Last updated 4 weeks ago
Access control on the internet has terrible UX and security because of usernames and passwords.
Users forget both, use weak passwords and repeat them on multiple sites, leaving them vulnerable to hacks.
This is the total amount allocated to Crypto wallets for signup, login, and 2FA. 0 out of 4 milestones are completed.
1/4
Technical documentation draft
Cost: ₳ 14,000
Delivery: Month 1 - Apr 2024
2/4
Usability demo
Cost: ₳ 28,080
Delivery: Month 3 - Jun 2024
3/4
Developer resources
Cost: ₳ 28,080
Delivery: Month 5 - Aug 2024
4/4
Project closeup
Cost: ₳ 23,440
Delivery: Month 6 - Sep 2024
NB: Monthly reporting was deprecated from January 2024 and replaced fully by the Milestones Program framework.
Signing with your crypto wallet is better, safer, simpler and a two-factor-auth at the same time. Your public key reveals nothing, your signature changes on each login, and can't be forged.
No Dependencies
All software will be BSD-3 clause, which is the most liberal open source license, allowing everybody to incorporate the software without any legal worries as much as to read the code and modify it. That is important for adoption as some application developers will not release their software source code yet they need to use this open sourced library.
The documentation will be creative commons licensed.
SDG goals:
Build resilient infrastructure, promote inclusive and sustainable industrialization and foster innovation
SDG subgoals:
Develop quality, reliable, sustainable and resilient infrastructure, including regional and transborder infrastructure, to support economic development and human well-being, with a focus on affordable and equitable access for all
Support domestic technology development, research and innovation in developing countries, including by ensuring a conducive policy environment for, inter alia, industrial diversification and value addition to commodities
Key Performance Indicator (KPI):
Proportion of medium and high-tech industry value added in total value added
Universal Human Rights Index (UHRI):
Your browser extension web wallet is great, it comes in handy when you need to pay online and use the Cardano DeFi, but I could do more for you. Most of your online needs are about managing each of your accounts with service providers. You must authenticate to access their service using a username and password. Your service provider stores that data, and when they get hacked, your account passwords end up floating on the internet. To reduce that risk you use password managers, so you can use a different password on every service and keep track of them. On the provider side they give you two-factor authentication. That is a terrible user experience: too many tools to solve a simple authentication problem.
Because of Blockchains we are spreading the use of cryptography as an infrastructure and we should make more use of it. Wouldn't it be awesome if your wallet would take care of authenticating you? It can, it is simpler and safer than any other alternative.
Your wallet is a secure system; it keeps your keys safe. Instead of usernames, you give your public key, which reveals no information about you or your keys, yet unequivocally identifies you. To log in to a service, you sign a login message and the service provider validates it. By its properties, the signature changes with each domain, time, and message you sign, so it becomes a second-factor authentication by construction (something you know: your wallet unlock password; something you have: your secret key), and it runs on your computer. Once the service provider validates your signature you are authenticated. Because the service provider does not store your password anymore, when they get hacked and suffer a data leak, nobody can impersonate you as they don't have your private key. This is so much safer, because with this method we push the power and control back to the users.
This system is ready for the Cardano ecosystem. The wallet dapp connector CIP-30 gives your wallet the ability to sign messages, and CIP-8 teaches developers how to sign arbitrary messages. What is missing is the backend infrastructure to help developers with this form of authentication, and educating users on how to use it and why to prefer it. The measure of success is how much the ecosystem embraces this feature, and that can be measured by counting projects that include an authentication option next to their wallet connection.
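The backend check described above, as an added example that is not the project's own code: the server issues a challenge bound to its domain, a nonce and the issue time, and accepts a login only for a fresh, unused challenge with a valid signature. It assumes plain Ed25519 from Node's built-in `crypto` module rather than the CIP-8 COSE envelope a CIP-30 wallet returns; the function names, the `shop.example` domain and the five-minute window are hypothetical.

```javascript
// Added example: plain Ed25519 from Node's built-in crypto module.
// A CIP-30 wallet would return a CIP-8 COSE_Sign1 structure instead.
const crypto = require("node:crypto");

const MAX_AGE_MS = 5 * 60 * 1000; // assumed freshness window
const issuedNonces = new Map();   // nonce -> issue time, kept only on the server

// Server: issue a one-time challenge bound to its own domain and the current time.
function issueChallenge(domain, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString("hex");
  issuedNonces.set(nonce, now);
  return JSON.stringify({ domain, nonce, issuedAt: now });
}

// Wallet (simulated here): sign exactly the bytes the server sent.
function walletSign(privateKey, challenge) {
  return crypto.sign(null, Buffer.from(challenge), privateKey);
}

// Server: accept only a fresh, unused challenge for this domain with a valid signature.
function verifyLogin(publicKey, challenge, signature, expectedDomain, now = Date.now()) {
  let msg;
  try { msg = JSON.parse(challenge); } catch { return "malformed"; }
  if (msg === null || typeof msg !== "object") return "malformed";
  if (msg.domain !== expectedDomain) return "wrong-domain";
  const issued = issuedNonces.get(msg.nonce);
  if (issued === undefined || issued !== msg.issuedAt) return "unknown-or-replayed";
  if (now - issued > MAX_AGE_MS) {
    issuedNonces.delete(msg.nonce);
    return "expired";
  }
  if (!crypto.verify(null, Buffer.from(challenge), publicKey, signature)) return "bad-signature";
  issuedNonces.delete(msg.nonce); // single use: a captured signature cannot be replayed
  return "ok";
}

// Constructed demo: a fresh key pair stands in for the user's wallet.
function demo() {
  const user = crypto.generateKeyPairSync("ed25519");
  const challenge = issueChallenge("shop.example");
  const signature = walletSign(user.privateKey, challenge);
  const first = verifyLogin(user.publicKey, challenge, signature, "shop.example");
  const replay = verifyLogin(user.publicKey, challenge, signature, "shop.example");
  return { first, replay };
}
console.log(demo());
```

The server stores only public keys and short-lived nonces, so a database leak exposes nothing that can be used to sign in.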
Developer productivity will grow as this becomes an established practice, because developers will know where to search and learn about this service.
The more the Cardano ecosystem develops, the more necessary this solution becomes. However, most of its current challenges are educational. This project mostly goes in the challenge direction of "Knowledge base & documentation". It is about teaching developers how to implement the authentication backend on their services, and it is about teaching users how much safer this method is.
As you just read, it is a two-sided marketplace problem. Users need to want to log in with their wallets, and developers need to offer services people can log in to using their wallets. Yet what is the alternative?
Today, developers don't have enough security experience to implement secure password authentication protocols and secure password storage solutions, regardless of how bad password authentication is as a concept. The safest solution today is to rely on OAuth, and that is secure and supported by today's tech monopolies. But that is part of the problem too: we must rely on those tech monopolies, and we consolidate power and data with them. Although better financed than any individual developer, they are still prone to suffer hacks and experience data leaks. They are actually honeypots because of all the data they have, putting them in a vulnerable position. And the power they have? Well, they have not been role models of good behavior, so why should we keep giving them more power?
This solution brings decentralization back into play. The cryptographic libraries are safe, the cryptography is safe. I'm not implementing my own cryptography, I build upon our safe system and so should all developers. If the user can authenticate with his wallet, there is no need for passwords at the service provider, there is no need to store them. You can't leak data you don't store. The cryptography is safe, there can't be identity forgery on this scheme. And because of the wallet nature of holding user funds, people take better care of their secrets. On top of that, people only need to take care of their wallet seed and unlock password, not of passwords, and not a different one for every site; the dynamic nature of the signature takes care of that.
This project brings the Cardano ecosystem forward by educating developers and users how to better embrace cryptography, decentralization and become self-sovereign.
This project consists of educational modules and the corresponding code templates for developers to incorporate this authentication protocol in their services.
Building is not enough of course, communication is extremely important, and I will hold many more YouTube tutorials to teach developers and users how to embrace the features.
I have participated in the Cardano ecosystem over the last 2 years. The community has recognized and rewarded my efforts, funding my projects in Funds 7, 8 and 9. I have successfully delivered and closed all my projects, and the community can audit them. I completed 2 open source projects with little more than a month's delay to my plan, 1 documentation effort completely according to plan, and 1 DApp project which challenged me beyond my initial proposal and forced me to redesign it during implementation and readapt my infrastructure considerations due to the Vasil Hard Fork, creating huge delays and going completely out of plan, time schedule and budget. However, I did not let that project fail; I persisted to deliver the project feature complete despite the 8 months' delay instead of calling it a failed project. I worked after consuming all my budget and in the depths of last year's valuation collapse of ADA.
It is my experience and my persistence that show my capability. My ideas are valuable to be funded, and I have been honestly working to bring them to completion.
The main goal of the project is to move people away from using passwords to authenticate users. Passwords offer poor security, today's secure alternative is to rely on OAuth, which entrenches the big tech monopolies. This approach is feasible because I have seen it in use, it is even easier than the SSH handshake, because the secure channel is already provided by the TLS connection of the web-service over the internet. The user only needs to sign a message the server must validate.
Yes, the project involves some software development, yet mostly is educational, teaching developers how to embrace this protocol, by giving them documentation, examples and some libraries to use.
The project is feasible. The goal, well, it fights the inertia of people doing what they have always done: using passwords for login. Yet the success can be actively measured by following how services in the Cardano ecosystem adopt this type of authentication when needed.
Here I prepare technical documents and diagrams explaining the details of how to implement this type of authentication. This isn't much of a challenge, it is mostly busy work to get it done. Technical document on the arsmagna.xyz website
From idea to reality things change. The goal here is to provide actual software implementations of the authentication protocol. I will provide the templates or libraries (depending on the ecosystem) to implement this protocol in popular languages.
Because "build it and they'll come" does not work, the project needs a substantial amount of YouTube tutorials to inform developers as well as users about these possibilities: now that we have large-scale diffusion of a cryptographic infrastructure thanks to cryptocurrencies, we can authenticate cryptographically.
Oscar Najera (Jack of all trades, master of Software development)
PhD in Theoretical Physics, Software developer, Contributor to Cardano ecosystem. I let my work speak for me, with my Catalyst funded and completed projects
Ideascale: https://cardano.ideascale.com/c/idea/385056
Closeout Video: https://www.youtube.com/watch?v=fTDCxC8No6o
Closeout report: https://drive.google.com/file/d/1pcCL93-XYvDjS3EIUW7W57XecjBm880f/view
Ideascale : https://cardano.ideascale.com/c/idea/61277
Closeout Video : https://youtu.be/knP3T391Wak
Closeout report : https://drive.google.com/file/d/1cOIxjuf12d0eGWZKuOU1-PiV7oukyVcB/view
Ideascale : https://cardano.ideascale.com/c/idea/400914
Closeout Video : https://www.youtube.com/watch?v=eNaoS8zAfu4
Closeout report : https://drive.google.com/file/d/1XyktSqoLOT9BHLkjcmGc_bYTfRDyYq8u/view
Ideascale : https://cardano.ideascale.com/c/idea/420147
Closeout Video : https://youtu.be/VV59yVv2VJc
Closeout report : https://drive.google.com/file/d/1O-7LN0LXLHw2WK0Tl75msyXzUHNQu1ah/view
In the previous section of Milestones I list every deliverable. This includes the simplified timeline for each milestone.
Although I separate the example code and libraries as separate milestones and deliverables, their release will be interleaved. It is a lot easier to work on a specific project also thinking how I'll present it on a tutorial.
This project as all my previous ones remains small in scope and is an extra tool for the Cardano ecosystem. The main expense is compensation for my work time and effort, which I average out at a rate of 60USD/hour, making me a cheap software developer, an expensive video editor, an ok accountant and an undervalued project manager since I have brought all my projects to completion.
The timeline assumes me working part time on this project. Milestones propose 18 weeks of work. Out of experience, I'll budget 30% buffer for completion amounting to 23.4 weeks. That budget buffer leaves me opportunity to work around unforeseen problems.
I account for ADA price of 0.25 USD, that seems to have been the bottom in December last year and now. I imagine even with the 12 Million USD in sell pressure originating from this Catalyst fund, and amortized over a year, that it won't drop that much.
Final budget: 18 [weeks] × 1.3 [buffer factor] × 20 [hours/week] × 60 [USD/hour] / 0.3 [USD/ADA] = 93600 ADA
This project as all my previous ones remains small in scope and is an extra tool for the Cardano ecosystem. The main expense is compensation for my work time and effort, which I average out at a rate of 60USD/hour, making me for the German market where I live a cheap software developer, an expensive video editor, an OK accountant and an undervalued project manager since I have brought all my projects to completion. The Cardano ecosystem will profit from this treasury investment.
The beauty of software in this project is that you only need to pay for it once, then it works. All my work in this project is open sourced and the documentation is publicly available. I won't keep any royalties from the output of my work. This belongs to the Cardano community and I expect it to grow into a bigger community, making these resources more valuable. Getting out of passwords into authentication from your wallet would be huge for cybersecurity, and it also brings us a step forward into decentralization, where we as users can manage our identities instead of delegating them to tech monopolies.