Unless if you don’t want to accept Ether
I am pretty sure the service can work without email notifications.
If the user wants to get notified (for payment date, or for other purposes), he would be able to specify his email address (and it could be recommended in his Account page).
It could, but it would be quite reckless to operate without an email address as you would miss out on notifications about payment, downtimes, updates, … And if you enter an email anyway, it doesn’t make much of a difference anymore from normal registration.
I am not sure if that would even work. Are we allowed to delete customer data without sending him a warning? (negative balance) That is what the email address is required for.
Cryptokitties is a decent working example of how all of this works.
The login process is accomplished through the wallet. And users can add Personally Identifiable Information (PII) later, if they so choose. However, there’s still no username/password DB to be cracked, stolen, broken into, or incorrectly utilized… and all payments are processed through the user’s wallet.
This post does not in any way support the use of Cryptokitties… in fact, I never really saw the point to begin with… but it is a working example.
Other working examples of Web 3.0 Injection login are:
- Hive (replacement of Steemit)
- Ethereum Remix
And many other websites/Dapps
Yes and no… no matter how well it’s hashed and salted, there is still a shared secret to protect. It relies on hashing algorithms to be completely solid. It also relies on users picking a secure password.
Using public key crypto has the elegant upside of not having to share any secret at all. Server side all you need to store is a public key to associate a key with that account. Each challenge (nonce) sent to the customer on login is unique and each response would require a unique signature that can only be generated by the person in possession of the private key. Even if the entire user database including public keys leaks out for some reason, there is still no harm done and no data to even begin to brute force.
There are several initiatives out there already to use something similar to replace passwords. For those who listen to the Security Now podcast, Steve Gibson’s SQRL will be familiar, but there are others too.
Public key crypto solutions do provide an even higher level of security than any form of hashing + long passwords. Though it could be argued that that level is far beyond what is needed for Tardigrade. I don’t make a judgement on that, but it is definitely a step above the alternative.
I’m not making any specific claim about the particulars of Tardigrade username/password storage procedures.
I’m simply indicating that wallet login methods do not require storing username/passwords. Therefore, all attacks that might be possible against username/password databases are not possible against wallet logins.
The password generated… and therefore the hash of that password… is a static object that is stored on someone’s server. Therefore, it is subject to compromise beyond the user’s control. Wallet login is entirely under user control. The server stores nothing to steal.
Wallet login is much more secure than username/password, no matter the storage or hashing procedures of the username/password combo. This is one reason Microsoft added wallet authentication to Azure:
Of course, Azure uses a private proof of authority blockchain which has zero actual funds transferred and no mining operation. But, the login via crypto signatures on random data is the same… and provides a massive increase in security assurance.
In general username/password databases are fine if done correctly and carefully with the code base reviewed often for potential vulnerabilities. My posts here are in no way a statement of belief that Storj or Tardigrade is doing something “wrong” or has security issues… It’s simply true that username/password databases are broken security (from an absolutist perspective)… and that wallet login is not just more secure - it’s actually secure from the server’s or service provider’s perspective. If the signature verification process is done properly, the authentication has no known methods of attack… except through local compromise of the end-user’s wallet… which isn’t the service provider’s purview.
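The challenge-response login described in the posts above, as an added example that is not part of the original thread and is not Storj or Tardigrade code: the server stores only public keys, issues single-use expiring nonces, and rejects replayed, expired or wrongly signed responses. Ed25519 from Node's `crypto` module stands in for a wallet's signature scheme; `satellite.example`, the challenge wording and all function names are assumptions.

```javascript
// Added example: server keeps only public keys; login is a signature over a fresh nonce.
// Assumption: Ed25519 (Node crypto) stands in for the wallet's own signature scheme.
const crypto = require('crypto');

const DOMAIN = 'satellite.example';  // hypothetical service name bound into each challenge
const TTL_MS = 60_000;               // challenge lifetime
const accounts = new Map();          // accountId -> public key (nothing secret is stored)
const pending = new Map();           // nonce -> { accountId, expires }

function register(accountId, publicKey) { accounts.set(accountId, publicKey); }

// Server: issue a fresh, single-use challenge for this account.
function issueChallenge(accountId, now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString('hex');
  pending.set(nonce, { accountId, expires: now + TTL_MS });
  return `${DOMAIN} wants you to sign in as ${accountId}\nnonce: ${nonce}`;
}

// Client: sign the exact challenge text; the private key never leaves the client.
function signChallenge(challenge, privateKey) {
  return crypto.sign(null, Buffer.from(challenge), privateKey);
}

// Server: check domain and account binding, consume the nonce, then verify the signature.
function verifyLogin(accountId, challenge, signature, now = Date.now()) {
  const m = /^(.+) wants you to sign in as (.+)\nnonce: ([0-9a-f]{64})$/.exec(challenge);
  if (!m || m[1] !== DOMAIN || m[2] !== accountId) return 'bad-challenge';
  const entry = pending.get(m[3]);
  if (!entry || entry.accountId !== accountId) return 'unknown-nonce';
  pending.delete(m[3]);              // single use, even when a later check fails
  if (now > entry.expires) return 'expired';
  const publicKey = accounts.get(accountId);
  if (!publicKey) return 'unknown-account';
  return crypto.verify(null, Buffer.from(challenge), publicKey, signature) ? 'ok' : 'bad-signature';
}

// Constructed demo data: two key pairs, only one of them registered for the account.
function demo() {
  const alice = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  register('alice', alice.publicKey);
  const c1 = issueChallenge('alice'), s1 = signChallenge(c1, alice.privateKey);
  const c2 = issueChallenge('alice'), c3 = issueChallenge('alice', Date.now() - 2 * TTL_MS);
  return {
    valid: verifyLogin('alice', c1, s1),
    replay: verifyLogin('alice', c1, s1),
    wrongKey: verifyLogin('alice', c2, signChallenge(c2, other.privateKey)),
    expired: verifyLogin('alice', c3, signChallenge(c3, alice.privateKey)),
  };
}
```

A leaked copy of `accounts` gives an attacker nothing to brute force, which is the property the posts above argue for; the nonce store is what prevents a captured response from being reused.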
Additional fees for the user or for Storjlabs? If for the user, I would prefer Storjlabs not to make this decision on behalf of the user. If users are willing to take the fee, Storjlabs should not stand in the way.
As far as I know, Coinpayment requires the user to pay transaction and exchange fees. The input currency is converted to the vendor requested currency at whatever the exchange rate happens to be at that time… with all blockchain fees paid via the input currency.
I really don’t understand the need or desire for an integrated universal crypto currency exchange… If one has ERC-20 Token Z … just exchange it on a DEX somewhere and send STORJ. The exact same fees and process will be paid by the user anyway. We’re really talking about one extra step. I prefer to perform the exchange myself so that I have full control over the fees and exchange platform.
I think it’s a question of convenience.
Some beginner users may think it’s easier to spend their own token or ETH directly on the platform if they can. If they have to swap their token for STORJ, it’s just an extra step that could turn them away from using Tardigrade, even if it is a really “small” step…
From a general philosophical viewpoint… I agree with you.
However, it’s important to remember that Tardigrade is not a “beginner’s” platform. It’s a developer’s platform. It’s not a “front-end” product. It’s a back-end storage system meant for a rather technical customer… one who is expected to be familiar with blockchain technology, servers, coding, and navigating the inner architecture of the Internet.
It’s very unlikely that Tardigrade will expend extensive development costs to incorporate an instant exchange system for payment… So, that particular discussion is mostly moot.
However, I definitely would like to see the top level idea of logging in with a wallet to the Tardigrade service platform implemented.
As far as I understand, if you want to use Filezilla with Tardigrade integration you need a Tardigrade account. Filezilla will not provide one for you.
I don’t see how your claim would fit here.
And that goes for all partners that provide solutions for Tardigrade for end customers. It is really strange to not understand to make payment as easy and convenient as possible.
Coinpayments gives you your own Ethereum address to utilize for deposit and 24 hours to transfer the requested tokens. An entire day to get a good bargain on STORJ tokens is a pretty neat feature.
Let’s say I was building a platform on Tardigrade and I needed 100,000 STORJ… Maybe I could save a few thousand USD by purchasing STORJ at a low price during the month or year or whatever and then spending them when STORJ rises in price.
Sometimes and in some situations, it’s very beneficial to have the exchange of tokens and the payment of tokens be separate processes on separate platforms performed at separate times.
Filezilla Pro provides backend connection API to cloud services that you run… So, of course if one is going to use it with Tardigrade, then one would need to have a Tardigrade account and pay for storage on the Storj network.
Filezilla also requires that I pay for my IaaS… if that’s what I’m using instead of Tardigrade. I don’t understand the point you’re trying to make. I’m not aware of a Filezilla server for public consumption.
Reference link for “How-to” for Filezilla S3, etc:
They have a Community version too. It has a Tardigrade connector integrated.
I think it might be better to say:
“It has a Tardigrade connector integrated”
The other way implies that Tardigrade service comes with the Filezilla product. But that’s not accurate. It’s just a protocol connector… of course, the service needs to be purchased… just like S3 or a WebDAV server, or any of the other back-end connectors.
I have not tried Filezilla with Tardigrade but it was my impression that it is geared towards end users too. This turns any Filezilla user into a potential Tardigrade user. This is what I am trying to say that makes your claim or assumption that every Tardigrade user can be considered a crypto tech experienced user invalid.
I am also not advocating for removing any payment options. You are sounding like that. I am all for adding more options. That is all.
So all I am saying is: don’t make the choice for the users. Let the users decide and give them the options to choose what they prefer. No need to be a nanny for them. Existence of services like Coinpayments proves there is some customer demand for it and it is always great to have flexible options on how to pay.
I’ve been thinking of this feature and I still believe it would bring some value to the product.
This long Twitter thread explains in better words how Sign-in with Ethereum is better for end-users and for service providers.
In a nutshell, the benefits for the end users are the following:
- The users control their identity, since it is not stored on a service provider;
- The user can use and re-use his identity with any other service provider that allows Ethereum Sign-In;
- No need to register (again!) to a new service provider;
- The credentials are safer. No offense to Storj Labs, I know you are doing things right. But identities stored on a central location will always be attractive targets. And end users have a limited power to counter this (even having a strong password can be hacked if not properly stored and secured).
For Storj Labs, I also see advantages of implementing Ethereum Sign-In:
- New users can jump in faster and more easily, meaning better user experience (which is good for business, right?);
- Storj is a Web3 product and should use new features offered by this new era. This would impact Storj’s brand image positively. In my own opinion, when I log in to a website with Ethereum Sign-In, it gives me the image of a new kind of application that is more “modern” (of course, this is just my opinion and it doesn’t mean at all that the service is good or actually modern). Offering this feature is like saying “Hey! You wanna try our service? Good, you can do it right now, no need to register!” - And I think it’s cool
Would love to talk more about it with you guys
I think it’s a great idea.
Some questions should be nailed down (eg. is it only for sign-in (after email based registration) or also for registering new accounts?) but I like it.
And I hope it will be finalized soon:
Great, I’m glad you like it!
I don’t know exactly what this EIP will bring to Ethereum since it is already possible to sign in with Ethereum. I’ve read somewhere that this is more about adding some standards to accelerate the implementation and make it easier.
Indeed you are right, we need to identify what our real needs are.
In my opinion, what is really interesting would be to be able to register new accounts with this feature. But maybe it is easier and faster to start with “Sign-In after email registration”.
Blockchain-based Identity services like Ceramic IDX can be an interesting component too.
There are a couple of legal aspects that make signing in without any identity (meaning person or organization) information hard. Since storage providers sometimes get abused for prohibited content, the operator (in our case satellite operator) will get legal problems if they cannot provide the needed account information for further steps. An email is better than just the Ethereum address, since the operator can then hand this over and let the interested parties reach out to the email provider. Of course, this is just pushing the burden down the chain but resolves the issue at least somewhat.
I personally also really like the idea, but also know about these challenges.