SteemLogin - a new and easy way to sign in to Steem!

in #utopian-io5 years ago

Repository

https://www.github.com/irelandscape/steemlogin

Introduction

SteemLogin is a brand new application providing the easiest way to login to the Steem blockchain using mainstream authentication providers such as Google and Facebook.

By adopting SteemLogin, Steem application users will never need ever again to enter their 50 character posting key to contribute and upvote content on the Steem blockchain.

Interested? Then read on!

What is SteemLogin?

SteemLogin Overview

We are delighted to present you SteemLogin, a brand new application easing the process of authenticating users with the Steem blockchain.

By adopting SteemLogin, Steem app developers enable their users to sign in using their Google, Facebook, Twitter or GitHub account!

More precisely, SteemLogin allows users to store once and for all their Steem username and private posting key on a secure Cloud Firestore database, a solution provided by Google aiming to eliminate the need for application providers to host, scale and secure their own backend database.

Once stored, the Steem username and posting key information is sent securely over HTTPS to the application upon successful authentication with the aforementioned providers.

This process will work across any Steem app enabled with SteemLogin and across any device!

Why use SteemLogin?

A posting key looks like this:

5K7dsflOerj8324lfsdf0lfsKDFSL0284kF9KFWl85skdfk37ks

This is a 50 character hash which is impossible to memorize and difficult to enter without making any mistakes.

upset-3079062-640.jpg
You seriously expect me to type this in?!? (credit: Pixabay)

While such passwords are very awkward to type in on a PC/laptop, the task becomes even more painful when using handheld devices.

In our opinion this is one of the main barriers standing in the way for wide adoption of Steem applications!

In this day and age people have come to expect being able to login to most applications using mainstream content providers and social networks.

This is the user experience that SteemLogin will provide to your Steem apps!

How secure is SteemLogin?

We take the safeguard of Steem users personal data very seriously.

cyber-security-2296269-640.jpg
credit: Pixabay

SteemLogin will only store a user's posting key and username and will prevent anybody from inadvertently supply more sensitive keys such as the active key and owner key.

What is the posting key for?
The posting key can only be used for posting, editing and upvoting content on the Steem blockchain, which is what most people do during their day to day use of Steem applications.

In particular, the posting key does not allow financial transactions to be performed, nor does it permit to update personal information.

Yet, SteemLogin treats the handling of the posting key with the upmost care.

Specifically:

  1. All information exchanged with external Steem applications and authentication providers are transferred encrypted over HTTTPS.
  2. Users' Steem usernames and posting keys are stored in a hosted Cloud Firestore database with security rules preventing users from accessing other users' data. These security rules are a core and unique feature provided by Firebase which makes this solution particularly suited to SteemLogin.

With our declarative security language, you can restrict data access based on user identity data, pattern matching on your data, and more. Cloud Firestore also integrates with Firebase Authentication to give you simple and intuitive user authentication.

From the Firestore information page

  1. SteemLogin follows OAuth2 design principles and does not return directly tokens and keys back to the client in a way that would leave traces within the user browser history.
  2. SteemLogin verifies that the user does not accidentally store any other Steem key than the posting key. Owner keys, master keys, passwords and similar sensitive material cannot be stored within the database.
  3. SteemLogin is open source. The code can be downloaded and analyzed by anybody from our GitHub repository

Why not using Steemconnect?

While Steemconnect has been the de facto application allowing users to authenticate with the Steem blockchain, it still does not prevent users from having to input their active key within each application and each device.

In our opinion the complexity of entering a 50 hexadecimal key on a mobile device to access the Steem blockchain eliminates any chance for massive adoption of Steem applications.

Furthermore, current Steem login mechanisms provide zero integration with mainstream social networks and content providers, such as Facebook and Google.

SteemLogin addresses all of the above issues.

Once the posting key has been entered by the user, it will never need to be supplied ever again across any supported application and any device!

SteemLogin provides a familiar user experience

Authentication Providers
With SteemLogin, users are invited to authenticate in a manner that is very familiar to most.

Simply select your authentication provider of choice and authorize SteemLogin to access your basic profile information.

In this day and age this is the most common way to authenticate yourself with most online applications!

Enable your app with SteemLogin in 3 easy steps!

Steemlogin is free and easy to integrate within your app:

  1. Add a "login" link to your app which points to SteemLogin authentication URL (https://auth.steemlogin.net)
  2. Service your own authentication success/failure URL. Users will be redirected to these URLs upon completing the authentication procedure with their authentication provider of choice.
  3. Retrieve securely the Steem username and posting key from SteemLogin by issuing a GET HTTPs request with the supplied unique authorization code.

These steps above and more are explained in details on our web site developers page.

Which applications currently support SteemLogin?

StemQ - a Q&A application dedicated to STEM subjects - is currently the only supporting application but other apps are currently in the process of integrating their login process with SteemLogin.

SteemLogin has just been launched and its team is now actively getting in touch with other Steem app owners to get wider acceptance.

Who is behind SteemLogin?

@irelandscape is the project owner and main developer and has been supported by some members of the @steemstem community.

Where can I find more information?

For more information, please check our official website:
https://www.steemlogin.net

We have also setup a Discord server for all suggestions and requests for assistance:
https://discord.gg/YrU9nsX

Looking for a logo!

SteemLogin doesn't have an official logo yet.
One of our first tasks will be to submit a new logo task request for the project.

Please let us know if you are a graphic designer and would like to propose a great artistic concept!

Resources

Series Backlinks

This is the first post in this series.

Sort:  

Thank you for introducing your great project via Utopian. This is a job well done. The other means to log into Steem apps are also cool, but I think this one is a better alternative and would have good impact on Steem apps. I tried it on the StemQ site, and it works pretty well. I hope every good project on the Blockchain adopts this Steemlogin ASAP.

The information is clear. The post is very informative, and the flow-chart describes the process correctly.

Since you need a logo for the project, you could use the Utopian Graphics category to create a TR and get designers to work on your project.

Thank you!

Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.

To view those questions and the relevant answers related to your post, click here.


Need help? Chat with us on Discord.

[utopian-moderator]

Thank you for your review, @tykee! Keep up the good work!

In our opinion the complexity of entering a 50 hexadecimal key on a mobile device to access the Steem blockchain eliminates any chance for massive adoption of Steem applications.

100% agree with this. The other issue is RC's and until we have a RC delegation option this will really limit our potential growth.

Don't forget about instant free account creation via incubation accounts or whatever other means. Once we have that and RC delegation then we're set for mass adoption.

I have slowly started saving up a few accounts to help people I know if needed down the road. If we come up with a fair and free way to give away those accounts to onboard the masses I'll donate them all.

RC market is 100% needed. Rex just launched on EOS and now the price to get resources on EOS got much cheaper and more liquid, Steem should do the same asap.

This needs to be a top priority IMO. Having new people show up and have a bad experience is horrible for us. Satisfied people tell a couple friends, dissatisfied people tell everyone. People just love to complain about things for some reason.

Anything storing your chain passwords is a potential risk of losing everything. If you're going to trust someone to store your data it should be yourself or your browser.

There are two trusted methods right now, steem keychain handshake.

The other method is to compare your private key to public key and on confirmation create a session, then store the posting key in the browser encrypted.

I am not a fan of storing your keys with third parties (even if the data is encrypted). However the risk is minimal since the only key that is stored is the posting key. So no risk of financial loss is at stake. Even if the security layer is compromised you can always change your password and that would be the end of the issue.

Overall it looks like an acceptable solution for normies without puting the wallet at risk or the need to download any additional software.

The posting key can do a lot of damage. Following, upvoting, overwriting all your posts and comments, and resteeming which can't be undone.

Someone can turn your page to garbage with just your posting key. They have the ability to destroy what you have worked hard to build up even if they only get your posting key.

My upvote was $100 once upon a time.
I sure don't want someone steal my posting key if we even get to that price.

People are jumping on every new thing like Drugwars or steem bet and many others.

They can type anything and then you can get a lot of downvotes and in a few hours your reputation could go for a toss

Lol, like steem reputation means anything.

Exactly... with someone's posting key ... one could post something controvertial or absurd.
No key should be entered anywhere.
Why cant steem issue temporary login keys to the user for 3rd party apps that expire after a brief period maybe via sms on request, rather than user giving their steem keys to 3rd party.

Cost: Maybe, someone, sometimes, somewhere posts something after hacking for no good reason

Benefit: it's waaaay more convenient and could attract more people

If Benefit >> Cost, we do it

Electricity can kill us, cars as well

Very insecure, not worth it. At least use a system like steemconnect where the user gives the other user authority. Don't give up the private keys.

Steemconnect is already insecure, this is 10x worse. Just look at what happened to utopian when they got hacked.

SteemConnect, you are giving active key = your money is not safe
This Connect, you are giving posting key = your (in most cases) worthless upvote is not safe

Eh, posting keys only, who cares. Steemconnect hardly works. It's buggy on every site that uses it. (See continuous login errors on drugwars due to expired credentials).

Maybe the devs could make that one better :)

The utopian hack caused everyone who used utopian to downvote some posts, making their rewards almost go to zero. Posting keys of tons of people at once has a large power.

If you use the account authority system, like utopian did, everyone could just remove authorization from the @utopian.app account and go back to their daily activities. If you give your key, you must now change it.

I think for the masses, ease of use is more important than security. Yeah if there is issues you gotta change your key. A small price to pay for ease of access for most people.

Can't lose money from a posting key really (other than wasted potential from misused votes). Meh.

Well, then at least use the system steemconnect uses, delegated authority. Don't directly store keys...

Steemconnect sucks

Agreed, but less than this service. Why, in your opinion, is storing actual keys on a server better than delegating authority to their account (@steemlogin)

Easier for normal users. Plus I believe irelandscape can make something that actually works. I've had enough experience using steemconnect to interface with various apps to conclude that it makes the user experience bad.

Not everyone cares as much about security as you (gosh most non crypto applications are as secure as steemlogin or much worse). So it's in keeping with the standard.

You can lose a lot.
What if someone stars downvoting Bernie with your account?

You apologize to him, change your posting key, and move on. He's not going to punish someone who isn't actually at fault. There's no way, he goes after self-righteous assholes and scammers, not people who made an accident and are sorry.

Well, @steemlogin ...

"... to store once and for all their Steem username and private posting key on a secure Cloud Firestore database, a solution provided by Google ..."

[emphasis mine]

... this is concerning for me. "Secure" and "Google" in the same sentence? Hmmm ... You presumably have far more faith in the altruistic intent of this global giant than I do ...

Well, at least Google is accountable to the security of their customers data. Their business model relies in large part to the trust of their customers.
Would you trust me better for storing your details on my own server?
Do you think your Steem details are safer on a Steem node managed by an individual?

Posted using Partiko Android

You and I most likely come from very different philosophical perspectives @irelandscape, if you believe this …

”… at least Google is accountable to the security of their customers data.”

… as I do not. If the American government can’t hold Google accountable, I personally have no thought you or I or anyone else will … I personally want to be free of these “global giants,” e.g. Google, Facebook, etc., as much as I can manage. Which is a significant part of why I elected to invest in this new asset class and its “decentralized blockchains” in the first place.

That said, rest assured I am almost certainly in the minority in this view. Most of our fellow countrymen will likely not give any of this a second thought … For what it is worth, on that basis I have featured SteemLogin in the 👍 section of my monthly update …

I feel for those with small accounts that want access to the dApps this is a great solution. Not sure an account with a real upvote should risk their reputation of having their keys stored anywhere. But as the masses that will come will mainly be free accounts with very limited SP this is a great gateway to the crypto world IMO.

Looks awesome! I have been waiting for something like this since the day I started on Steem. Great to see this implemented by the community.

The security aspect of this demands more scrutiny though

Hi @wehmoen, see my comment above and reply on Discord.
Cheers.

I mentored some friends to help them using some Steem Dapps and I personally experienced that the biggest broblem was the input of the private key.

So, this is a Great Usability Enhancement! 👏

Resteemed and followed with joy!

A huge hug from @amico! 🤗

This is super amazing! Steemconnect is a great interface but I have been a victim of not been able to login to a dApp a few times because I have to use my keys to authorize a new login through steemconnect and I happened to be on mobile at the time, where I don't save my keys.

I think this dApp provides more flexibility. Thumbs up!

Posted using Partiko Android

image.png

Yes, there is an issue reported about this.
This cryptic error message will appear if you try to access the auth.steemlogin.net URL within a browser without specifying any app.
The error message should be clearer.

Coin Marketplace

STEEM 0.30
TRX 0.11
JST 0.033
BTC 64223.84
ETH 3158.34
USDT 1.00
SBD 4.29