Figuring out how to verify user identity is a roadblock that contributed to me losing momentum on one of the projects I was working on. I haven't done any security or encryption stuff before so it took me a little bit to wrap my head around it. The last part to click into place for me was that you want freshly-signed transactions based on some information from the server so you can confirm the user is trying to do the thing right now, like with your random bytes. Since people don't need to keep their old signed transactions private seeing an old signature or a signature on some unrelated transaction doesn't prove the person you're talking to has the key, only a freshly signed transaction with contents specific to the present moment does that. Unfortunately my motivation for the project got too low before I figured that part out so my progress stalled.