This past weekend in Washington, DC at the B1June event, we announced EOSIO 2 updates on the horizon, which we hope will bring enhanced performance and support for the latest web authentication standards to EOSIO™. EOSIO 2, the next major version of EOSIO, will make using blockchain applications even easier for the masses.
Continuing in the spirit of open innovation through EOSIO Labs™, we have released a WebAuthn Example App to demonstrate how we intend to implement WebAuthn support for EOSIO.
This EOSIO Labs release follows suit of our recent releases focused on key and password management streamlining the EOSIO authenticator ecosystem. From the Assert Manifest Security Model to the Universal Authenticator Library, and our most recent release of iOS and Chrome Extension Authenticator Reference Applications, we are dedicated to exploring the future of seamless security on EOSIO.
Securing EOSIO blockchain applications with WebAuthn Support
WebAuthn is a new World Wide Web Consortium (W3C) standard accepted and pioneered globally by many major technology companies like Yubico, Google, and Microsoft, that enables secure authentication supported by all leading browsers and platforms.
To our knowledge, EOSIO is the first blockchain protocol to adopt the WebAuthn standard. As a new security standard approved by the W3C, we are excited to be pioneering its adoption within the blockchain community.
Bringing this standard to EOSIO opens up the possibility of more secure and seamless transaction signing for blockchain applications built on EOSIO. Rather than worrying about private keys, users will be able to sign transactions using their choice of standard hardware authenticators (rather than Chrome extensions or applications) such as the newly announced EOSIO YubiKey and built-in platform authenticators like fingerprint sensors and other biometrics.
More information about WebAuthn can be found at https://webauthn.guide.
WebAuthn Example Web App for EOSIO YubiKey Support
This example app is meant purely for demonstration purposes and should not be deployed in its current form into any production environments. It is meant to illustrate how an application running on a private EOSIO based blockchain could generate WebAuthn-compatible keys for users and request signatures from users with those keys to sign transactions.
This is facilitated by eosjs, a WebAuthn Signature Provider for eosjs, and the built-in browser Web Authentication API. The browser prompts the user to authenticate with their security key or built-in platform authenticator.
While users will have their choice of authenticator or biometric key that supports WebAuthn, we are excited to have announced that Block.one will be working with Yubico to provide EOSIO branded YubiKeys for EOSIO users and developers to use with blockchain applications. More information about the sale of EOSIO YubiKeys is available on the Build on EOSIO section of the EOSIO Website.
Existing Limitations to WebAuthn on EOSIO
As this is an example web app being released under EOSIO Labs, there are still a number of limitations we hope to work through before bringing this standard to full support in production environments. You can read more detail about these limitations in the WebAuthn Example Web App GitHub repository.
Most importantly, there is currently no way to display Ricardian contracts to users when using WebAuthn. For this reason, WebAuthn, when used in conjunction with EOSIO, should be used with caution and only on private chains and applications already trusted by the end user.
We will continue working to test and enhance WebAuthn support for EOSIO before its official release outside of EOSIO Labs. We believe that the answers to many of these limitations lie with the active and engaged EOSIO community. We hope that this open source release will inspire EOSIO developers to explore how this web security standard will impact the future of authentication on EOSIO based blockchains and applications.
If you have questions, suggestions, ideas, etc., get involved. We invite you to log issues or submit Pull Requests against this repo.
If you are interested in providing feedback and working more closely with our team to improve EOSIO for developers, you can send our developer relations team an email at email@example.com.
You can also keep up to date with future announcements by subscribing to our mailing list on the new EOSIO website. We are excited to be regularly improving the usability of the software for EOSIO developers as we continue to lay a foundation for the mass adoption of blockchain technology.
Disclaimer: Block.one makes its contribution on a voluntary basis as a member of the EOSIO community and is not responsible for ensuring the overall performance of the software or any related applications. We make no representation, warranty, guarantee or undertaking in respect of the releases described here, the related GitHub release, the EOSIO software or any related documentation, whether expressed or implied, including but not limited to the warranties or merchantability, fitness for a particular purpose and noninfringement. In no event shall we be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or documentation or the use or other dealings in the software or documentation. Any test results or performance figures are indicative and will not reflect performance under all conditions. Any reference to any third party or third-party product, resource or service is not an endorsement or recommendation by Block.one. We are not responsible, and disclaim any and all responsibility and liability, for your use of or reliance on any of these resources. Third-party resources may be updated, changed or terminated at any time, so the information here may be out of date or inaccurate. Any person using or offering this software in connection with providing software, goods or services to third parties shall advise such third parties of these license terms, disclaimers and exclusions of liability. Block.one, EOSIO, EOSIO Labs, EOS, the heptahedron and associated logos are trademarks of Block.one. Other trademarks referenced herein are the property of their respective owners. Please note that the statements herein are an expression of Block.one’s vision, not a guarantee of anything, and all aspects of it are subject to change in all respects at Block.one’s sole discretion. We call these “forward looking statements”, which includes statements in this document, other than statements of historical facts, such as statements regarding EOSIO’s development, expected performance, and future features, or our business strategy, plans, prospects, developments and objectives. These statements are only predictions and reflect Block.one’s current beliefs and expectations with respect to future events; they are based on assumptions and are subject to risk, uncertainties and change at any time. We operate in a rapidly changing environment. New risks emerge from time to time. Given these risks and uncertainties, you are cautioned not to rely on these forward-looking statements. Actual results, performance or events may differ materially from what is predicted in the forward-looking statements. Some of the factors that could cause actual results, performance or events to differ materially from the forward-looking statements include, without limitation: market volatility; continued availability of capital, financing and personnel; product acceptance; the commercial success of any new products or technologies; competition; government regulation and laws; and general economic, market or business conditions. All statements are valid only as of the date of first posting and Block.one is under no obligation to, and expressly disclaims any obligation to, update or alter any statements, whether as a result of new information, subsequent events or otherwise. Nothing herein constitutes technological, financial, investment, legal or other advice, either in general or with regard to any particular situation or implementation. Please consult with experts in appropriate areas before implementing or utilizing anything contained in this document.