Sites, Security, Accounts and Authentication

Accounts

The Users plugin helps people authenticate with a website. It understands that people may have accounts at many different websites, and would prefer to seamlessly work across them. At the same time, users don’t necessarily want multiple companies to track their activity across websites, and compare notes. Qbix designed an innovative solution that helps enables social, personalized, and yet private, experiences across websites. Here’s how it works:

WebAuthn and Authentication

The set of things the user trusts with their identity is called the Trusted Computing Base, and for accessing web sites this usually includes the hardware, the operating system and the browser. Watch out, for example, when using a public computer: there may be a keylogger or a camera watching what you type. This is why authenticating on other people’s computers can instead be done by scanning QR codes or NFC tags with your trusted devices, instead.

WebAuthn is a standard for generating credentials consisting of public-private key pairs, and using them to sign into different websites. It even supports attestation, which can help limit the number of spam accounts that sign up because each account would need an official device from a trusted manufacturer such as an iPhone or Android. Here is information on how it works.. WebAuthn has the advantage that credential management is then delegated to the operating system and browser vendors.

Signing Payloads and Authorizing Transactions

Can WebAuthn be used to sign various payloads for actions the user may want to take, such as web requests? One the one hand, WebAuth usually brings up an interactive flow that requires the user to scan their face or finger using their trusted device (biometrics) every time something is to be signed. Thus, it can be used to authorize significant actions, such as voting or sending a bunch of money. However, WebAuthn doesn’t, however, currently mandate the devices to clearly show you what you’re signing, so it’s not very useful in that regard by itself.

Instead, users are better off installing a browser extension from a trusted vendor (such as MetaMask) and relying on that extension to show them what they’re signing in a clear manner, rather than an obscure string of text. (See, for example, EIP 712 in the Ethereum ecosystem.)

The whole thing can be done without WebAuthn. The new Crypto.subtle API allows browsers to create non-extractable private keys which cannot be exported, making them safe from a whole range of attacks which plague, for example, Bitcoin and Ethereum wallets. (The unfortunate design decision to allow users to export private keys or seed phrases led to a lot of phishing, which is responsible for the vast majority of cases where an address with a lot of assets got “hacked”).

The corresponding public key, on the other hand, can be sent anywhere. It can accompany any payload, such as a request sent to a web server, which can then verify the signature using the public key. (Incidentially, this is also what Web3 nodes do when they process signed transactions.) Since the public key is revealed to everyone, it would be better to tie it to user sessions instead of the user themselves. Each device and session would have a unique public key, and the user would simply manage them all in their trusted credential manager or browser extension.

Qbix’s Users plugin already handles all this for you:

  • Generating public keys
  • Saving them in the server session
  • Installing a Service Worker to sign requests to the server
  • Validating these requests on the server using the public key in the session
  • Managing “cookies” in environments where third party cookies are blocked
  • Helping the user to view and manage their sessions
  • Helping the user to view and manage devices to deliver push notifications

The user interface is standardized across all sites, too:

A third way to register a user would be through enabling Push Notifications through the Web Push protocol. A user who enables notifications doesn’t need to enter their email address or mobile number, because vendors such as Apple and Google offer to send push notifications to their browser. Apple plans to enable Push Notifications for iOS Safari in 2023, and Qbix will update our Users plugin to work with that. As usual, we can keep improving our standardized implementations so you can focus on building your app, instead.

Related Articles

https://community.qbix.com/t/site-security-and-cookies

https://community.qbix.com/t/caching-and-sessions

We need to make sure this kind of stuff doesn’t happen: