Passwordless Authentication using Cryptocurrency

Frank Kilkelly
Photo by Mark Basarab on Unsplash

Today’s authentication systems are moving away from traditional password-oriented solutions. An example would be biometric authentication using a fingerprint. Due to a fingerprint’s uniqueness you can be sure that the person authenticating themselves are who they say they are.

A fingerprint’s uniqueness has parallels to wallet seeds in cryptocurrency. When you create a wallet for receiving cryptocurrency you generate a seed in a secure manner. If generated correctly and depending on the size of the seed, it is almost guaranteed that this exact seed will never be generated again. So for all intents and purposes it is unique.

If a wallet seed is kept secure then any activity observed from the wallet can be deemed to be from the person who generated its seed. If they have funds in their wallet they have a huge incentive to keep the seed secure.

As a wallet seed is unique it can be used as a substitute for a username / password combination in a traditional authentication system. To avoid exposing the wallet seed during the authentication process, you can instead send some funds from the wallet to prove you own it.

A website can receive these funds and create a linked account for you. Any future activity observed from the wallet can be used to access the newly-created linked account.

Which cryptocurrency should be used?

For authentication purposes a cryptocurrency should be evaluated under two categories: speed and cost.

Speed

When a user authenticates themselves on a website they expect it to be reasonably fast. If it takes longer than 5 seconds it’s bad UX and the user will end up frustrated. Therefore we cannot use cryptocurrencies with a long transaction confirmation time. These include, most notably, Bitcoin.

Cost

Paying for authentication is something that is completely foreign to website users, if not totally unacceptable. However in our example sending some funds is necessary to prove ownership of the wallet seed. If we can refund the funds then it may not be an issue. However the majority of cryptocurrencies have fees associated with any activity on the network. Therefore the ideal cryptocurrency for authentication should be fee-less to transact with.

Nano makes it possible

Taking into account speed and cost as our two deciding factors, the only choice that makes sense to use currently is the digital currency Nano.

Nano logo
Nano logo

Speed

Nano is extremely fast. Recent figures put the median transaction confirmation time at 0.2 seconds [1]. This is more than adequate for authentication purposes.

Cost

Nano is fee-less to transact with. Therefore offering refunds after authentication would return the exact amount of funds the user sent initially and would not leave them out of pocket.

Explaining the demo

As a proof-of-concept I’ve implemented a demo of this authentication system using Nano, available at https://nanocharts.info/passwordless/. It allows you to register and sign in to an account. This is accomplished 100% with Nano, no usernames or passwords are necessary.

‘Register with Nano’ and ‘Sign In with Nano’ buttons
‘Register with Nano’ and ‘Sign In with Nano’ buttons
‘Register with Nano’ and ‘Sign In with Nano’ buttons.

How it works

To register or sign in you must first specify your Nano address. You will then be asked to send a random amount of Nano between 0.000001 and 0.000099 NANO to one of a special range of Nano addresses designated for authentication purposes. The random amount is required as a security measure (see section “Attack vector — Squatting”).

The authentication system will listen on the network for a send transaction containing your Nano address and random amount of Nano specified. If it finds this transaction, this proves that you are in control of the Nano address. If this is a registration attempt then a linked account is created. If this is a sign in attempt you will be signed in to the linked account. The Nano amount sent is automatically refunded if it exactly matched the amount of Nano requested.

You can see an entire flowchart of the authentication process below.

Flowchart for the registration and sign in processes in the passwordless Nano authentication system
Flowchart for the registration and sign in processes in the passwordless Nano authentication system
Flowchart for the registration and sign in processes in the passwordless Nano authentication system

Weighing up the strengths and weaknesses

No authentication system is perfect. Let’s review the good and the bad of this system.

Strengths:

  • No need to remember a username and password. Just have your Nano wallet on hand.
  • Secure if implemented correctly. You would need to lose control of your wallet seed to lose control of your linked account. Since you will have some funds tied to your wallet seed you are more likely to keep it secure.
  • Registration spam prevention. If it was in the service’s terms and conditions to keep the funds sent during registration i.e. not refunded, then it would cost a spammer Nano every time they created an account. Hence it would not make economical sense for spam accounts to be created.
  • Registration funds as revenue. Some services charge a registration fee to become a member. With the authentication system detailed above, the funds sent during the registration process could be deemed as the registration fee i.e. not refunded. This way a service could do away with a separate system just for collecting registration fees and instead roll it into the Nano authentication system. Keeping the registration funds would have to be made clear to new users registering.
  • Brute force attack vector is made redundant. Since there is no password system, an attacker cannot use brute force guessing attacks to gain access to an account. Also it’s next to impossible to guess a wallet seed.

Weaknesses:

  • “Squatting” attack vector, see section below.
  • Privacy concerns if implementation is weak. If someone knew the receiving Nano address used by the website to check authentication amounts coming in from the network, then you would know which Nano addresses are signing in, how many times they sign in and the sign in dates. To counter this a wide range of authentication Nano addresses should be used by the website. Ideally a new Nano address should be used by the website with each authentication attempt. In the proof-of-concept demo created for this article, multiple Nano addresses are used for authentication purposes.
  • User must enter a long and cumbersome Nano address. If they have the Nano address on hand to copy and paste this is less of a problem, but users like the convenience of simply typing in their username and password.
  • Implementation of authentication system must be robust. As refunds will be performed, the code and hardware behind the system must be able to handle network issues. If a refund fails due to some unforeseen error the user refund must be attempted again shortly afterwards to maintain a user’s confidence in the system.

Attack vector — Squatting

While a user is only able to sign in if they control the wallet seed associated with the linked account, it is possible for a malicious user to attempt to squat on a Nano address. This is achieved by entering a Nano address you don’t control and if that address happens to authenticate itself within a certain time period then the system would grant access to all listening browsers.

To guard against a squatting attempt the authentication system asks you to send a random amount between 0.000001 and 0.000099 NANO, and imposes a 2 minute time window in which to authenticate. If a send transaction with exactly the random amount Nano requested appears within the time limit then the system will grant access. Otherwise the authentication attempt will fail.

If a squatter was to open 100 simultaneous squatting attempts in their browser in an attempt to exactly cover the entire 0.000001 — 0.000099 NANO range of random amounts, then it’s still possible to squat. However they would need to refresh these sessions every 2 minutes to account for the authentication time window.

One way to make squatting near impossible is to increase the range of random Nano amounts that can be sent. However most wallets don’t allow you to send amount less than 0.000001 NANO so the current range is a compromise between security and requesting only smalls amount of Nano. If the range could somehow in the future be increased to say something like 0.000000000000001 to 0.000001 NANO (1 billion possible amounts) then it would be near impossible to squat.

Conclusion

This article presented an alternative to traditional password-based authentication systems by using cryptocurrency as a means for a user to prove who they say they are. Care should taken during implementation to account for privacy concerns and make sure refunds are paid out, but it’s possible that such an authentication system could be used on a small scale today.

This authentication system wouldn’t be feasible without a strong cryptocurrency underpinning it. The secure, ultrafast and fee-less qualities of the Nano cryptocurrency make this possible.

Sources:

[1] https://www.repnode.org/network/propagation-confirmation — Median Confirmation Time reading taken on 24th August 2019

Thanks:

Thanks to Nano community managers Dotcom and Joohansson for their help with testing and DPoW integration.

Frank Kilkelly

Written by

Full-Stack Developer http://monivea.com

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade