Privacy-Preserving Social Login with Hypersign

Vikram Anand
10 min read · Nov 20, 2020

Introduction

Access to websites today is increasingly filtered through what are called ‘Social Logins’: Sign in with Facebook, Google, Amazon and so on. These are becoming an increasingly common authentication mechanism, offering greater security and convenience both to the website [also known as the service provider] and to the user.

The benefits to both parties are numerous. Service providers can quickly onboard users without putting them through cumbersome registration processes, while offering a smooth, safe and familiar user experience; users are freed from wasting precious time entering personal details over and over for each website they visit. Moreover, users are also saved from remembering separate usernames and passwords for each website they need access to.

Finally the cherry on the cake goes to the service providers as they get access to personal user data directly from social login providers (also called Identity Providers or IDP) to build user profiles in their internal databases.

However, not all is hunky dory in the world of Social Logins; two major challenges have been identified with this mechanism. Most social login providers [like Facebook, Google and Amazon] rely on password-based authentication, and we are well aware of the problems with passwords, such as forgotten passwords, password hacks and so on.

The identity provider stores the personal data of millions of users, and that becomes a honeypot for hackers. In addition, the identity provider also has the ability to [intentionally or unintentionally] misuse user data without the user’s consent.

Data mining is a process to turn raw data into useful information. By using software to look for patterns in large batches of data, businesses can learn more about their customers to develop more effective marketing strategies, increase sales and decrease costs. Data mining depends on effective data collection, warehousing, and computer processing.

Data mining involves exploring and analysing large blocks of information to glean meaningful patterns and trends. It can be used in a variety of ways, such as database marketing, credit risk management, fraud detection, spam email filtering, or even to discern the sentiment or opinion of users.

The Facebook and Cambridge Analytica scandal is a public matter and not really a secret. Millions of Facebook users were compromised by Cambridge Analytica, predominantly to be used for political advertising by accessing user data and injecting messaging and advertising to sway voters.

Imagine the impact this has on our lives: it does not just affect a service provider but can even dictate the future of a nation, and it is clear that this phenomenon is here to stay.

Cambridge Analytica harvested around 1.5 million Facebook users’ personal information without their knowledge or consent. This is a serious issue for users who are concerned about privacy and the protection of their personal data, as they have to fully trust Identity Service Providers on how they store and manage that data.

“Facebook knows that you are buying a ticket using ‘MakeMyTrip’ or even shopping on ‘Amazon’, and that becomes a privacy concern for users”.

The Enterprise and Social Logins

When it comes to businesses, social logins are not the most popular form of verification, as they do not clearly identify the person accessing the site. This can be due to various reasons, such as a user who has shared their credentials with a family member, who is now also using that credential. In another scenario, the credential may have been compromised and a hacker is now logging into the website. Enterprises need to be very clear about who is accessing their applications, as they are mandated by law to know their users.

In order for enterprises to be compliant with the laws of a country and allow users to access their sites, a minimum set of criteria needs to be satisfied. The law dictates that for a user to lawfully access a business’s website, at least three information criteria need to be fulfilled before the user is allowed to log in:

  1. What you know? — There must be a ‘shared secret’ [like a password] between the user and the business.
  2. What you have? — The user needs to prove that they really are the owner of the login credentials.
  3. Who you are? — Using personalised verification tools like biometrics or even facial recognition to allow authentication.

Additionally, businesses also have to add another layer of authentication, such as OTPs (One Time Passwords), for increased security.

There are other risks involved for a business, such as simply too many users trying to access the IDP system at once, causing it to crash because it cannot support that many verification requests simultaneously.

There are a multitude of challenges related to authentication, especially related to social logins and their cost to the service providers: a lost user is lost business.

Consider that a user might not be able to use the service if they cannot authenticate to the IDP. Imagine an e-commerce site where a user wants to log in to shop but is unable to, for some reason or other. If the user cannot log in, how much does that impact the user experience and, consequently, the business?

Problem Statement

There are two sides to the story:

Problem for the End-user :

  • Control: Users have no control over their personal data. Although users create their own credentials, the actual data resides with the IDPs, which gives the IDPs the ability to misuse user data.
  • Consent: More often than not, these IDPs do not have the consent of the user before sharing their data, as in the case of Cambridge Analytica.
  • Tracking: IDP providers can even track where a user is and what they are doing.

Problem for the Service provider :

  • High trust: The service providers have to trust the IDP with how it stores and manages their users’ data.
  • Too much dependency: The provider is dependent on the issuer, because the issuer needs to be online whenever a user is trying to access the provider’s system.

There has to be a concrete solution to these kinds of problems, given that some such entities do not respect privacy and have no intention of protecting user data.

On the flip side, not all identity providers are evil; they ask for user information in order to provide a better user experience, for example no registration being required every time a user accesses a new application.

It is not that we can remove the IDP completely (that is what we had before SSO [Single Sign On], right?). The role of IDPs is crucial since they verify data; as a result, the service provider gets pre-verified data, so neither the SP nor the user needs to go through the verification process again. But the question is:

“Can we provide a seamless user experience whilst keeping better security and privacy measures in mind?”

Hypersign

Hypersign is a privacy-preserving protocol to protect user data and mitigate the risks of data breaches. The protocol is built using the latest technology stacks, such as advanced public key cryptography and blockchain, to provide secure, scalable and tamper-proof solutions to the end-user as well as the service provider. The Hypersign protocol works on the concept of the issuance-verification paradigm, which can be fitted to many different use cases. One such use case is identity and access management.

Most of the concepts are self-explanatory in the above figure. Notice that the user directly shares his data (step 5) with the service provider, from the user agent (such as a mobile device), as opposed to earlier, where the IDP used to share it. This gives the user full control over his data. Moreover, this data is verified by the IDP (step 2), hence the provider can trust the data as long as it trusts the issuer. Finally, the data is cryptographically signed not just by the issuer but also by the user (steps 2 and 4), which guarantees the authenticity and integrity of the data to the provider.

Hypersign-Superhero integration for Single Sign-On

Although Hypersign comes with its own mobile authenticator app, we wanted to prove how easily the protocol can be implemented with existing solutions, so that they can leverage the benefits of the Hypersign protocol in their ecosystem without making any changes. Hence we integrated with Superhero.

What is Superhero?

Superhero is a decentralized social networking web application built on top of the AeTernity blockchain. In Superhero, a user can make posts and curate others’ posts they like using cryptocurrency. Think of Facebook on the blockchain with a tipping feature instead of likes. Because Superhero is a decentralized application, it comes with a Superhero mobile wallet, where an end-user can store their private key and use it to sign transactions on the blockchain when they curate any content.

Architecture

Let us understand the above architecture with the user journey below.

User journey

  • Once Hypersign is integrated, two new features get added to the Superhero wallet: profile and credentials. A user downloads the wallet and enters his details on the profile page. The user data goes to the Superhero server.

[Figures: Home page, Profile page]

  • The Superhero server verifies the user data, say by sending an email or sending an OTP to the phone, depending on which data needs to be verified. In this step, the Superhero server acts as a stateless server, meaning it does not store the user data. Based on this data, the Superhero server issues a cryptographically signed document (called SuperheroAuthCredential) to the user via email.
  • The end-user downloads the SuperheroAuthCredential from his email into the mobile app by scanning a QR code. Further, the end-user can view the credential details in the app itself.

[Figures: Credential list page, Credential detail page]

  • Now, whenever the end-user wants to authenticate himself to a website, he can use this credential to log in to the website via a QR code scanning mechanism. He can further use the same or different credentials to log in to more than one website, which gives an SSO environment. Take a look at the figure below.

[Figures: Before login, After login]

Key differentiator

Conclusion

  • We eliminated passwords, so there are no password-related problems at all.
  • Users are now able to share verified data directly with the service provider. Hence privacy is protected.
  • The IDP verifies user data and provides credentials without storing any user information, hence data is protected, as the IDP system cannot become a honeypot for hackers.
  • The user is still able to log in even when the IDP system is down or not working, as the service provider can verify the issued credentials on its own. Hence the system is scalable.
  • No multi-factor authentication complexity is required, because the private key in the wallet answers the question ‘What I have?’. Further, if biometrics are implemented in the mobile app, it also answers the question ‘Who I am?’. Hence the system is secure.
  • Finally, a user feels confident in using the authentication mechanism, hence the system is trustworthy.

— — — — — -

Follow us

Telegram: https://t.me/hypersignchain
Twitter: https://twitter.com/hypersignchain

— — — — — — — — — — — — — — — — — — — — — — — — — —

Hypersign is a product of Hypermine Labs

Authors:
Vikram Bhushan
Vishwas Anand
Irfan Khan

About Hypermine:
Hypermine is an avant-garde technology and research organization that is dedicated to building trust and transparency in the real world.

Using ‘Distributed Ledgers’ as our core technology coupled with ‘Machine Learning’, we are creating digital economies to create a new world for enterprise, government, and consumers.

Our vision is to create a world where privacy is a fundamental right, where our data is secure and belongs to us. A global currency that has real value; where piracy does not exist and freedom of expression is encouraged. Where wealth is shared to reduce poverty and all governance is transparent and trusted to make life better for everyone.

This document is copyright and belongs to Hypermine ©, 2020.
All Rights Reserved.

— — — — — — — — — — — — — — — — — — — — — — — — — —
