
Topic: The new BitID Authentication System (Read 1411 times)

member
Activity: 112
Merit: 10
Cryptocurrencies Exchange
May 09, 2014, 09:48:17 AM
#23
There are already similar systems. It is hard to say for sure whether it is better at this stage.

Maybe I'm going to check it in future, but for now I would like to get more opinions of other people about it.

Also who are the providers?
legendary
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
May 08, 2014, 10:01:09 PM
#22
So use a different wallet.
newbie
Activity: 24
Merit: 0
May 08, 2014, 06:19:14 PM
#21
I personally am a security freak when it comes to my wallet. Anything like this will somewhat compromise that safety net that I like to have. After all, that's the main reason a lot of us use Bitcoin.
hero member
Activity: 688
Merit: 500
ヽ( ㅇㅅㅇ)ノ ~!!
May 08, 2014, 10:57:45 AM
#20
This is a freaking great idea, I see Killer App here.

Everybody needs to securely store their Bitcoins - offline wallets etc. using this extreme security for logins? Brilliant.
legendary
Activity: 1596
Merit: 1026
May 08, 2014, 10:21:55 AM
#19
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
The thing you are missing is that these posters are as dumb as fuck. They can't think past their tits. You might as well try to explain this to your pet pig. They aren't going to get it - ever.
full member
Activity: 199
Merit: 100
May 08, 2014, 02:24:31 AM
#18
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks?

Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.

Because not every Bitcoin user has some pgp software installed, but all of them use a Bitcoin wallet already.

+1

and it's much, much easier to generate/use/maintain a new address/id than a gpg id.

you can have ONE HD wallet (offline if you don't trust your PC) only for ids, and can sign on every site you ever use (only one pass, only one backup, lots of ids)
legendary
Activity: 1078
Merit: 1002
May 08, 2014, 02:17:05 AM
#17
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks?

Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.

Because not every Bitcoin user has some pgp software installed, but all of them use a Bitcoin wallet already.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
May 08, 2014, 02:08:06 AM
#16
It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

Why not use something like OpenPGP that was designed for it? Why can't users have web-site login sub-keys they access with two clicks?

Edit: thought on one possible reason: Bitcoin is standardized on one signature algorithm.
full member
Activity: 199
Merit: 100
May 08, 2014, 02:05:57 AM
#15

Nobody has access to the private key except your wallet.


..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.

If you are paranoid the only thing you must do is sign your message from a cold address (or a Trezor-like device).

And then log in on your favourite site.



you don't use the same wallet for cold storage (or even hot storage of funds) as the one you use for authentication....derp

and where did I say you had to use the same wallet or an address with funds?

why not have as many ids/addresses as you need and use different ids for each site you need a different id.

if all these addresses come from a cold wallet, you can sign offline and log in without compromising your private key.

legendary
Activity: 1078
Merit: 1002
May 08, 2014, 02:02:18 AM
#14
BitID sounds great, but will it be easy enough to use for most people?

It can be as simple as two clicks. All that's needed is Bitcoin wallet app devs to implement the needed functionality.

This is how I imagine it'll work:

- Bitcoin wallet apps will have a secondary address book for authentication addresses (these can be some of the same addresses they already use or completely new addresses)
- when you sign up for an account you simply scan a QR code which will give you the option of creating a new authentication address or to pick an existing one
- to log in you scan a QR code and click confirm

It couldn't be simpler, and every Bitcoin user could have this functionality already on their device due to simply being a Bitcoin user, no additional installation necessary. All we need is Bitcoin wallet app devs to implement this.
legendary
Activity: 4270
Merit: 4534
May 08, 2014, 01:22:26 AM
#13
OpenID had a great buzz ~5 years ago, but never reached full mainstream usage (with the possible exception of Google products)
BitID sounds great, but will it be easy enough to use for most people?

well my last post was just to inform that giving a privkey to a website is risky, even if unused for funding, that website can keep the privkey and then invade other websites. (phishing tactic)

the message signing is not risky as no privkey is handed over and each time you log in the random message you have to sign will be different, kind of like a 'captcha' and an address validation message all rolled into one.

but whether it's practical... well here's some flaws
1. average joe has no client app, and only uses blockchain.info or a webwallet. the webwallet needs signature verification.. but he can't sign a message until he gets into his wallet to play with the features inside the webwallet..
2. requires a wallet app on average joe's computer, meaning people don't just type in username and password, they have to open their wallet client, click a couple of buttons to get to the 'sign message' feature and then type in the 'captcha' to sign it before pasting it back in. this can seem more secure, yet more complex than just receiving an email with a 6-8 digit code (email 2FA)

maybe the solution is having options
1factor logon: username and password
2factor login: username and password + (email/google authenticator)
3factor login: username and password + (email/google authenticator) + address message signing

where novices playing with under $50 can 'risk' 1 factor, and those with larger amounts can decide which level of security they want dependent on laziness, amount they wish to be secure, paranoia, etc
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
May 08, 2014, 12:59:12 AM
#12
OpenID had a great buzz ~5 years ago, but never reached full mainstream usage (with the possible exception of Google products)
BitID sounds great, but will it be easy enough to use for most people?
legendary
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
May 08, 2014, 12:46:27 AM
#11

Nobody has access to the private key except your wallet.


..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.

If you are paranoid the only thing you must do is sign your message from a cold address (or a Trezor-like device).

And then log in on your favourite site.



you don't use the same wallet for cold storage (or even hot storage of funds) as the one you use for authentication....derp
sr. member
Activity: 434
Merit: 250
May 08, 2014, 12:28:07 AM
#10
we need more developers to integrate BitID like Mintpal, Cryptsy, and other exchanges.
full member
Activity: 199
Merit: 100
May 08, 2014, 12:25:34 AM
#9


..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.

If you are paranoid the only thing you must do is sign your message from a cold address (or a Trezor-like device).

And then log in on your favourite site.

legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
May 07, 2014, 09:33:52 PM
#8

Nobody has access to the private key except your wallet.


..Unless your wallet is running on a compromised general-purpose machine.

Call me paranoid; but you have to plan for the day Microsoft, Apple, Facebook, and Google may be compelled to steal your funds.
hero member
Activity: 642
Merit: 500
Evolution is the only way to survive
May 07, 2014, 09:22:37 PM
#7
BitID can bind to any electronic product, e.g. Tesla, smartphone, Xbox ....
We need multisig to implement this
legendary
Activity: 4354
Merit: 3260
May 07, 2014, 09:09:50 PM
#6
It creates another system that needs to access your private key. But this means the authentication mechanism needs to access my private key. 

Nobody has access to the private key except your wallet.

I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish.

The point is that you don't have to set up another wallet and you don't have to type anything in.

Code:
USERNAME [ franky1 ]
using your registered address to sign the MESSAGE and paste the signature below
MESSAGE [ franky1 wishes to log into this zone at 01:06AM on the 8th of May G0b3ldiG00p ]
Signature [ sflskdjflaskj;laskjf;aslkdfj;slkdjf;asdkhjgjdrttjfgdfsrgffdgsfgjfgsdff;asldkfj;sldlkf;a= ]

My guess is that that is exactly how it works.
legendary
Activity: 4270
Merit: 4534
May 07, 2014, 08:08:47 PM
#5
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.
+1

exactly. you can create a bitcoin address (pub and priv keypair) that you will never use for actual funds, but used just for 2factor access and other login pages

imagine my username was linked with an address 1frankyBlatBlahBlah. i can then log in by not only using a privkey, which has risks the website will keep that to then use on other services (risky), BUT by SIGNING a message using my privkey and only sending the encrypted signature

EG
Code:
USERNAME [ franky1 ]
using your registered address to sign the MESSAGE and paste the signature below
MESSAGE [ franky1 wishes to log into this zone at 01:06AM on the 8th of May G0b3ldiG00p ]
Signature [ sflskdjflaskj;laskjf;aslkdfj;slkdjf;asdkhjgjdrttjfgdfsrgffdgsfgjfgsdff;asldkfj;sldlkf;a= ]
full member
Activity: 222
Merit: 102
May 07, 2014, 07:57:07 PM
#4
I don't understand the point of this at all when it takes all of 1 minute to create a blockchain account which you can use solely for identification purposes if you wish. Unless I am missing something here.