SteemLogin - a new and easy way to sign in to Steem!

in #utopian-io, 6 years ago

Repository

https://www.github.com/irelandscape/steemlogin

Introduction

SteemLogin is a brand new application providing the easiest way to login to the Steem blockchain using mainstream authentication providers such as Google and Facebook.

By adopting SteemLogin, Steem application users will never again need to enter their 50 character posting key to contribute and upvote content on the Steem blockchain.

Interested? Then read on!

What is SteemLogin?

SteemLogin Overview

We are delighted to present you SteemLogin, a brand new application easing the process of authenticating users with the Steem blockchain.

By adopting SteemLogin, Steem app developers enable their users to sign in using their Google, Facebook, Twitter or GitHub account!

More precisely, SteemLogin allows users to store once and for all their Steem username and private posting key on a secure Cloud Firestore database, a solution provided by Google aiming to eliminate the need for application providers to host, scale and secure their own backend database.

Once stored, the Steem username and posting key information is sent securely over HTTPS to the application upon successful authentication with the aforementioned providers.

This process will work across any Steem app enabled with SteemLogin and across any device!

Why use SteemLogin?

A posting key looks like this:

5K7dsflOerj8324lfsdf0lfsKDFSL0284kF9KFWl85skdfk37ks

This is a 50-character hash which is impossible to memorize and difficult to enter without making mistakes.

(Image) You seriously expect me to type this in?!? (credit: Pixabay)

While such passwords are very awkward to type in on a PC/laptop, the task becomes even more painful when using handheld devices.

In our opinion this is one of the main barriers standing in the way of wide adoption of Steem applications!

In this day and age people have come to expect being able to login to most applications using mainstream content providers and social networks.

This is the user experience that SteemLogin will provide to your Steem apps!

How secure is SteemLogin?

We take the safeguarding of Steem users' personal data very seriously.

(Image, credit: Pixabay)

SteemLogin will only store a user's posting key and username, and will prevent anybody from inadvertently supplying more sensitive keys such as the active key and owner key.

What is the posting key for?
The posting key can only be used for posting, editing and upvoting content on the Steem blockchain, which is what most people do during their day to day use of Steem applications.

In particular, the posting key does not allow financial transactions to be performed, nor does it permit updating personal information.

Yet, SteemLogin treats the handling of the posting key with the utmost care.

Specifically:

  1. All information exchanged with external Steem applications and authentication providers is transferred encrypted over HTTPS.
  2. Users' Steem usernames and posting keys are stored in a hosted Cloud Firestore database with security rules preventing users from accessing other users' data. These security rules are a core and unique feature provided by Firebase which makes this solution particularly suited to SteemLogin.

     "With our declarative security language, you can restrict data access based on user identity data, pattern matching on your data, and more. Cloud Firestore also integrates with Firebase Authentication to give you simple and intuitive user authentication."

     (From the Firestore information page)

  3. SteemLogin follows OAuth2 design principles and does not return tokens and keys directly to the client in a way that would leave traces in the user's browser history.
  4. SteemLogin verifies that the user does not accidentally store any Steem key other than the posting key. Owner keys, master keys, passwords and similar sensitive material cannot be stored in the database.
  5. SteemLogin is open source. The code can be downloaded and analyzed by anybody from our GitHub repository.

Why not use Steemconnect?

While Steemconnect has been the de facto application allowing users to authenticate with the Steem blockchain, it still does not prevent users from having to input their active key within each application and each device.

In our opinion the complexity of entering a 50-character key on a mobile device to access the Steem blockchain eliminates any chance of massive adoption of Steem applications.

Furthermore, current Steem login mechanisms provide zero integration with mainstream social networks and content providers, such as Facebook and Google.

SteemLogin addresses all of the above issues.

Once the posting key has been entered by the user, it will never need to be supplied ever again across any supported application and any device!

SteemLogin provides a familiar user experience

Authentication Providers
With SteemLogin, users are invited to authenticate in a manner that is very familiar to most.

Simply select your authentication provider of choice and authorize SteemLogin to access your basic profile information.

In this day and age this is the most common way to authenticate yourself with most online applications!

Enable your app with SteemLogin in 3 easy steps!

Steemlogin is free and easy to integrate within your app:

  1. Add a "login" link to your app which points to the SteemLogin authentication URL (https://auth.steemlogin.net).
  2. Serve your own authentication success/failure URLs. Users will be redirected to these URLs upon completing the authentication procedure with their authentication provider of choice.
  3. Securely retrieve the Steem username and posting key from SteemLogin by issuing a GET HTTPS request with the supplied unique authorization code.

The steps above and more are explained in detail on the developers page of our website.

Which applications currently support SteemLogin?

StemQ - a Q&A application dedicated to STEM subjects - is currently the only supporting application but other apps are currently in the process of integrating their login process with SteemLogin.

SteemLogin has just been launched and its team is now actively getting in touch with other Steem app owners to get wider acceptance.

Who is behind SteemLogin?

@irelandscape is the project owner and main developer and has been supported by some members of the @steemstem community.

Where can I find more information?

For more information, please check our official website:
https://www.steemlogin.net

We have also set up a Discord server for all suggestions and requests for assistance:
https://discord.gg/YrU9nsX

Looking for a logo!

SteemLogin doesn't have an official logo yet.
One of our first tasks will be to submit a new logo task request for the project.

Please let us know if you are a graphic designer and would like to propose a great artistic concept!

Resources

Series Backlinks

This is the first post in this series.


Thank you for introducing your great project via Utopian. This is a job well done. The other means to log into Steem apps are also cool, but I think this one is a better alternative and would have good impact on Steem apps. I tried it on the StemQ site, and it works pretty well. I hope every good project on the Blockchain adopts this Steemlogin ASAP.

The information is clear. The post is very informative, and the flow-chart describes the process correctly.

Since you need a logo for the project, you could use the Utopian Graphics category to create a TR and get designers to work on your project.

Thank you!

Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.

To view those questions and the relevant answers related to your post, click here.


Need help? Chat with us on Discord.

[utopian-moderator]

Thank you for your review, @tykee! Keep up the good work!

In our opinion the complexity of entering a 50 hexadecimal key on a mobile device to access the Steem blockchain eliminates any chance for massive adoption of Steem applications.

100% agree with this. The other issue is RC's and until we have a RC delegation option this will really limit our potential growth.

Don't forget about instant free account creation via incubation accounts or whatever other means. Once we have that and RC delegation then we're set for mass adoption.

I have slowly started saving up a few accounts to help people I know if needed down the road. If we come up with a fair and free way to give away those accounts to onboard the masses I'll donate them all.

RC market is 100% needed. Rex just launched on EOS and now the price to get resources on EOS got much cheaper and more liquid, Steem should do the same asap.

This needs to be a top priority IMO. Having new people show up and have a bad experience is horrible for us. Satisfied people tell a couple friends, dissatisfied people tell everyone. People just love to complain about things for some reason.

Anything storing your chain passwords is a potential risk of losing everything. If you're going to trust someone to store your data it should be yourself or your browser.

There are two trusted methods right now, steem keychain handshake.

The other method is to compare your private key to public key and on confirmation create a session, then store the posting key in the browser encrypted.

I am not a fan of storing your keys with third parties (even if the data is encrypted). However the risk is minimal since the only key that is stored is the posting key. So no risk of financial loss is at stake. Even if the security layer is compromised you can always change your password and that would be the end of the issue.

Overall it looks like an acceptable solution for normies without putting the wallet at risk or the need to download any additional software.

The posting key can do a lot of damage. Following, upvoting, overwriting all your posts and comments, and resteeming which can't be undone.

Someone can turn your page to garbage with just your posting key. They have the ability to destroy what you have worked hard to build up even if they only get your posting key.

My upvote was $100 once upon a time.
I sure don't want someone steal my posting key if we even get to that price.

People are jumping on every new thing like Drugwars or steem bet and many others.

They can type anything and then you can get a lot of downvotes and in a few hours your reputation could go for a toss

Lol, like steem reputation means anything.

Exactly... with someone's posting key ... one could post something controversial or absurd.
No key should be entered anywhere.
Why can't Steem issue temporary login keys to the user for 3rd party apps that expire after a brief period, maybe via SMS on request, rather than the user giving their Steem keys to a 3rd party?

Cost: Maybe, someone, sometimes, somewhere posts something after hacking for no good reason

Benefit: it's waaaay more convenient and could attract more people

If Benefit >> Cost, we do it

Electricity can kill us, cars as well

Very insecure, not worth it. At least use a system like steemconnect where the user gives the other user authority. Don't give up the private keys.

Steemconnect is already insecure, this is 10x worse. Just look at what happened to utopian when they got hacked.

SteemConnect, you are giving active key = your money is not safe
This Connect, you are giving posting key = your (in most cases) worthless upvote is not safe

SteemConnect, you are giving active key = your money is not safe

That's not correct! You are not "giving" your posting key to SteemConnect. You are using it to allow SteemConnect to update authorities on your account.

Eh, posting keys only, who cares. Steemconnect hardly works. It's buggy on every site that uses it. (See continuous login errors on drugwars due to expired credentials).

Maybe the devs could make that one better :)

The utopian hack caused everyone who used utopian to downvote some posts, making their rewards almost go to zero. Posting keys of tons of people at once has a large power.

If you use the account authority system, like utopian did, everyone could just remove authorization from the @utopian.app account and go back to their daily activities. If you give your key, you must now change it.

I think for the masses, ease of use is more important than security. Yeah if there is issues you gotta change your key. A small price to pay for ease of access for most people.

Can't lose money from a posting key really (other than wasted potential from misused votes). Meh.

Well, then at least use the system steemconnect uses, delegated authority. Don't directly store keys...

Steemconnect sucks

Agreed, but less than this service. Why, in your opinion, is storing actual keys on a server better than delegating authority to their account (@steemlogin)

You can lose a lot.
What if someone starts downvoting Bernie with your account?

You apologize to him, change your posting key, and move on. He's not going to punish someone who isn't actually at fault. There's no way, he goes after self-righteous assholes and scammers, not people who made an accident and are sorry.

Well, @steemlogin ...

"... to store once and for all their Steem username and private posting key on a secure Cloud Firestore database, a solution provided by Google ..."

[emphasis mine]

... this is concerning for me. "Secure" and "Google" in the same sentence? Hmmm ... You presumably have far more faith in the altruistic intent of this global giant than I do ...

Well, at least Google is accountable to the security of their customers data. Their business model relies in large part to the trust of their customers.
Would you trust me better for storing your details on my own server?
Do you think your Steem details are safer on a Steem node managed by an individual?

Posted using Partiko Android

You and I most likely come from very different philosophical perspectives @irelandscape, if you believe this …

”… at least Google is accountable to the security of their customers data.”

… as I do not. If the American government can’t hold Google accountable, I personally have no thought you or I or anyone else will … I personally want to be free of these “global giants,” e.g. Google, Facebook, etc., as much as I can manage. Which is a significant part of why I elected to invest in this new asset class and its “decentralized blockchains” in the first place.

That said, rest assured I am almost certainly in the minority in this view. Most of our fellow countrymen will likely not give any of this a second thought … For what it is worth, on that basis I have featured SteemLogin in the 👍 section of my monthly update …

I feel for those with small accounts that want access to the dApps this is a great solution. Not sure an account with a real upvote should risk their reputation of having their keys stored anywhere. But as the masses that will come will mainly be free accounts with very limited SP this is a great gateway to the crypto world IMO.

Looks awesome! I have been waiting for something like this since the day I started on Steem. Great to see this implemented by the community.

The security aspect of this demands more scrutiny though

Hi @wehmoen, see my comment above and reply on Discord.
Cheers.

I mentored some friends to help them use some Steem Dapps and I personally experienced that the biggest problem was the input of the private key.

So, this is a Great Usability Enhancement! 👏

Resteemed and followed with joy!

A huge hug from @amico! 🤗

This is super amazing! Steemconnect is a great interface but I have been a victim of not been able to login to a dApp a few times because I have to use my keys to authorize a new login through steemconnect and I happened to be on mobile at the time, where I don't save my keys.

I think this dApp provides more flexibility. Thumbs up!

Posted using Partiko Android

image.png

Yes, there is an issue reported about this.
This cryptic error message will appear if you try to access the auth.steemlogin.net URL within a browser without specifying any app.
The error message should be clearer.

This is awesome! We want to integrate something just like this in @travelfeed.

Excellent, please get in touch on our Discord server and we'll support you with the technical aspects.

Hi @steemlogin!

Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your post is eligible for our upvote, thanks to our collaboration with @utopian-io!
Feel free to join our @steem-ua Discord server

I just love the way you keep innovating. Have resteemed. Appreciate alternatives that help to ensure the community will have a future. I'll try to work my way through the weeds and use this new option.
Keep working :)

If this post doesn't become No1 on Trending, people are blind

It won't. Because it's not made by some people's buddies.

Oh no, there is nepotism on Stem(it)? You bigot... :D

What is the difference between using steemlogin and the Dapp storing the keys into Firestore themselves?

The success/failure URL is exposed to the public, what is the process for the dApp success/failure script to validate the code being received is really coming from steemlogin and not some spoofed data?

I have been very busy those days so that steemsteem.io is not using it at the moment. But this is the item #1 on the to-do list! :)

Wait what?! This is HUGE! Resteeming for more visibility. ‘Onboarding normies’, anyone?

Posted using Partiko iOS

haha i'm still like wait, what?

Right? One day you’re dreaming of it, the next day someone made it :D #allthefreakingtalent

Posted using Partiko iOS

Sorry to say @soyrosa, but IMHO the only HUGE thing in this is the complete lack of information about the potential risk of storing one's keys at a third party.

This is really a false good idea and I would never trust/use such product.

You wouldn't, but a 'normie' wouldn't use Keychain because the idea of installing some sort of plug-in just to use some app is still far away for many I believe :D So my question to you is: is there a way in which we can make 'easy'/normie log-in that in your eyes is safer than steemlogin? Or... Is informing the most important thing here? I'm here to learn and read what others think, would love to read your input!

I personally love Keychain and find it really easy to use, both as a user and as a developer.

I moved away from steemit.com to steempeak.com because they are using it.
It's now so easy to switch from one account to another or to perform transactions where my active key is required.
That's why I decided to implement it on SteemReply.
The only drawback of Keychain is that it is an add-on which cannot be installed on mobile browsers 😢

We are on a blockchain where the "keys" concept should be understood by users, even newbies/normies.
On top of "logging in" on the various front-ends/apps, there is money involved.
I audited SteemLogin code and website and I am totally scared of what I saw (I will post about it) and I won't like the way @irelandscape tend to minimize the role of the posting key. Read all the comments on this post, they are very informative.

You are right, we need something easy and universal for users to authenticate, but not at the expense of security.

I look forward to your analysis.

Posted using Partiko Android

Yes, I love KeyChain - and you're right that 'ease of use' might not be as important as 'using well'. I'm going to wait for your article :-)

Woow. Great idea! Tools like this are what can push STEEM light years ahead of the other blockchains when it comes to mainstreaming crypto

Posted using Partiko Android

A really good project.
I will be willing to contribute to the project with a logo to enable the development of this project.
Regards!
@adewararilwan

Great, feel free to DM me on Discord with any idea. :-)

This is awesome.
Just what steem needs.
I have felt for ages that the login process has been one of the things discouraging mass adoption.

Great job!

Have an awesome day!

Posted using Partiko iOS

Very much needed service, thanks for delivering it to the community!

Most welcome. Thanks for taking the time to read.

Posted using Partiko Android

Seems interesting. What are pros / cons compared with Keychain?

keychain is on your browser and you're responsible for your security.
Also, any browsers based on chrome can use the plugins as well.

If steemlogin is hacked everyone's keys are getting stolen.

There is no 100% secure solution to provide convenience to end users.
I chose what I think is the best tool to store posting keys.
It would require Firebase servers to get hacked for keys to leak.
They build their reputation on the security of their customers data. And they are accountable.
I trust them probably more than I trust Steem Inc to secure much more sensitive information than the posting key.

Posted using Partiko Android

Um, they did attempt this. It ended badly if I remember correctly. Which is why your details are stored in your browser encrypted now.

It's been 3 years and people don't think this idea has been thought of. There's kind of a reason why. There is a reason why meta mask has taken over blockchain technology. Companies who store keys can be responsible for losing thousands if not millions of users data.

If a user gets hacked they only lose their keys not everyone else's. And Google is supposed to be trusted, but the government and other high end hosting solutions of peoples data get hacked constantly. Just because they're a big name and are known to be trustworthy don't make them hack-proof.

Also, it's not if they can break in, these days it's when.

This is what can happen if your posting key is stolen which is just as bad as someone getting your posting key.

Damage that can be done with just the posting key

The posting key can do a lot of damage. Following, upvoting, overwriting all your posts and comments, and resteeming which can't be undone.

Someone can turn your page to garbage with just your posting key. They have the ability to destroy what you have worked hard to build up even if they only get your posting key.

Again, all of your keys can in principle be stolen from Steem nodes.
I am not claiming that Firebase will never be hacked.
I am offering a convenient way for people to use Steem apps without entering a 50 character hash.
This comes with a certain risk. It's unavoidable.

Of course I was expecting this type of reaction from some users.
In my mind this is the price to pay if we really want wide adoption of Steem apps.

You don't need to enter a 50 char hash, you can use a QR scanner on the app or copy/paste using mobile LastPass.

On desktop or mac you can use lastpass.

What percentage of users would do that do you think?
How would you scan a QR code when using your mobile on the bus?
Many developers have given up on Steem because of the difficulty for potential users to login.
I can live with the risk. I'm sure others can.

Posted using Partiko Android

Hi @jacekw,
I haven't really used Keychain which seems like a great project but I guess the main difference is that SteemLogin doesn't require a specific browser with a particular extension installed.
It will work with any browser, any device and without any supporting extension.
Cheers.

Being a phone only user this is amazing news, steemconnect bugs sometimes n somehow keychain is a no go on my phone. Looking forward to trying out the app and expecting great things!

Posted using Partiko Android

This is awesome! So I think being able to have a custom passcode for users but still being able to secure the keys would be a huge thing, but also being able to use the other, already existing accounts will really help adoption!

Posted using Partiko iOS

Encrypting the posting keys was one of the first possibilities considered.
But of course it involves yet another password from the user which goes against the idea to make the login process really simple.
Having said that, it could be added as an option to users in the future if it turns out to be a much desired feature.

This post has been included in the latest edition of The Steem News in 10 posts - a compilation of the key news stories on the Steem blockchain.

One more step towards mass adoption. It's coming somewhere, might as well be here.

Posted using Partiko Android

Good news :) I AM a graphic designer and I would like to propose artistic concept :) What I have to do?

Posted using Partiko Android

Hi @eugelys, the best is probably to DM me (irelandscape) on Discord if that suits.
Cheers.

Magic Dice has rewarded your post with a 1% upvote. Thanks for playing Magic Dice.

You have received an upvote. Thanks for playing moonSTEEM

Congratulations @steemlogin! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :

You published your First Post
You got a First Vote
You received more than 10 upvotes. Your next target is to reach 50 upvotes.

You can view your badges on your Steem Board and compare to others on the Steem Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP

Vote for @Steemitboard as a witness to get one more award and increased upvotes!

good job!

Hi, any plans for Ledger Nano S support?

No, not at present. Sorry.

thanks for upvoting my last post!!!

Congratulations @steemlogin!
Your post was mentioned in the Steem Hit Parade in the following category:

  • Comments - Ranked 2 with 76 comments

Very very very gooooood!!! 👍👍awesome!

Posted using Partiko Android

Hey, @steemlogin!

Thanks for contributing on Utopian.
We’re already looking forward to your next contribution!

Get higher incentives and support Utopian.io!
Simply set @utopian.pay as a 5% (or higher) payout beneficiary on your contribution post (via SteemPlus or Steeditor).

Want to chat? Join us on Discord https://discord.gg/h52nFrV.

Vote for Utopian Witness!

If a Google service becomes a "bottleneck" in logistics, how is it a decentralized solution in the end?

All of it boils down to people's inability to handle their passwords in a responsible way.

Admittedly, keys are impractical, but are also free of any other service. (aside of witnesses, but that's OK)

Almost all current apps rely on steemconnect as of today.
And yes, people don't want to manage yet another set of passwords in a responsible way.

Almost all current apps rely on steemconnect as of today.

Steemconnect is less of a bottleneck.

And yes, people don't want to manage yet another set of passwords in a responsible way.

And it should make you worry.

For this issue, the solution is long-term: providing an ecosystem that's worth all the effort with those passwords, and stuff.

Not the elimination of the fine-tuned security measures of the project.

Congratulations @steemlogin! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 1 year!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Do not miss the last post from @steemitboard:

Use your witness votes and get the Community Badge
Vote for @Steemitboard as a witness to get one more award and increased upvotes!