Log in to Tardigrade with wallet address

Hi!

As a Tardigrade customer, I’m thinking it would be very nice to be able to log in to Tardigrade satellites with an Ethereum address.
It would still be possible to log in with your email address. Ethereum address login would be just another way to log in.

With this login method, it would also be a nice way to allow the customer to spend the STORJ he has on his wallet address.

What do you think?

Login with email & password is very common. It’s the standard so adding this method IMO is not worth the sprint.

This is already possible without the need to use ETH address as your credential. Also you get 10% bonus 🙂

1 Like

It’s not so common for Blockchain / Decentralized applications.

Yes, but it requires sending your STORJ, which requires transaction fees.

I am definitely in support of this idea.

Connecting a metamask wallet would easily allow for payment as well as prevent username/password rainbow attacks and/or poor password storage or salting in the web server’s database.

2 Likes

Indeed, I didn’t think about security aspects but it’s also a good point! Thanks

So for a login I only need to know your wallet address? Really? Or are you willing to give away your private key?

As long as it is your private key you will have to pay the transaction fees anyway. Sure you could give storj your private key and let them execute the transaction but it would still be you that has to pay the fee.

1 Like

No private key exchange is needed.

An Ethereum wallet address is generated from the public key… so no public key is needed to be stored either.

The authentication mechanism is generally the following:

  1. Web site generates a random nonce.
  2. Metamask wallet user signs nonce and returns signed nonce.
  3. User Wallet address is authenticated.

There are js libraries that already handle the entire process.

2 Likes

I think connecting through Metamask is secure. You would need to unlock your wallet in order to be logged in to the Tardigrade satellite WebGUI. You don’t have to give your private key to anyone. It works exactly the same way for a lot of decentralized applications (such as Uniswap).

But then you could also generate a seed or a hardware wallet as login password. It would give you the same security and protection against rainbow attacks. You don’t need to login with a wallet. You can have the same security right now.

No.

The authentication mechanism requires a new nonce and new signature with each login. The only individual who can create the signature is the wallet user. If the web site DB is popped, the attacker only gets wallet addresses or hashes of wallet addresses… which are useless without the private keys… which never leave the authenticated user’s wallet.

This process is similar to ssh public key auth.

Here’s a decent randomly found write up:

https://www.spiderposts.com/2019/09/10/one-click-login-with-blockchain-a-metamask-tutorial/

It’s very different than using a username/password database for authentication. The server doesn’t store anything that’s useful to an attacker. However, if a user loses their wallet somehow, the website has no method to retrieve the account. So, some websites offer both methods of authentication.

2 Likes
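The three-step nonce flow and the "new nonce and new signature with each login" property described in the posts above, as an added example that is not code from this thread or from Storj. It assumes stand-ins so it runs with Node's built-in crypto only: SHA-256 in place of Keccak-256, `crypto.sign` in place of MetaMask's signing call, and the client presenting its public key where Ethereum would recover it from the signature; all function names and `example.test` are hypothetical.

```javascript
// Added example: nonce challenge-response login with a wallet-style key pair.
// Stand-ins (assumptions): SHA-256 for Keccak-256, Node crypto.sign for the wallet.
const nodeCrypto = require('crypto');

const NONCE_TTL_MS = 5 * 60 * 1000;  // assumed challenge lifetime
const pending = new Map();           // address -> { message, expires }; no secrets stored

// Stand-in address: last 20 bytes of SHA-256 over the DER-encoded public key.
function addressOf(publicKeyPem) {
  const der = nodeCrypto.createPublicKey(publicKeyPem).export({ type: 'spki', format: 'der' });
  return '0x' + nodeCrypto.createHash('sha256').update(der).digest().subarray(12).toString('hex');
}

// Constructed client-side wallet; the private key is never passed to a server function.
function newWallet() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  return { privateKey, publicKeyPem, address: addressOf(publicKeyPem) };
}

// Step 1 (server): issue a fresh random nonce bound to one address.
function issueChallenge(address, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(32).toString('hex');
  const message = `Sign in to example.test\naddress: ${address}\nnonce: ${nonce}`;
  pending.set(address, { message, expires: now + NONCE_TTL_MS });
  return message;
}

// Step 2 (client): the wallet signs the challenge locally.
function walletSign(wallet, message) {
  return nodeCrypto.sign('sha256', Buffer.from(message), wallet.privateKey).toString('base64');
}

// Step 3 (server): verify against the stored challenge, then discard it.
function verifyLogin(address, signatureB64, publicKeyPem, now = Date.now()) {
  const challenge = pending.get(address);
  pending.delete(address);  // single use: consumed even when verification fails
  if (!challenge || now > challenge.expires) return false;
  if (addressOf(publicKeyPem) !== address) return false;  // presented key must map to the address
  return nodeCrypto.verify('sha256', Buffer.from(challenge.message), publicKeyPem,
                           Buffer.from(signatureB64, 'base64'));
}
```

The server-side state is only the address and a short-lived challenge, so a captured signature cannot be replayed once its nonce has been consumed or has expired.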

The satellite doesn’t store your password. It only stores the hash of it. Just use a random 24 word seed and the attacker will be unable to find it even if you reveal the hash of it.

The hashes are salted. An attacker would not be able to even tell if you are using the same password for several other sites.

I would also add that it is a very convenient way to login since you don’t have to register before using it.
If you have a wallet address, then you are already able to access Tardigrade (and use it if you have enough STORJ).

2 Likes

You would still have to pay first but further up in this thread you didn’t want to pay the fees for that.

I understand.

However, the hash could have collisions … or be incorrectly salted… or be a hash found in a rainbow table.

Login with Metamask prevents all of those possibilities. There is no method to authenticate without control over the wallet’s private keys… which are kept in the user’s wallet and secured locally encrypted with the wallet’s local password.

Yes, you were right about the fees. But I keep thinking it is a nice way to login and it avoids registration process. Even if registration process is easy and quick, it can be a barrier. All Ethereum wallet holders would be able to use Tardigrade, just like that!

I also think this way of login would allow other features such as being able to easily pay in other tokens (even in Ether) by implementing a uniswap feature into Tardigrade. For example, the user pays in Ether and the amount is automatically swapped for STORJ and then sent to Storj Labs. Of course, the fees would be paid by the customer.

No, No and No. You can verify the hashing method we are using. That is the advantage of open source.

Again you can have the requested level of security right now. You just need to choose a secure password. I have generated myself a 500 char password just to see if there is any restriction. It worked just fine and gives me even a higher security than metamask.

Coinpayment could do that right now. This service comes with additional fees that we would like to avoid.

An instant swap function would require significant development and requires integrating with a specific DEX API…

Login with a wallet is something that can be achieved with much less development.

1 Like

Coinpayment requires you to register on this platform, which is another barrier before using the platform…

How would a user get email notifications without registration?

Nope. We need an account to receive a payment but if we would allow you to pay with ETH you could do that with any wallet. You don’t need a coinpayment account.

Same for STORJ payment ofc except that we wouldn’t need to enable the coinpayment exchange for that.