Hey, my boss said to talk to you — I hear you know a lot about web authentication?
-Yeah, I’m more of a passwordless authentication guy now. With cryptography being where it is right now, it’s hilarious how we used human memory for password authentication. I’m excited about how we can use SQRL and the blockchain for authentication now. It’s the future!
Cool. I’m just building a simple web app at the moment — a normal CRUD app using Rails, going to deploy to Heroku and use Auth0 for authentication with username and passwords to issue JWTs. Is that still the way to go?
-Oh no. That’s old school. Passwords are dead. Securely authenticating with a side channel is the way to go! It’s the future!
Oh, Okay. What’s that?
-SQRL is a take on using a trusted device to authenticate you on websites. It bypasses the need to remember a weak human generated password. It’s the future!
Squirrels? What? What do squirrels have to do with anything?
-Not squirrels, SQRL! It sounds like squirrel but it’s spelled SQRL.
SQRL. Okay, what is it?
-SQRL shows you a prompt which you click to authenticate. It’s basically a nonce that your computer signs, or a QR code that you scan so that your phone signs it. The signed nonce is sent back to the server and you’re in! It’s the future!
So like Oauth and logging in with Facebook?
-No, Oauth is dead. Trusted third parties are dead! With SQRL you host the key on your own device! It’s the future!
What? Wait, don’t users need to have a SQRL client installed on their devices to use it?
-Well, yeah, but they can get SQRL on their phones or install a computer client.
So people don’t have it on their devices?
-No, but they’ll catch on.
What? How? Who’s pushing the adoption for this? Google?
-Oh, no, Gibson wrote the draft for this.
Gibson? The guy in Brave Heart?
-Not Mel Gibson, Steve Gibson! The guy in the Security Now! podcast. He made SpinRite, the disk recovery tool and said that Microsoft engineered a RCE backdoor in Windows.
Microsoft engineered a backdoor in Windows?! What!
-Oh, no, he was wrong about that. But then he wrote the draft for SQRL.
Ummm, okay… so I need to add SQRL on my website?
-Oh, no! SQRL is dead. Use Blockstack’s Auth JS to authenticate with the blockchain! It’s the future!
Wait, what? What’s Blockstack.
-It’s a distributed key-value store powered by a blockchain.
Like the bitcoin Blockchain?
-Yes, but no. Blockstack’s blockchain is for PKI, DNS and storing hashes.
So Blockstack has it’s own blockchain?
-No, it uses the bitcoin blockchain to store their virtual blockchain
Like a side chain?
-Yes, but it’s a virtual blockchain.
Right, but what does this have to do with Authentication?
-Blockstack’s Authentication looks up the user’s key from the blockchain. So the server doesn’t need to store that either! It’s trustless. It’s the future!
But the user still needs to manage the private key! What if i need to log in from my dad’s computer?
-Eventually someone will make a web based key store for private keys.
Like Lastpass?
-Yeah, but for private keys! It’ll be amazing!
But then how will I log into that web based key store?
-Maybe with a unique user identifier and a secret string. It’ll be amazing!
I see. So I need to authenticate my web application with Blockstack Auth, which users don’t have a stable client for, yet. It’s like SQRL, but not SQRL because it uses a virtual blockchain to store the keys, which is actually a side chain. Users will be tied to their devices until LastPass starts storing private keys, and then I can log into my site from my dad’s computer by logging into LastPass with a username and password?
Yes! Isn’t it glorious?!
I’m going with basic http-auth.
Thank you for reading this! If you have time and like alpha things, check out this app I’m building: Mailpenny.com
If you love distributed things, Blockstack is doing amazing work with their distributed DNS that may kill DNSSEC! Check them out at blockstack.org
Big shoutout to Steve Gibson from Security Now! for his podcast! It keeps me focused during my workout!
If you’re setting up authentication, I recommend Auth0.com to shave off weeks of development related to authentication. Their feature list is too long for me to list here.
This piece was inspired by my musings with Kobi and this post by CircleCI.
Hacker Noon is how hackers start their afternoons. We’re a part of the @AMIfamily. We are now accepting submissions and happy to discuss advertising &sponsorship opportunities.
To learn more, read our about page, like/message us on Facebook, or simply, tweet/DM @HackerNoon.
If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!