Last month, we introduced EOSIO Labs™, an initiative centered on open innovation. Through EOSIO Labs we can contribute to the conversation around the future of blockchain technology with thought leadership, tools, and software. From the Assert Manifest Security Model to the Universal Authenticator Library, and our most recent release, the EOSIO Explorer, this initiative is well underway.
To date, much of our Labs research has focused on key and password management and the EOSIO™ authenticator ecosystem, and for good reason. Blockchain authenticators as key managers serve, for users, as the gateway to interacting with blockchain-based applications. They are a critical component of the user’s security and overall experience and, for that reason, are critical to the mass adoption of blockchain technology.
Today, there are several excellent authenticators in the EOSIO ecosystem. The community is innovating at an incredibly swift pace and blockchain-enabled experiences are becoming more and more accessible because of it. Nonetheless, more work is needed if we are to continue fueling widespread adoption and use of this technology.
Today’s EOSIO Labs release ties several of our recently-announced tools, software, and thought leadership pieces together into one, cohesive experience that aims to address some of the security and usability concerns users currently face. We are excited to release the EOSIO Reference Authenticator Apps.
To be clear, the implementations we are showcasing today are being released as experimental reference Open Source Software and not as proprietary products for uploading on app stores (and we discourage anyone from doing so). By releasing them in this way, we hope to encourage ongoing improvements to the security, interoperability and usability of authenticators by contributing working code and examples.
The EOSIO Reference iOS Authenticator App is an implementation on iOS that allows users to sign in and approve transactions from 1) web applications running in Mobile Safari and 2) other native iOS apps on the same device. Key management and signing take place in Apple’s Secure Enclave and/or Keychain and are protected with the device’s biometric authentication.
Example: Authenticating and Signing a Transaction from a Third-Party Mobile Web App
The EOSIO Reference Chrome Extension Authenticator is an implementation that allows users to sign in and approve transactions from web applications running in Google Chrome on desktop. Key management and signing take place in the Chrome extension secured by a passphrase.
Example: Authenticating and Signing a Transaction from a Web App in Google Chrome on Desktop
Web applications integrate with the EOSIO Reference Authenticator Apps using the Universal Authenticator Library and the EOSIO Reference Authenticator plugin for UAL. This release also includes an example web application called Tropical Stay which demonstrates how this works. Alternatively, apps can directly use EOSJS along with the appropriate signature provider.
During our research, we noticed that many popular authenticator applications support only one EOSIO-based blockchain — for example, the EOS Public Network. Those that support other chains often require users to configure the authenticator with RPC endpoints or networks so that their authenticator can communicate with the chain(s) their app interacts with.
This presents quite the challenge for ordinary users, with complexity that will only increase as more EOSIO-based blockchains are launched. Indeed, it’s not hard to imagine a future in which applications operate their own app-specific chains.
We set out to address this friction by making the EOSIO Reference Authenticator Apps entirely chain agnostic. In fact, the Authenticator Apps do not communicate with EOSIO nodes directly, at all.
This is achieved by ensuring that all of the information required to display and sign a transaction is passed in by the application proposing the transaction. [See: EOSIO Authentication Transport Protocol Specification.] After the transaction is signed in the Authenticator App, the signatures are returned to the proposing app. It’s the job of the proposing app to broadcast the transaction.
There are no RPC endpoints to configure. Any EOSIO chain is supported. And it’s all secured by the Assert Manifest Security Model.
Another observation we made was that many popular authenticators — especially those on mobile — require users to fundamentally change their browsing habits if they want to use blockchain-enabled web applications. In these authenticators, users are expected to browse these blockchain-enabled web applications from within the confines of a specialized, in-app blockchain web browser instead of just working with the users’ everyday web browser of choice. Furthermore, most authenticator apps on mobile platforms do not support inter-application transaction signing (i.e., signing transactions proposed by other native mobile apps).
The EOSIO Reference iOS Authenticator App allows users to sign in and approve transactions from web applications running in Mobile Safari as well as other native iOS apps on the same device. This is accomplished using the EOSIO Authentication Transport Protocol and the Deep Linking URL Query String transport.
The EOSIO Reference Authenticator Apps demonstrate another key feature — that of domain-verified, chain-attested app identification. During selective disclosure (i.e., sign in) and transaction signing requests, apps are clearly identified to the user by an app name, icon and domain. These, along with other metadata, are retrieved from an application manifest served from the app’s domain and are asserted as part of the transaction. For more information on how this works, and its related benefits, see our previous EOSIO Labs Release: The Assert Manifest Security Model.
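The check an authenticator has to make before showing an app's name, icon and domain can be sketched as follows. This is an added example, not code from the reference apps or the EOSIO specifications; the request and manifest field names, the tropical.example domain and the sample data are hypothetical and constructed for illustration.

```javascript
// Added example: field names are hypothetical, not taken from the EOSIO specs.
const { createHash } = require('crypto');

const sha256Hex = (data) => createHash('sha256').update(data).digest('hex');

// request: { declaredDomain, manifestHash } as carried in the signing request.
// fetchedFromUrl / manifestBody: where the authenticator fetched the manifest
// from, and the exact text it received.
function verifyAppIdentity(request, fetchedFromUrl, manifestBody) {
  const fetched = new URL(fetchedFromUrl);
  const declared = new URL(request.declaredDomain);
  // 1. The manifest must come from the domain the app claims, over HTTPS.
  if (fetched.protocol !== 'https:' || fetched.origin !== declared.origin) {
    return { ok: false, reason: 'manifest not served from declared domain' };
  }
  // 2. The manifest text must hash to the value asserted in the transaction.
  if (sha256Hex(manifestBody) !== request.manifestHash) {
    return { ok: false, reason: 'manifest hash does not match transaction' };
  }
  // 3. The manifest itself must name the same domain it was served from.
  let manifest;
  try {
    manifest = JSON.parse(manifestBody);
  } catch {
    return { ok: false, reason: 'manifest is not valid JSON' };
  }
  if (manifest.domain !== declared.origin) {
    return { ok: false, reason: 'manifest names a different domain' };
  }
  // Only now is the identity safe to display to the user.
  return { ok: true, app: { name: manifest.name, icon: manifest.icon,
                            domain: declared.hostname } };
}

// Constructed sample data.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'Tropical Stay',
  domain: 'https://tropical.example',
  icon: 'https://tropical.example/icon.png',
});
const SAMPLE_REQUEST = {
  declaredDomain: 'https://tropical.example',
  manifestHash: sha256Hex(SAMPLE_MANIFEST),
};

console.log(verifyAppIdentity(SAMPLE_REQUEST,
  'https://tropical.example/manifest.json', SAMPLE_MANIFEST));
```

Because the hash is part of what gets signed, a manifest altered after the request was built fails step 2 even when it is served from the right domain.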
EOSIO provides for rich Ricardian contracts that plainly explain to users the action or actions they are agreeing to. Many wallets, however, do not take advantage of the ability to display these agreements to their users. And some resort to displaying the contents of the transaction to their users in formats which are intended to be parsed by computers, not humans (e.g., JSON, YAML).
Both the Chrome Extension and iOS Reference Authenticator Apps leverage the Ricardian Template Toolkit to provide users with a consistent, transparent, and user-friendly presentation of transaction data during the signing process. For more information, see our recent EOSIO Software Release: Ricardian Contract Specifications and the Ricardian Template Toolkit.
While these reference implementations provide interesting, and hopefully compelling, solutions to some of the limitations and issues users face with blockchain wallets today, they are by no means the ultimate solution. We are submitting them to the community as part of the continuing conversation around what the user experience could be. There are still questions to answer, problems to solve, and possibilities to explore. For example:
Those last questions are especially interesting and are the topic of our recent article, “A Passwordless Future: Building Towards More Secure and Usable Authentication Systems.”
We believe that the answers to many of these questions lie with the active and engaged EOSIO community. We hope that this open source release, and the many ideas that it brings together will inspire wallet developers to explore new ways of thinking about key management and signing for blockchain, and authentication more generally.
If you would like to try the EOSIO Reference Authenticator Apps out for yourself, here are a few resources to get you started:
If you have questions, suggestions, ideas, etc., get involved. We invite you to log issues or submit Pull Requests against these repos. Or fork them and innovate on your own.
If you are interested in providing feedback and working more closely with our team to improve EOSIO for developers, you can send our developer relations team an email at email@example.com.
You can also keep up to date with future updates by subscribing to our mailing list on the EOSIO Developer Portal. We are excited to be regularly improving the usability of the software for EOSIO developers as we continue to lay a foundation for the mass adoption of blockchain technology.
All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
Disclaimer: Block.one makes its contribution on a voluntary basis as a member of the EOSIO community and is not responsible for ensuring the overall performance of the software or any related applications. We make no representation, warranty, guarantee or undertaking in respect of the releases described here, the related GitHub release, the EOSIO software or any related documentation, whether expressed or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall we be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or documentation or the use or other dealings in the software or documentation. Any test results or performance figures are indicative and will not reflect performance under all conditions. Any reference to any third party or third-party product, resource or service is not an endorsement or recommendation by Block.one. We are not responsible, and disclaim any and all responsibility and liability, for your use of or reliance on any of these resources. Third-party resources may be updated, changed or terminated at any time, so the information here may be out of date or inaccurate. Any person using or offering this software in connection with providing software, goods or services to third parties shall advise such third parties of these license terms, disclaimers and exclusions of liability. Block.one, EOSIO, EOSIO Labs, EOS, the heptahedron and associated logos are trademarks of Block.one. All other trademarks referenced herein are the property of their respective owners.
EOSIO Labs™ Release: iOS and Chrome Extension Authenticator Reference Applications was originally published in eosio on Medium, where people are continuing the conversation by highlighting and responding to this story.