How I wish read.cash integrated CashID

4 years ago

Read.cash has supported badger-specific CashID for a while now. I'm glad there's an option to log in that, in theory, needs no username, password or email. Sadly, the design and implementation mean you still need a username and password, as well as an email address, just to get started.


Here's a quick mockup of how I would like the login flow to look instead: just a simple login link in the top right corner, and if you click the text you get the regular login screen, as any user would expect:

If you hover over the CashID icon, though, you'd get this pop-up:

Scan the QR code with your smartphone wallet and you're logged in and ready to rumble!

Note: if you try to log in with a new account, the site should just create the account on the spot and show you a "new user" tutorial or guide, in which you can set your profile name and similar details.

Of course this mockup is crude and ugly, but I just wanted to showcase what I think a good authentication flow is:

1) Don't leave the content - just authenticate

2) Don't be wallet-specific, follow the specification

3) Don't use email - it's from the 1990s and we have better alternatives now.


Comments

ReadCash is a very useful app; ReadCash has been helping us make a lot of money. It is very easy to use and to create an account. Thank you for the details about ReadCash, I learned a lot from your post about ReadCash.

$ 0.00
3 years ago

When CashID in Local.Bitcoin.com? 😎

$ 0.00
4 years ago

So would my phone wallet sign with the key and send information to the site letting me log in? The wallet will send something to the site?

$ 0.03
4 years ago

Yes, the website would issue a "challenge" that your wallet would sign with one of your keys. That key would represent your authentication secret for the site and it doesn't need to be a funded key - it can be a new derived key for the site specifically, or a key you're already using with history on it.

The key itself is never transmitted; it is only used to produce the signature that proves you are in control of the key. The wallet would send the signature and request to a URL that is listed in the QR code, and the URL would also include the information necessary to connect your authentication request to your active session on the website.

$ 0.15
4 years ago
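The challenge-response flow described in the comment above, as an added example in Go that is not part of the original post or of any CashID implementation. It assumes a per-session challenge store, a message that binds the nonce to the site's domain, and P-256 in place of secp256k1 (the Go standard library ships no secp256k1); all names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Server holds the one unused challenge issued to each browser session
// (constructed example, not read.cash's code).
type Server struct{ challenges map[string][]byte }

func NewServer() *Server { return &Server{challenges: map[string][]byte{}} }

// IssueChallenge creates the fresh nonce the QR code would carry for this session.
func (s *Server) IssueChallenge(sessionID string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	s.challenges[sessionID] = nonce
	return nonce
}

// message binds the nonce to the site's domain so a signature collected by one site cannot be relayed to another.
func message(domain string, nonce []byte) []byte {
	d := sha256.Sum256(append([]byte(domain+"\n"), nonce...))
	return d[:]
}

// Verify is the callback the wallet posts to: it consumes the challenge (no replay), checks the
// signature and returns the compressed public key as the account identity; the private key is never seen.
func (s *Server) Verify(sessionID, domain string, pub *ecdsa.PublicKey, sig []byte) (string, bool) {
	nonce, ok := s.challenges[sessionID]
	delete(s.challenges, sessionID)
	if !ok || !ecdsa.VerifyASN1(pub, message(domain, nonce), sig) {
		return "", false
	}
	return hex.EncodeToString(elliptic.MarshalCompressed(pub.Curve, pub.X, pub.Y)), true
}

// NewWalletKey derives a fresh site-specific key (P-256 stands in for secp256k1 here).
func NewWalletKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// WalletSign is the wallet side: sign the challenge and hand back only the signature.
func WalletSign(priv *ecdsa.PrivateKey, domain string, nonce []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, message(domain, nonce))
	return sig
}
```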

Having to unlock and open an app on a second device just to log in doesn't make much sense to me. Most users let their browsers or password manager autofill the login anyway, so for recurring login this is actually going backwards.

$ 0.00
4 years ago

For those users, this won't impact them: they click the login text and things work as they always have, but...

For people who don't want to give up their email, who see services get hacked or sell email information, only to receive spam and marketing emails - this would be good.

For people who don't want to trust a password manager with their passwords (it is a 3rd party, after all), or who don't use a password manager and don't want to give up their password, or who simply don't want to remember passwords in the first place - this would be good.

For those who are inconvenienced by the separate device and the application startup time, just get an in-browser wallet like Badger that already supports CashID and press that "badger login" button - this is good for them too.

$ 0.05
4 years ago

Good point, valid reasons to not want to give out your email!

I don't think saying a password manager is a trusted party, but a mobile wallet is not, is fair.

$ 0.00
4 years ago

I'm not saying a mobile wallet is not a trusted entity - it is. Its incentives to remain secure are better aligned than a password manager's, though, and what it protects is slightly different.

Having it on a separate device is actually a good thing from a security standpoint as well - someone who hacks your computer can't arbitrarily make you take out your 2nd device; but they can start a browser on a virtual screen next to your existing screen, tell it to go to a site which triggers the password manager to auto-login, and then act on your behalf.

Generally it's slightly harder to break the security if you have the human forcibly involved - but nothing is ever perfectly secure and the human is a weak link in and of itself.

I'm just tired of using email and remembering passwords - we can do better, and I hope we will.

$ 0.05
4 years ago