Simple ID: Easier Blockstack Feature Survey 📊

prabhaav · July 26, 2019, 4:59pm

As you may remember, we posted a question and survey on the forum a few weeks ago. We wanted to know if there was a general need/interest from the Blockstack development community for a better onboarding/authentication tool within the Blockstack ecosystem. The response was overwhelmingly positive and gave us all the validation we needed.

Graphite and Stealthy collaborated to build SimpleID, a library that allows developers to drop in a simple JS package (and eventually make simply HTTP requests from any environment). The benefit of this library is that developers can get up and running in literally just a few minutes. For the apps these developers build, users get the experience they’ve become used to on the web:

Sign up with an email, username, and password
Sign in with username and password

Even though the experience is exactly what users expect, the complexity behind the scenes is immense. That complexity, hidden from the users, and avoided by the developers using our library, gives end-users control over their identity, encryption keys, and login, all without ever revealing any private information to us. A technical write-up is coming soon, but we encourage you to visit the website to learn more today:

While we love the spirit of open source projects, this is a commercial endeavor. The library is open source, but will require API key generation and payment from the developer/app wanting to use it. We feel the benefit this provides the Blockstack developer community is well worth the $9/month base plan price.

Please let us know if you have any questions!

hank · August 2, 2019, 5:48pm

Hey @prabhaav ,

First of all, I want to thank you and Justin for taking on the task of building on top of Blockstack, and seeking to improve the overall community. Third parties building on top of the Blockstack platform is exactly what we need in order to grow as a community.

There have been some questions about whether this qualifies for app mining. While this highlights the need to exactly define what qualifies as “Blockstack authentication”, as a team we have determined that this current implementation does not qualify for app mining.

One feature that would get this closer to qualifying is some clear mechanism for being compatible with typical Blockstack auth using the Browser. If I start with SimpleID, can I later on use the Browser? Can I use the ID I registered with SimpleID later on in other apps? Can I start with the Browser, and later use SimpleID? Right now, it seems that none of these could be answered in the affirmative.

I think there are other concerns here, like whether the user has any idea that they’re using a platform that provides a personal data locker and a self-sovereign ID that can be used in other apps. This is a less well-defined problem, which is why I think the above concerns are more immediate.

Again, we want to encourage 3rd parties on the platform. I am sure you would like to get to a place where SimpleID qualifies for app mining, and if so, then we can definitely work together to find a solution that we feel does qualify.

jehunter5811 · August 2, 2019, 8:11pm

Thanks for writing this up, Hank. First, let us point out that SimpleID is actively being developed. Just like any of us here can post all of the things that Blockstack is missing because Blockstack is actively being developed, the same is true of SimpleID.

That being said, what’s possible as of today with SimpleID mirrors everything possible with traditional Blockstack Auth. We’ve just pushed an update to give users control to take an ID registered on SimpleID and use it via the Blockstack Browser. That was always in the cards and it was a matter of exposing the function. So done.

We also intend to allow existing Blockstack IDs to be used on SimpleID-based apps. That’s a bit less of a priority, and in our eyes should not disqualify anyone using SimpleID from App Mining.

This particular issue strikes me more as one that should be communicated by developers as they see fit. SimpleID is intentionally un-opinionated. Blockstack Auth is very opinionated, so building an alternative that is also opinionated doesn’t make a ton of sense. It also puts a lot of centralization on the solution.

Now, let’s talk about roadmap, both immediate and long-term. As mentioned, we plan to allow existing Blockstack IDs to sign into SimpleID apps. All user data (which consists of non-revealing pointer files) will be replicated to IPFS to ensure that if SimpleID’s database and server go down, users can still log in. That’s a major goal of further decentralizing Blockstack, so this seems very much aligned with your goals.

Long-term, we plan to introduce user data replication. In addition to storage on the user’s selected Gaia Hub, developers using SimpleID will be able to offer user storage replication to IPFS. We also plan to support custom Gaia hubs as well as simple profile.json updates. These two features alone will significantly extend the capabilities of Blockstack and we think developers and users of apps built by these developers will benefit immensely.

I’m not sure what other information is necessary for you all to make a decision on this being something developers can use in app-mining-eleigible apps, but I do want to leave you with a post in which @muneeb himself confirmed that third-party auth built using Blockstack would be acceptable:

https://forum.blockstack.org/t/3rd-party-blockstack-app-auth/6983

jude · August 5, 2019, 2:51pm

I took a look at the code for Simple ID. I just want to make sure I understand one thing correctly – is the 12-word seed generated from a user-given password? If so, then I cannot overstate how dangerous this is. Passwords do not have very much entropy, and given that your ID address is public knowledge, it’s trivial to build a rainbow table of all plausible password --> address mappings and guess peoples’ seed phrases offline.

jehunter5811 · August 5, 2019, 3:03pm

No, the 12-word seed phrase is generated exactly the same way Blockstack generates it today. The password encrypts the seed phrase (just like the Blockstack Browser does today).

jude · August 5, 2019, 3:11pm

Good to know. Thanks!

muneeb · August 6, 2019, 1:06pm

Great to see this work here and especially to see a commercial ID solution in our ecosystem!

RE qualification for App Mining, there are many considerations here. We want to be thoughtful and make the best decision for both our users and App Miners. I trust the App Mining team to work through all the angles and reach a decision.

As always, Github or this forum remain the best place for discussions.

prabhaav · August 6, 2019, 3:50pm

We’ve created a Github issue: https://github.com/blockstack/app-mining/issues/141

I understand there are many considerations to be made, but if we can help resolve any questions/concerns to speed up the process, please let us know.

jehunter5811 · August 6, 2019, 7:47pm

We’ve finished our first pass at the Technical Documentation for those interested:

github.com

simplesecure/ssa-sdk/blob/master/TECHNICAL_DOCS.md

# SimpleID Technical Documentation  

Index:  
* [Summary](#summary)    
* [Public Functions](#public-functions)  
* [Additional Info](#additional-info)

## Summary

SimpleID is a developer toolkit built on top of the groundwork laid by existing decentralized application protocols. SimpleID provides a familiar user experience to end-users while giving developers felxibility in implementation. The toolkit can be used by any type of application, decentralized or not. 

At its base layer, SimpleID offers user authentication via username/password—as users expect—without compromising on privacy and security. Users are always in control of their private keys and no private information is ever exposed to SimpleID or the app developers using SimpleID. 

In addition to authentication, SimpleID also offer decentralized storage replication, multi-factor authentication options, basic developer analytics, and more. 

**Is it decentralized?**  

Yes, in the most basic sense of decentralization—no one party controls the user data and access. No, in the sense that app developers relying on SimpleID are trusting our process and our server. That said, the actual content being stored via SimpleID is available p2p via IPFS. A content hash is returned to the user profile so app developers can easily expose that hash to users and the hash is emailed to users upon account creation. 

With that information and the password the user chose when signing up, they can use their authentication information outside of SimpleID. For example, a user can easily migrate their identity from SimpleID to the Blockstack Browser. This will be true of all future protocols supported as well.

This file has been truncated. show original