EOS Geneva and EOS PASS

Website login identification based on an EOS account key pair

An often overlooked feature of the EOS blockchain is its powerful native multi-key / multisig functionality. It lets you register and revoke additional keys with all sorts of permissions, such as a specific key pair linked to your EOS account that is used only for website login identification.

We implemented a solution for website login identification via a Chrome extension on the client side. You can have a look at our demo video: https://drive.google.com/file/d/14jTG2eWlhRvT6GGPBIXQNhUQLNwa9_rM

In our case, we registered a key with the “eospass” permission on account eoshopschwiz with the following cleos command:

cleos --url https://api.eosgeneva.io set account permission eoshopschwiz eospass EOS69uvyZZd6zCqtBaRCPrBbECydznY7Wx9gZ8gmE8Rh2VVtvN2a9

You can check the corresponding key/permission on https://eospark.com/account/eoshopschwiz by expanding “Permissions”.

The EOS PASS protocol is the following:

1) When the client requests the index page of an EOSPass service, the server generates a random nonce that is sent to the client’s browser. In the PHP implementation here, the nonce is the session ID provided by PHP: a random 27-character (0–9a-z) string (~130 bits of entropy). The nonce is only valid for 30 seconds after it is generated. The “login-URL” is provided as a link in the client’s browser, such as <a href="eospass://SERVERDOM/login?x=NONCE"><button>LOGIN</button></a>. The client now needs to sign the message in the href, which we call here the “login-URL”.

2) On the client side, after verifying that the message to sign (e.g. “eospass://eospass.eosgeneva.io/login.php?x=NONCE”) is coherent with the domain of the current page, the login-URL message is signed with the EOSPASS private key and returned to the server together with the account name. The signature is sent with a POST request to the login.php endpoint, as JSON data: {"uri": loginURL, "account_name": ACCOUNT_NAME, "signature": SIGNATUREEOS}

3) When it receives the POSTed signature, the server retrieves (from any public EOS node API) the public key registered under the “eospass” permission of the given account. It then checks the signature over the loginURL against this eospass public key.

4) If everything is OK (signature valid, nonce valid and existing for this user, loginURL looks right), the server grants the user access for this session and can serve a user page, such as user.php.

Here is some code for a reference implementation:

Server side implementation in PHP
https://gitlab.com/sebarmled/eos-pass

Python library to check the EOS signature (required by the PHP code)
https://gitlab.com/sebarmled/EOSCheckSig

Client side chrome extension for the users (web, JS, ContentScript)
https://gitlab.com/sebarmled/ext-chrome-eos-pass

To install the Chrome extension:

1) Go to the Extension page list in Chrome (menu -> More tools)

2) Activate “Developer mode” in the top right

3) Click “LOAD UNPACKED” to load the extension files

Test live on https://eospass.eosgeneva.io/