Bitcoin Authenticate

Here is some info about this and what’s going on.


Bitcoin Authentication Open Protocol

Pure Bitcoin sites and applications shouldn’t have to rely on artificial identification methods such as usernames and passwords. BitID is an open protocol allowing simple and secure authentication using public-key cryptography.

Classical password authentication is an insecure process that could be solved with public key cryptography. The problem however is that it theoretically offloads a lot of complexity and responsibility on the user. Managing private keys securely is complex. However this complexity is already being addressed in the Bitcoin ecosystem. So doing public key authentication is practically a free lunch to bitcoiners.

Video demonstration of the user flow :

Slides presentation of the project :

Implementation example (server) :

Implementation example (client) :

The protocol is described on the following BIP draft and is open for discussion :

Some security concers:

Security concerns

BitID offers a secure authentication method :

  • As secure as sending funds through Bitcoin
  • out-of-band, keyless authentication using a smartphone wallet, allowing login through an untrusted computer
  • anti-phishing protection when using a desktop wallet (IP address matching verification)
  • no third party, no external compromission possible, no storage of user sensitive data on the server
  • resistant to arbitrary signature requests: challenges are syntaxically verified by the wallet as valid bitid URIs
  • resistant to brute force or dictionary attacks

However many responsibilities are in the hands of the user :

  • the user must protect his private keys and make backups (this should already be the case)
  • the user must pay attention to the URL shown in authentication requests in order to avoid man-in-the-middle attacks; the out-of-band authentication process does not allow any protection against these attacks.
  • Finally, a major drawback of this protocol is the absence of revocation procedures. If the user loses her private key or if it is compromised, there is no native possibility of revoking the authentication access. The only way to revoke the user’s identity is then to to establish a back-channel communication with the website using email, security questions, or a password.