As you may remember, we posted a question and survey on the forum a few weeks ago. We wanted to know if there was a general need/interest from the Blockstack development community for a better onboarding/authentication tool within the Blockstack ecosystem. The response was overwhelmingly positive and gave us all the validation we needed.
Graphite and Stealthy collaborated to build SimpleID, a library that allows developers to drop in a simple JS package (and eventually make simple HTTP requests from any environment). The benefit of this library is that developers can get up and running in literally just a few minutes. For the apps these developers build, users get the experience they’ve become used to on the web:
Sign up with an email, username, and password
Sign in with username and password
Even though the experience is exactly what users expect, the complexity behind the scenes is immense. That complexity, hidden from the users, and avoided by the developers using our library, gives end-users control over their identity, encryption keys, and login, all without ever revealing any private information to us. A technical write-up is coming soon, but we encourage you to visit the website to learn more today:
While we love the spirit of open source projects, this is a commercial endeavor. The library is open source, but will require API key generation and payment from the developer/app wanting to use it. We feel the benefit this provides the Blockstack developer community is well worth the $9/month base plan price.
First of all, I want to thank you and Justin for taking on the task of building on top of Blockstack, and seeking to improve the overall community. Third parties building on top of the Blockstack platform is exactly what we need in order to grow as a community.
There have been some questions about whether this qualifies for app mining. While this highlights the need to exactly define what qualifies as “Blockstack authentication”, as a team we have determined that this current implementation does not qualify for app mining.
One feature that would get this closer to qualifying is some clear mechanism for being compatible with typical Blockstack auth using the Browser. If I start with SimpleID, can I later on use the Browser? Can I use the ID I registered with SimpleID later on in other apps? Can I start with the Browser, and later use SimpleID? Right now, it seems that none of these could be answered in the affirmative.
I think there are other concerns here, like whether the user has any idea that they’re using a platform that provides a personal data locker and a self-sovereign ID that can be used in other apps. This is a less well-defined problem, which is why I think the above concerns are more immediate.
Again, we want to encourage 3rd parties on the platform. I am sure you would like to get to a place where SimpleID qualifies for app mining, and if so, then we can definitely work together to find a solution that we feel does qualify.
Thanks for writing this up, Hank. First, let us point out that SimpleID is actively being developed. Just like any of us here can post all of the things that Blockstack is missing because Blockstack is actively being developed, the same is true of SimpleID.
That being said, what’s possible as of today with SimpleID mirrors everything possible with traditional Blockstack Auth. We’ve just pushed an update to give users control to take an ID registered on SimpleID and use it via the Blockstack Browser. That was always in the cards and it was a matter of exposing the function. So done.
We also intend to allow existing Blockstack IDs to be used on SimpleID-based apps. That’s a bit less of a priority, and in our eyes should not disqualify anyone using SimpleID from App Mining.
This particular issue strikes me more as one that should be communicated by developers as they see fit. SimpleID is intentionally un-opinionated. Blockstack Auth is very opinionated, so building an alternative that is also opinionated doesn’t make a ton of sense. It also puts a lot of centralization on the solution.
Now, let’s talk about roadmap, both immediate and long-term. As mentioned, we plan to allow existing Blockstack IDs to sign into SimpleID apps. All user data (which consists of non-revealing pointer files) will be replicated to IPFS to ensure that if SimpleID’s database and server go down, users can still log in. That’s a major goal of further decentralizing Blockstack, so this seems very much aligned with your goals.
Long-term, we plan to introduce user data replication. In addition to storage on the user’s selected Gaia Hub, developers using SimpleID will be able to offer user storage replication to IPFS. We also plan to support custom Gaia hubs as well as simple profile.json updates. These two features alone will significantly extend the capabilities of Blockstack and we think developers and users of apps built by these developers will benefit immensely.
I’m not sure what other information is necessary for you all to make a decision on this being something developers can use in app-mining-eligible apps, but I do want to leave you with a post in which @muneeb himself confirmed that third-party auth built using Blockstack would be acceptable:
I took a look at the code for Simple ID. I just want to make sure I understand one thing correctly — is the 12-word seed generated from a user-given password? If so, then I cannot overstate how dangerous this is. Passwords do not have very much entropy, and given that your ID address is public knowledge, it’s trivial to build a rainbow table of all plausible password --> address mappings and guess people’s seed phrases offline.
No, the 12-word seed phrase is generated exactly the same way Blockstack generates it today. The password encrypts the seed phrase (just like the Blockstack Browser does today).
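The two designs contrasted in the question and reply above, as an added example that is not part of the thread and is not SimpleID or Blockstack code. The SHA-256 "address", the fixed salt, scrypt and AES-256-GCM are assumptions chosen for illustration, and all values are constructed.

```javascript
const crypto = require('node:crypto');

// Stand-in for "seed -> public ID address" (assumption; real wallets use BIP32/secp256k1).
const addressOf = (seed) =>
  crypto.createHash('sha256').update(seed).digest('hex').slice(0, 40);

// Design A (the concern raised): the seed is a pure function of the password.
function seedFromPassword(password) {
  return crypto.scryptSync(password, 'fixed-app-salt', 16);
}

// Design B (the reply): the seed is 128 random bits; the password only wraps it.
function createWrappedSeed(password) {
  const seed = crypto.randomBytes(16);
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(password, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(seed), cipher.final()]);
  return { address: addressOf(seed), blob: { salt, iv, ct, tag: cipher.getAuthTag() } };
}

// Recover the seed from the wrapped blob; GCM authentication throws on a wrong password.
function unwrapSeed(password, { salt, iv, ct, tag }) {
  const key = crypto.scryptSync(password, salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Does the public address alone confirm a password? True only when the
// address is a deterministic function of the password (design A).
function addressConfirmsPassword(password, address) {
  return addressOf(seedFromPassword(password)) === address;
}

function demo() {
  const password = 'correct horse'; // constructed sample password
  const addressA = addressOf(seedFromPassword(password));
  const b = createWrappedSeed(password);
  return {
    designA: addressConfirmsPassword(password, addressA),
    designB: addressConfirmsPassword(password, b.address),
    roundTrip: addressOf(unwrapSeed(password, b.blob)) === b.address,
  };
}
```

In design B the address carries no information about the password, so the remaining exposure is the encrypted blob: its storage location and the cost of the key-derivation function decide how hard password guessing is.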
Great to see this work here and especially to see a commercial ID solution in our ecosystem!
RE qualification for App Mining, there are many considerations here. We want to be thoughtful and make the best decision for both our users and App Miners. I trust the App Mining team to work through all the angles and reach a decision.
As always, Github or this forum remain the best place for discussions.