Secure authentication into apps provided by social login puts users' data at risk. Why can't we authenticate safely and privately via web3?
The full spec and implementation of a Sign-in with Cardano (front-end and back-end), just like there is already a Sign-in with Ethereum.
Sign-in with Cardano would offer an alternative for users who wish to assume more control and responsibility over their own digital identity when signing into web2 apps and services. The audience is two-fold: (i) app/website developers, who can easily integrate such a sign-in ability into their app or web service; (ii) end-users who have a Cardano wallet and are wary of data privacy, who will prefer a Sign-in with Cardano over a typical Sign-in with Facebook. This is a solution built for them.
Sign-in with Cardano would work as follows:
1/ A web or mobile app integrates by adding backend and client JS authentication code provided by "Sign-in with Cardano", and by setting a scope of required shared data for login.
2/ The end-user has a Cardano account on-chain, accessible either via a Cardano-compatible web wallet or via a wallet app.
3/ A click on the "Sign-in with Cardano" button, displayed in the initial web or mobile app, issues a structured message for signing to the wallet. The message will contain the end-user's Cardano public address, the domain requesting the signing, an on-chain identifier (i.e. a DID, which could be an Atala-Prism DID or an alternative), a scope of required shared information, a nonce acceptable to the server, and a valid timestamp. Additional fields could be added later, such as an expiration time or extra off-chain data.
4/ As the wallet receives and displays the message, the end-user signs the message at no cost (zero ADA). The signature is then presented to the web app server to check the signature’s validity and message content. JWT tokens and Auth cookies are issued by "Sign-in with Cardano" to the web or mobile app.
5/ The end-user is logged in to the web or mobile app with the agreed shared credentials (those in the scope).
This project is an opportunity to standardize the sign-in workflow and improve interoperability across existing services of the Cardano ecosystem and community.
Whilst Sign-in with Cardano could become an essential piece of infrastructure in the Cardano ecosystem, its reach could extend far beyond it: for web2 and web3 app developers who have already made the effort to provide a social login, integrating this authentication method would be a matter of a couple of hours.
Finally, by defining a robust standard, it is also an opportunity to provide wallet vendors with a reliable method to identify signing requests by making use of Sign-in with Cardano for an improved and consistent UX. This would improve synergies and cement the common standard for authentication. In turn, it could lead to extending this standard to the concept of authorization, so that the same open standard is used for more granular operations (such as issuing a certificate, downloading a file behind a firewall, etc…)
Although the initial spec and implementation will be very much inspired by common standards (OAuth2, EIP-4361, W3C DID specs), it will be shared openly (on GitHub) and could later evolve with proper governance from Catalyst members' votes, in the hope that it could even form the basis for a Cardano Improvement Proposal in the future.
A small marketing budget is sought to make the crypto community at large aware of the project once delivered.
The main risk is that Cardano wallet providers do not integrate fast enough with Sign-in with Cardano, thereby making the adoption of the solution slower and more dependent on the few who will have agreed to make this integration. The current lack of browser-extension based Cardano wallet solutions (such as Metamask for example) is also a factor in slower adoption of the solution, since a browser extension wallet makes the UX more seamless.
To mitigate this risk, we have planned for a proof of concept which would see us develop a light Cardano wallet for integrating DIDs and authentication. Contrary to the rest of the code, which would be open-source, this PoC wallet would not be fully open source in its first implementation: so as to speed up its development, we may just add web3 capabilities on top of the Authenly app (already available on iOS and Google Play) and make it compatible with Cardano via a simple/light web3 implementation (such as ADALite). This proof of concept would provide a blueprint for integrating the Sign-in with Cardano libraries, and would also act as a complete validation of the end-to-end authentication solution.
This project will be delivered in five stages, for a total duration of 32 weeks. Each stage is an independent milestone in itself, with its own success criteria and delivered value.
Stage 1: specs and awareness
- [4 weeks] Finalize and publish the specs of "Sign-in with Cardano" based on various open standards (OAuth2, EIP-4361, W3C DID specs)
- [ongoing] Set up a Discord channel for shared interest in Cardano-based authentication/authorization; discuss with Cardano wallet providers integrating the Sign-in with Cardano feature, plan for integration, beta test, etc…
Stage 2: develop a light Cardano wallet for an integration Proof of Concept
- [8-10 weeks] Integrate into the Authenly app a minimal solution for a light Cardano wallet
Stage 3: develop the Sign-in with Cardano libraries and a first back-end integration sample
- [4-6 weeks] Sign-in with Cardano JS plugin (client side)
- [4-5 weeks] Sign-in with Cardano backend integration code for NodeJS (with full npm install)
- [1 week] Implement a sample NodeJS web app making use of the Sign-in with Cardano backend and client libraries.
Stage 4: security assessment
- [4 weeks] Security assessment of the entire open source stack by a reputable third-party contractor and/or a public body of similar reputation
Stage 5: dissemination
- [1 week] publishing into official production (iOS first, then Google Play) the Authenly app with its "Sign in with Cardano" built-in capability. This will likely be the first solution deployed of "Sign-in with Cardano" to be both end-to-end and production-ready.
- [2 weeks] providing assistance to wallet providers for their integration
- [4 weeks] community events, marketing, discord channel
Phase 1: $6,000
Phase 2: $12,500
Phase 3: $12,500
Phase 4: $12,500 (mostly to external contractor)
Phase 5: $6,000 (2/3 of which will be marketing budget)
Eric: https://www.linkedin.com/in/ericduneau/ - 20+ years in software, was CEO/CTO of a $30m software business. Sold the business in 2019, has since reconverted to Cyber & Crypto projects. Eric has built most of Authenly's passwordless authentication solution from the ground up (cloud / app / libraries) and is moving Authenly towards full decentralization.
Tiffany: https://www.linkedin.com/in/tiffany-duneau/ - PhD in Quantum Computing at Oxford Uni in progress; Tiffany has developed the security framework of Authenly; she will provide input on the "Sign-in with Cardano" security frameworks and initial security reviews.
Some small parts of the project (such as the final security assessment, and some of the marketing budget) may be subcontracted, but we do not yet know who will be given this responsibility. This will be decided at a more advanced stage in the project.
Stage 1a and 3: Daily GitHub commits
Stage 2: Weekly Beta releases on iOS TestFlight until final beta
Stage 4: Proof of assessment by third party
Stage 1b and 5: Proof of social activity (tweets, discord…) and proof of integration by wallet providers
The project is defined in stages so that each stage can have its own success criteria.
Stage 1: Defining the open standard for "Sign-in with Cardano" is a reusable specification based on existing open standards for the benefit of the whole community. The later implementation of those specs will be carried out during this project by the same team, but it could be that another team wants to pick up those same specs and make their own implementation, which is a totally fine and equally successful alternative for this stage.
Stage 2 will be done when the Authenly app is operational on iOS TestFlight with the integration of an ADALite-compatible wallet, and at least the ability to sign messages on-chain.
Stage 3 will be successful when a sample web app shows proof of login via a Cardano wallet (at this stage either ADALite, if they have integrated "Sign-in with Cardano", or alternatively the Authenly app integrated with ADALite).
Stage 4 will be successful when the security assessment of all open source code developed in stage 3 has passed security review.
Stage 5 will be successful when "Sign-in with Cardano" is implemented seamlessly by at least one major Cardano wallet provider, opening the way for web2 and web3 developers to integrate the solution into their app.
This is a NEW project.
Goal 9. Build resilient infrastructure, promote inclusive and sustainable industrialization and foster innovation
9.b Support domestic technology development, research and innovation in developing countries, including by ensuring a conducive policy environment for, inter alia, industrial diversification and value addition to commodities
Key Performance Indicator (KPI):
9.b.1 Proportion of medium and high-tech industry value added in total value added
I have designed and developed a unique passwordless login solution (Back-End, JS, App) via QR code scan using open standard auth protocols. See here: https://authenly.com/passwordless-authentication ; Since early 2021, I have worked on DIDs (Ceramic) and web3 integration.