You. — the decentralized password manager

You. is a password manager leveraging decentralized storage and messaging that authenticates Web 2.0 and Web 3 logins with your mobile device.

Published in AirGap · 3 min read · Sep 19, 2019

You. aims for a seamless login experience with minimal interruption: biometric authentication such as FaceID unlocks the secure enclave of your mobile device, and only then are the stored passwords accessible.

Prototype built at ETHBerlin

We kept discussing that there should be a better way to manage passwords, ideally in a decentralized way and without compromising on security. That’s why we set out at ETHBerlin and built You. — the decentralized password manager, which in the end was well received across the whole hackathon.

🏆 ETHBerlin Open Track
🏆 3Box Storage Bounty
🏆 Consensys Grants Security Bounty

evidence of the unexpected and most chaotic presentation at ETHBerlin

So what are the next steps..?

After ETHBerlin we are working on bringing the prototype to a functional MVP. To make this possible and sustain the development resources on our end, while keeping the project open source, we are asking you to contribute through the Gitcoin Grants page if you’re interested in seeing this come to fruition.

👉 You. — Gitcoin Grants page

More information can be found there, as well as a tentative roadmap with the next phases.

Okay.. but how does You. actually work?

You. provides a Chrome Extension which communicates with the You. app installed on your phone. Whenever the extension recognizes a login form for which a password is available, it triggers a push notification to your phone. You confirm the login with your biometrics, and after the confirmation your browser logs you into the web service.

You. has 3 components

Mobile Application

This is the actual password manager and the bridge between your passwords and you. The secure enclave is unlocked with biometrics, so the user becomes the authentication factor. Whenever a new login request reaches the device, the user is prompted to approve it. If approved, the encrypted credentials are sent over 3Box messaging to the Chrome Extension, which fills them into the form.

Chrome Extension

This component is responsible for detecting sites that contain login fields and for which the password manager holds a credential. The latter check uses a Cuckoo filter shared from the mobile application, so the extension only ever holds fingerprints of the sites, not the site list itself; a cuckoo filter is probabilistic, so a rare false positive merely triggers a push notification that the phone can decline. The Chrome Extension never has access to all passwords at the same time, only to the ones forwarded by the mobile application.

Push Notification Oracle

This component is responsible for triggering a push notification on the mobile device. Communication with the oracle happens over the 3Box messaging feature. The workflow is that the mobile device registers a given Ethereum address together with a push token. When the Chrome Extension gets a login request, it forwards the details to the push oracle, which sends a push notification to the mobile application.

These three components communicate with each other only over 3Box messaging. All persisted data is encrypted using a crypto system that allows for:

  • multi-party sharing using Diffie-Hellman key agreement
  • complete recovery using the Ethereum account
  • secure storage of sensitive data in a public context
  • cuckoo filter lookups of entries

We’re looking forward to all your feedback, let us know what you think.

You. Devpost | You. GitHub | AirGap Telegram | AirGap GitHub | Twitter
