Project Spotlight: Universal Login
If you have ever used decentralized platforms such as Bitcoin or Ethereum (to name only a few), you probably installed a few Apps on your Desktop, on your Mobile, etc… Those include so-called wallets, dApps, etc…
The on-boarding process varies a little bit but mostly boils down to making a new account or set of accounts on the device. This new account is in fact a key pair (private key + public key) or a seed allowing the deterministic generation of multiple key pairs. Your new App will likely take care of storing the newly generated private key, more or less securely.
This point is critical as anyone able to access this private key has access to your account and can take actions on your behalf or transfer your funds.
Most users are not educated, do not have the time, or do not want to bother following the best practices you are trying to teach with the help of red banners and scary messages. And that’s ok, users are users… they want to use your App, not understand how it works.
But let’s make the bad assumption for a few minutes that Bob, our demo user, really cares and is a little crypto educated.
Bob installs the App on his phone and creates a new account. He picks a strong password, saves his seed carefully and starts enjoying his App.
Life is great.
Bob hears about this new other App but prefers using his Laptop this time. Same procedure, this time Bob is slightly less careful because let’s admit, the procedure is rather boring.
When it comes to installing the 3rd App, even Bob will start reusing passwords, saving his seed in a text file as sometimes even recommended, etc…
As a result, Bob now has 3 or more accounts, for 3 different Apps, on 3 different devices; this is barely manageable already. At that point, the temptation is huge to think about how easy it is to click one of the following single sign-on buttons and enjoy how simple they are.
Life is now great…ly centralized
What solutions exist today to make Bob’s life both easier and more secure? As an educated crypto user, Bob may want to use a Hardware wallet.
This solution has limitations too:
- using a Hardware wallet requires an extra set of strange (OTG) cables and adapters to connect your phone to your hardware wallet
- you are using your very secure hardware wallet with a very insecure device connected to the internet
Like many challenges in the crypto-sphere, the issue is not new, but its difficulty makes it unattractive for teams to work on in comparison to… copy/pasting and deploying an ERC20 token.
This is however precisely the challenge https://universallogin.io/ took on. Alex Van de Sande and the universal-login team decided to tackle the problem and work toward a better — yet still decentralized — solution.
The idea is well illustrated on the project’s site:
Instead of trying to increase the security on each device or within each App, their strategy is to:
- have a single, decentralized, identity managed through a smart contract
- accessible from many devices with various risk exposure
- with various levels of access rights
Your identity is no longer bound to some data stored on a device or managed by a major internet Megacorp but linked to a smart contract that can be accessed by your devices (multisig).
If you lose your phone? Simply revoke the access using another device. If an App requires an extra level of security? It can require you to confirm your action using one of the other devices you previously registered.
There are still key pairs on your devices; the difference now is that they do not store funds and tokens anymore. They store a temporary right to access your identity, the same identity used by various Apps, from various devices.
The project, although still young, is not only a concept: you can already play with it. Here is what it looks like when you visit https://example.universallogin.io/
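The model described above (one identity, several device keys with different access levels, revocation and confirmation from another device), as an added example that is not code from the Universal Login project. It is an in-memory JavaScript model; the level names, method names and device labels are assumptions made for illustration.

```javascript
// Added illustration (hypothetical names), not Universal Login's contract or SDK.
const Level = { ACTION: 1, MANAGEMENT: 2 };
class IdentityModel {
  constructor(firstDeviceKey) {
    // The identity is the contract; each device only holds a revocable key.
    this.keys = new Map([[firstDeviceKey, Level.MANAGEMENT]]);
    this.pending = new Map(); // id -> { action, required, approvals }
    this.nextId = 1;
  }
  requireLevel(key, level) {
    if ((this.keys.get(key) || 0) < level) throw new Error(`${key}: access denied`);
  }
  addKey(by, newKey, level) {
    this.requireLevel(by, Level.MANAGEMENT);
    this.keys.set(newKey, level);
  }
  revokeKey(by, lostKey) {
    this.requireLevel(by, Level.MANAGEMENT);
    // Revoking from another device guarantees a management key always remains.
    if (by === lostKey) throw new Error('revoke from another device');
    this.keys.delete(lostKey);
    // Approvals the revoked device already gave must stop counting.
    for (const p of this.pending.values()) p.approvals.delete(lostKey);
  }
  propose(by, action, required) {
    this.requireLevel(by, Level.ACTION);
    const id = this.nextId++;
    this.pending.set(id, { action, required, approvals: new Set() });
    this.approve(by, id);
    return id;
  }
  approve(by, id) {
    this.requireLevel(by, Level.ACTION);
    const p = this.pending.get(id);
    if (!p) throw new Error('unknown or already executed action');
    p.approvals.add(by); // a Set, so one device cannot approve twice
    if (p.approvals.size < p.required) return false;
    this.pending.delete(id); // a real contract would execute the call here
    return true;
  }
}
function lostPhoneScenario() {
  const id = new IdentityModel('laptop');
  id.addKey('laptop', 'phone', Level.ACTION);
  id.addKey('laptop', 'tablet', Level.ACTION);
  const action = id.propose('phone', 'sensitive action', 2); // needs 2 devices
  id.revokeKey('laptop', 'phone'); // phone lost: revoked from the laptop
  const tablet = id.approve('tablet', action); // phone's approval was dropped
  const laptop = id.approve('laptop', action); // second valid device confirms
  return { tablet, laptop, phoneStillKnown: id.keys.has('phone') };
}
```

The scenario shows why revocation also has to clear approvals already given: otherwise a lost device's earlier confirmation would still count toward a sensitive action.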
The demo is running on Ropsten and uses Infura under the hood.
You will see a register/sign-in page guarding a simple hello world app called ‘Clicker’. Once logged in, you will be able to click a button in order to spend a virtual balance of Klicks. You earn those Klicks by registering and setting up your account.
This first page is using the ENS. You can either type a new name and register or let the app make a new account for you.
Making an account may look similar to what you have already seen. In that case, it is however not the process you know. Instead, the App will generate your Identity contract and attach the newly generated key pair to your freshly created Identity.
Creating a new Identity is very smooth as you only need to wait for a few seconds. You do not need to provide any personal information. You need neither a wallet or compatible browser, nor funds on any account.
At the end of the process, you will see, for information, the address corresponding to the key pair that has been generated on your device.
You can check Bob’s account: https://ropsten.etherscan.io/address/0xa09f0cb5c6ed4d16284865a7b12ca5972d60dacd
You will notice that Bob has a 0 ETH balance but did deploy a contract.
Bob has been granted 100 UNL; those are our “Klicks”.
It is interesting to notice that the process does not require any password, any wallet or extension.
It seems that a few people went through that process already, as Etherscan.io shows
You can now access the demo App and see that you have been granted a few Klicks (ULN):
The demo Clicker App also demonstrates what the settings page could look like:
If you used a browser in Incognito mode so far and close it, you will lose your access to the Identity. You can however recover the access easily after confirming from another device.
The project is still in active development:
and you will likely spot glitches as the network usage on my machine shows:
This project is however eye-opening on what web3 will look like.