Tweedentity is out. Log into any ÐApp without usernames and/or passwords

Francesco Sullo · Published in 0xNIL · 8 min read · Jul 2, 2018

Tweedentity is a minimalistic, self-claiming identity system which creates a bridge between decentralized apps and centralized social networks.

🍿 In case you missed the previous “episodes”, Tweedentity was introduced in March. It is part of the 0xNIL project, which will use it to whitelist the participants in the second round of the Initial Free Offering of NIL tokens.

To know what Tweedentity is, take a look at the intro post:

Try it at https://dapp.tweedentity.com

🛠 How to set up your tweedentity

If you have MetaMask installed and you connect to the Ropsten Testnet or the Main Ethereum Network, the dashboard above shows the tweedentities that you can set. For now, Tweedentity supports only Twitter and Reddit.

Let’s say we want to set a tweedentity for Twitter.

Click on [Yes, please] to start. The app will show you the statistics for your wallet:

This is important because you want to use a wallet that has as few transactions as possible and, ideally, has only received a bit of ether anonymously, for example, via ShapeShift or ETH-Mixer.

Consider that once you have set up your tweedentity, anyone can trace your activity starting from that wallet. For this reason, it is very important that your identity wallet is not connected with your other wallets.

As a rule of thumb, an identity wallet should be used only for identity.

After clicking [Use this wallet], you will be asked for your Twitter username:

Type it and click [Look up for Twitter user-id]. The app retrieves your basic Twitter data and asks you to sign a string like “twitter/999831763290472448” (where 999831763290472448 is the Twitter user-id):

Only you can sign that string with that wallet, and this will prove without any doubt that you own the wallet. Click [Sign it now].

In case you are repeating the operation and a correct signature for that string has been safely saved in the local storage, you can use it and speed up the process. In the following screenshot, you see MetaMask asking you to sign the string. Sign it.

When you are done, you have to post the signature on Twitter, using the Twitter account that you chose before.

By doing so, you prove that you are the owner of the Twitter account. Tweedentity does not use the Twitter API, so you have to post it yourself. Click [Open Twitter now].

Twitter.com will be opened in a new tab to allow you to easily post the tweet:

After tweeting, go back to the app and click [I posted it, continue].

The app will verify that there is a tweet (1) containing the expected signature, and (2) posted by the expected user. If so, you are all set:

Now you have to decide how much you are willing to spend to set your tweedentity. At the moment I took the screenshot above, the average price of the gas was 3 Gwei. Often it is lower, even just 1 Gwei. Sometimes, though, it is much higher. In that case, considering that you need about 400,000 gas to set a tweedentity, it can be worth waiting and setting it at a better moment.

If you don’t care about waiting, you can set it at the current safe low price. It will probably require ~10 minutes for the entire operation, but sooner or later the transaction will be taken by the miners.

When the network is congested, for example because there is an ICO, the gas price can spike to 40 Gwei or more. In that case your tweedentity would cost $10 instead of 25¢.

Anyway, even if the price is temporarily high, it is not really high because it is a once-in-a-lifetime cost. A tweedentity is forever.

Click [Set it now!]. It will open MetaMask for the transaction:

As you can see, in this case, at that gas price, you have to send 11¢ to the contract. This covers the gas Oraclize needs to call back the contract and continue the operation, after it has called the API that retrieves the tweet and confirms that the tweet was posted by that Twitter account and that the signature is correct.

It is fundamental that the smart contract and the oracle repeat all the verifications without trusting the ÐApp because we want a process that is as trustless as possible.

Click [CONFIRM].

The transaction is submitted and you will see the following phases:

Here, if you look at the transaction you will see that it has called the Oracle:

After an average of 2 minutes, the tweedentity has been set.
Now, if you like, you can delete the tweet.

Click [Go back to the dashboard]. Now, in your dashboard, there is your first tweedentity:

Let’s repeat the process for Reddit.

Click [Yes, please], type your Reddit username and sign the verification string. You have to post it in a comment.

To avoid spamming Reddit with “weird” comments, I have created a specific thread. If you click on the button, it will open Reddit in a new tab with that thread, so that you can comment like in the following screenshot:

When the process is completed, you now have two tweedentities ready to be used to log in to any other ÐApp without the hassle of creating new usernames and passwords.

Of course, to obtain this result, ÐApps have to adopt it and here is where you can massively help, spreading the word.

🤔 What it looks like

Just connect to the Main Ethereum Network (or the Ropsten Testnet) and browse my profile at:
https://dapp.tweedentity.com/#/profile/0x70f41fe744657df9cc5bd317c58d3e7928e22e1b

🎶 How to integrate Tweedentity into a ÐApp

Let’s say that you are launching an ICO and need to whitelist your participants. Right now, probably, you will ask them to create an account on your website. Let me tell you that this is very annoying. If you integrate Tweedentity, as soon as the users open your ÐApp with the wallet active in MetaMask, you can retrieve their tweedentities from the blockchain. All you have to do is ask them which wallet they’d like to use to participate in the ICO (because they DON’T use the identity wallet for that) and any other data you need (KYC/AML, etc.). When they come back, they will be signed in to the app automatically: no risk of losing the password, no stress for the user.
Using Tweedentity makes everything simpler, faster and safer.

Of course, even if Tweedentity has been developed with ÐApps in mind, it can be used as an SSO by any web app.

The upcoming tweedentity.js will make the integration super easy. In the meantime, you can connect to the TweedentityRegistry on the Ethereum blockchain and read the data from there (as I do now in the ÐApp), using the ids to retrieve the users’ data on Twitter or Reddit. The registry is resolved by the ENS domain tweedentity.eth and you can read its variables at
https://etherscan.io/address/tweedentity.eth#readContract.

While the stores won’t change in the future, because we don’t want to lose any data, the registry, the manager (which handles the stores) and the claimer (which receives a claim and confirms the ownership) can be upgraded to solve future issues and improve the system.

📛 Possible problems

It is not rare for an account, for example a Twitter account, to be hacked. If this happens, the hacker can claim the ownership of the Twitter account on the blockchain. Of course, nobody can fix the mistakes people make because they underestimate security, but, in case something very bad happens, the unsetIdentity method in the StoreManager smart contract allows Tweedentity’s (future) customer service to unset a tweedentity, if it’s absolutely clear that there has been an abuse. This way the legitimate owner can set the right one.

⏰ What’s next

I am working on tweedentity.js and I will put it under heavy test, very soon, to whitelist the wallets of those who’d like to participate in the second, and final, round of free distribution of the NIL token. Since you need a tweedentity to participate, be ready 😎

❤️ If you love to contribute

Fork the Tweedentity repository on Github and submit your changes:
https://github.com/tweedentity/dapp.

While I am quite sure that the smart contracts are safe, since I don’t have money to ask someone to audit the code, a voluntary audit of the /store section would be super-appreciated and rewarded with … NIL tokens.
I know, they don’t have any value. But I hope you are adventurous enough to ignore this small detail 😜

Also, you can develop other dapps on top of Tweedentity. For example, a search engine for tweedentities would be very useful. To do that you could watch all the events emitted during setting and unsetting and cache them in a database.
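
A minimal in-memory version of the event cache suggested above, as an added example that is not the project's own code. The event names, field names and the one-wallet-per-account rule are assumptions, and the sample log is constructed; it also shows why such a cache has to apply unset events (see “Possible problems”), so that a revoked wallet stops resolving.

```javascript
// Added example: event and field names are assumptions, not the real contract ABI.
// Constructed sample log, delivered out of order and with one duplicate.
const sampleEvents = [
  { block: 120, logIndex: 0, type: 'IdentityUnset', app: 'twitter', uid: '1001', wallet: '0xAAA1' },
  { block: 100, logIndex: 2, type: 'IdentitySet', app: 'twitter', uid: '1001', wallet: '0xAAA1' },
  { block: 130, logIndex: 1, type: 'IdentitySet', app: 'twitter', uid: '1001', wallet: '0xBBB2' },
  { block: 100, logIndex: 5, type: 'IdentitySet', app: 'reddit', uid: 'u42', wallet: '0xAAA1' },
  { block: 130, logIndex: 1, type: 'IdentitySet', app: 'twitter', uid: '1001', wallet: '0xBBB2' },
];

function buildIndex(events) {
  const byUid = new Map();    // "app/uid"    -> wallet
  const byWallet = new Map(); // "app/wallet" -> uid
  const seen = new Set();     // "block:logIndex" of logs already applied
  // Replay in chain order: subscriptions can deliver logs late or twice.
  const ordered = [...events].sort((a, b) => a.block - b.block || a.logIndex - b.logIndex);
  for (const ev of ordered) {
    const id = `${ev.block}:${ev.logIndex}`;
    if (seen.has(id)) continue;
    seen.add(id);
    const wallet = ev.wallet.toLowerCase();
    const uidKey = `${ev.app}/${ev.uid}`;
    const walletKey = `${ev.app}/${wallet}`;
    if (ev.type === 'IdentitySet') {
      // Drop stale links on both sides so the two maps stay consistent.
      const oldWallet = byUid.get(uidKey);
      if (oldWallet) byWallet.delete(`${ev.app}/${oldWallet}`);
      const oldUid = byWallet.get(walletKey);
      if (oldUid) byUid.delete(`${ev.app}/${oldUid}`);
      byUid.set(uidKey, wallet);
      byWallet.set(walletKey, ev.uid);
    } else if (ev.type === 'IdentityUnset') {
      // Only remove the binding the unset refers to, never a newer one.
      if (byUid.get(uidKey) === wallet) {
        byUid.delete(uidKey);
        byWallet.delete(walletKey);
      }
    }
  }
  return {
    walletOf: (app, uid) => byUid.get(`${app}/${uid}`) ?? null,
    uidOf: (app, wallet) => byWallet.get(`${app}/${wallet.toLowerCase()}`) ?? null,
  };
}

const index = buildIndex(sampleEvents);
console.log(index.walletOf('twitter', '1001'), index.uidOf('twitter', '0xAAA1'));
```

A relying app that reads from such a cache should still confirm the binding against the on-chain store before granting access, since the cache can lag behind the chain.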

In any case, join the development community on Discord.

👏 If you like this post, please clap and share it!

🔔 To stay updated follow 0xNIL and Tweedentity on Twitter.

💬 Tweedentity will make a difference only if largely adopted. Spread the word!
