Hello all!
We have published an RFC (request for comments) for a Nimiq.ID authentication scheme in a new Github repository nimiq/rfcs. To learn how RFCs work, please read the README.
To keep the discussion in one place, please try to comment on the Pull Request in Github if possible, instead of in this forum thread.
Here is an excerpt of the RFC:
Summary
This RFC describes a proposal to use Nimiq’s public-key cryptography for basic identity proofs and authentication of Nimiq Account holders with online services.
Background
A secret seed (a form of a private key) used in the Nimiq cryptocurrency ecosystem is meant to only be known to one person and gives control over all funds that are stored in addresses belonging to its private keys. The blockchain ensures that those funds can only be moved by the rightful owner - the owner of the seed - by signing transactions from those addresses with their respective private keys. Ownership of the keys and thus the seed authenticates the owner.
Similar to transactions, any list of bytes can be cryptographically signed by a private key, proving ownership over that key. This so called “message signing” involves an additional cryptographic hash and a prefix, but it essentially uses the same method as the tamper-proof sending of transactions on the blockchain.
Message signing can therefore be used to authenticate the owner of a private key against online services, which is what we call Nimiq.ID. This authentication system would not store user data on Nimiq servers - instead all identity proof generation happens only in the users’ browser during the authentication-attempt.
Motivation
With most people’s life being increasingly online and using a wide variety of online services, maintaining access to these services often still uses basic username-and-password methods, which are prone to hacks, credential-stealing attacks and phishing. Two-factor-authentication has helped a lot in reducing account-takeovers, and so have password-managers in increasing password security. Additionally, big social networks and software companies such as Facebook, Google, GitHub, LinkedIn, Apple, etc. are offering single-sign-on solutions where people can log into various online services by connecting them with their social account. However, as has become clear in recent years, these social networks and software companies are not so much focused on providing ease-of-use and convenience to their users, but rather on analysing and “data mining” their users’ behaviors to increase their (ad-)revenue.
Nimiq is in the unique position to offer a combination of
- Ease-of-use: Nimiq is browser-first and does not require special software downloads.
- Privacy: Setting up a Nimiq Account does not use any personal data, so no personal data can be shared with any third-party.
- Safety: The private keys are protected by the Nimiq Keyguard and never leave the browser. The Keyguard is architected to only output data that is safe to share publicly.
- Decentralization: Authentication happens in the browser, directly on-device. No Nimiq server is required for using Nimiq.ID.
- Convenience: Logins with Nimiq.ID are essentially a unique address on the Nimiq blockchain and could be used to make payments to and from services, such as exchanges, games, service providers and more.
Last but not least, providing the Nimiq.ID service would increase visibility and awareness for the Nimiq project as a whole.
Read more: https://github.com/nimiq/rfcs/pull/1