. While I do not believe Google's business model would last if they abused the access of websites, I still do not like the idea of handing such control over to someone else.

Second, as a user I tend to avoid sites or apps that require access to my Facebook or other accounts. I may trust Facebook or Google to keep my information secure and private but I do not trust XYZ site to use that information the way I originally intended.

I may consider giving users options of security. With the highest security being the use of their private key to sign something for each login and perhaps the lowest being a Google or other third party auth.
legendary
Activity: 3066
Merit: 1145
The revolution will be monetized!
You know that Google stopped operating filtered search in China years ago, right?

   http://googleblog.blogspot.ch/2010/01/new-approach-to-china.html


Yes, but they only seemed to really back off once they were the specific target of the Chinese. Not exactly an act of courage. I don't mean to just blame them either. Cisco makes special routers that keep the "great firewall of China" operational, and there are many others who are complicit.
Eventually they will come home crying when their servers are bled dry by government backed thieves who will vacuum up years of product development and research. I don't know when we forgot that China is a cruel and brutal totalitarian regime. We should be destroying their wall and placing the news of the world in front of their citizens.
Remember this guy?
 

This image is virtually unknown in China. That's what suppressing the truth is all about.
legendary
Activity: 1946
Merit: 1000
Mike...

How would this implementation benefit Google?

Thanks.
legendary
Activity: 1526
Merit: 1129
You know that Google stopped operating filtered search in China years ago, right?

   http://googleblog.blogspot.ch/2010/01/new-approach-to-china.html

legendary
Activity: 3066
Merit: 1145
The revolution will be monetized!
Thanks for the replies guys. It looks like there's a bit more to it than I know. I guess I'm just becoming increasingly skeptical of Google. Their motto is "do no evil". But then they go out and cooperate with the Chinese government to limit free speech and help enforce anti-freedom efforts. I just don't trust Google any more.
legendary
Activity: 1526
Merit: 1129
If you're worried about that (it would be largely unprecedented), ask for users' email addresses so you can email them with a password setup link.
legendary
Activity: 1596
Merit: 1091
I do understand what Mike is saying, however, what about those of us who don't want a google ID? For all I know google will be seen as the most draconian and destructive force ever created by humanity in 10 years.  I would not want them to ID me then. In fact the future of the internet for me is centered on anonymity. I doubt I will use the internet much at all compared to the TOR network.


That is the reason for open standards.  If you support Google logins in this way, it is easy to support other OAuth-like providers who are not named Google.

From a bitcoin website operator's standpoint, the biggest concern is not privacy, but giving a single entity a big fat "off switch" to your website.  If Google decides you are malicious (unlikely) or receives a court order, 100% of the Google-login-based users cannot access your website.

This problem is a general problem of interfacing with any large, 3rd party account system, and is not specific to Google.  As long as you have account recovery procedures in place, creating a contingency for en masse account blocking, I would definitely endorse Mike's points here.

hero member
Activity: 763
Merit: 500
In fact the future of the internet for me is centered on anonymity.
well, for you, but for >99% it will be centered around identity and associated services. that's what google has in its vision because from their POV it will happen. and there isn't much doubt about that at all.

besides that, the word "open" in openID implies that anyone can start creating and promoting its own identity provider. it's just that google has already invested a lot into such a service and newcomers have a hard time catching up with their advantage -- purely technically speaking.
generally speaking, if all actions taken yield to a situation, where there are more possibilities, it is overall better … and that's what's happening here. (heinz v. foerster)
full member
Activity: 201
Merit: 101
https://playt.in
It is actually very easy to use both Google and Persona on a single website. That way users can decide which one fits them better.

A friend of mine who I respect just posted this
http://labs.newsint.co.uk/blog/2012/10/why-mozilla-persona-is-the-right-answer-to-the-question-of-identity/

Quote
Why do we need another identity system?

Let’s outline some of the issues with OpenID and oAuth:

OpenID uses URLs as identities.
While fundamentally this is a good idea, it can be confusing for users and therefore results in bizarre login systems that ask you to ‘choose a service to login with’ such as Google, LiveJournal, etc. when you’re not really logging in with them at all.
Most sites would like at least an email address to be able to contact you, so will almost always require an additional step after logging in for the first time.
OpenID is a jarring login process; you have to completely leave the site you are on and return after authenticating with a third-party. The same can be said for oAuth (though some oAuth implementations allow single-click sign on processes such as Twitter).
oAuth is complicated for developers to implement, requiring the storage and management of tokens. There are also several versions of the protocol, and sometimes extra authentication cruft on top (for example Google’s refresh tokens).
Both OpenID and oAuth allow your identity provider (be it Google, Facebook, Twitter) to track every website you sign in to.