
Bitshares Login - jarsin
http://bytemaster.bitshares.org/article/2014/12/22/BitShares-Login/
======
javajosh
So it's like "Login with Facebook" but it redirects you to a local
application, which then writes to a shared data-structure (a blockchain) which
the target website reads from.

This sounds amazing and useful to me, but even if it all works perfectly, I do
have one serious concern: if you forget the passphrase to your private key,
your online identity is owned by _nobody_. That is a very scary prospect!

(Also, from a usability/understandability perspective, I think there might be
a better, if less secure alternative to the blockchain, something like an
encrypted twitter that transacting parties "listen to" for the duration of
their transaction.)

(Something I've been thinking about is an ultra-secure private key backup
protocol/device to address this concern. So far, the best I can come up with
is an (instant) photograph of a screen showing a textual representation of the
key.)

~~~
deweller
Yes. This is a tradeoff of privacy vs recoverability. The best security means I
am completely responsible for my own private keys (or passwords). But if I
lose them, no one can reset my password for me.

Ultimately, though, I think we are heading toward separating the ownership of
the identity and the backup of the identity. I am ok with owning and backing
up my own identity. But maybe my dad feels more comfortable with some 3rd
party having a backup for him. In that case he can use someone else to be a
trusted backup for him.

Right now, if I want to login to Facebook, then Facebook both serves as my
identity owner and my identity backup (e.g. "forgot your password?"). I might
be ok with Facebook being a backup provider, but I don't want them to be my
identity owner.

~~~
javajosh
I'm not sure I understand the distinction between identity owner and identity
backup provider. Possession of an unencrypted private key _is_ ownership, in
my understanding. To wit, FB might be under some contractual constraint on
using that data, but what if they broke that agreement? Would I be able to
prove that it wasn't me using my private key? This opens up a "detection" and
"enforcement" can of worms.

~~~
patcon
I think the assumption is that a backup solution is very, very strongly
encrypted and decrypted on the client side.

------
dsl
Yet another stab at trying to solve identity on the internet. The problem this
will face, just like every other attempt, is that websites want to own their
log in process and associated user records.

The only people that benefit from single sign on are websites that experience
high friction on sign ups. i.e. "oh I need to create an account for _this_?"
and close the browser tab. In which case a Twitter or Facebook button makes a
lot of sense.

I highly encourage anyone looking to build something like this as more than a
fun side project to read up on the fascinating history of Microsoft Passport.

~~~
yRetsyM
Some links for those who wanted to read up on said history:

[http://en.wikipedia.org/wiki/Microsoft_account](http://en.wikipedia.org/wiki/Microsoft_account)
see, especially, the references section:
[http://en.wikipedia.org/wiki/Microsoft_account#References](http://en.wikipedia.org/wiki/Microsoft_account#References)

------
azdle
I don't really understand the benefit of using the blockchain for this. If you're
already depending on an external application, why not do something simpler
with a direct challenge-response like SQRL:
[https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

~~~
juliangregorian
+1 for SQRL. I don't know what it would take to push it over the hump of
adoption, but it is a beautifully simple and secure solution. Don't know why
it doesn't get more attention.

~~~
jerrycabbage
Blockchains make a decentralized service do authentication. Anything that is
centralized is easier to MITM. SQRL may very well have a better user
experience but it doesn't appear to be solving the same problem.

------
cdvonstinkpot
I wonder if it would work when logging in using a machine which doesn't have
the BitShares client installed on it. In my case, I keep BitShares running on
a beefier machine than my desktop, being that it has such a high memory
footprint. My main BitShares account is only on that machine, & I wouldn't be
able to clone it to run in tandem on another machine, AFAIK. I'll have to read
up on this later to see how that would work.

------
ryan-c
A similar project, NameID[1] has been around for a while. The fact that names
on Namecoin expire may make it unsuitable for some applications, though.

1\. [https://nameid.org/](https://nameid.org/)

~~~
higherpurpose
Or OneName: [https://onename.io/](https://onename.io/)

------
etchalon
I think the issue this, and all other identity systems have and will struggle
with, is developer adoption.

As a web developer, I'm not spending time adding this to my site until a
sufficiently high number of users are using it. As it has no value beyond login
itself, users will not adopt it. Because users have not adopted it, there's no
reason for me to implement it. Because I have not implemented it, there's no
reason for users to adopt it. Because…

…you can see the problem.

It's a neat idea, though.

~~~
leepowers
Exactly. Which is why I'm hesitant to adopt it right away. Why develop a
feature that only a tiny fraction of users will use?

Even so, developer adoption can be encouraged by doing most of the work for
the developer: a Rails gem that integrates with Devise; a Symphony component;
a WordPress plugin, etc.

------
orbiter5
...now that makes sense! What is Bitshares?

~~~
tinkerrr
A counter-view to just how awesome Bitshares is (I don't fully agree with the
article, and I am not the author):
[http://prestonbyrne.com/2014/08/17/dont-walk-away-run/](http://prestonbyrne.com/2014/08/17/dont-walk-away-run/)

~~~
logic_geek
The article makes a lot of false points but is right in one respect. It would
be a fragile system without a price feed. The price feed is in place now and
it works decently.

~~~
etchalon
What false points do you feel it makes?

~~~
jerrycabbage
It is poorly written emotional FUD spreading. What is a specific strong point
made? It seems more reasonable to work from the other end.

~~~
etchalon
lol. So, you didn't actually read the article? Cool.

