
Companion app for authentication and share requests #45

Open
@joepio


Users need to store their agent's secret (which includes the private key) someplace safe, such as a password manager. However, this is still not optimal:

  • The secret is entered into the client app, which means that you need to fully trust the client and all its dependencies
  • A keylogger might help a hacker gain access to the secret
  • Storing the secret in the app is not easy to do safely, especially if the device is shared between users.

But still, I like the simplicity and the decentralized nature of the current authentication / authorization system.

One way to solve these issues (and some more) is to introduce a Companion App.

Atomic Companion App

This is a native app for smartphones that is responsible for storing the secret, signing commits, and granting other permissions.

Functionality

  1. Upon installation, the user (owner) can either generate a new keypair, or enter an existing secret. This can probably be done by scanning a QR code.
  2. When the owner tries to sign something, a notification is shown in the companion app. The owner presses accept, and the owner can use the client app.
  3. The owner can temporarily grant access to some client to modify a resource / write things.
  4. If a data user wants to use some specific piece of information (e.g. access to some piece of profile data) stored on the server of the owner, the owner receives a notification and can approve or deny this.
  5. When the user's server goes down / becomes unavailable, the user receives a notification.

Step 1 feels trivial, but step 2 is still kind of mystifying.

Approaches

User's Server is connected to companion app

  1. When the QR code is scanned, the companion app is linked to a server. A (websocket?) connection is opened, which allows the server to send updates to the companion.
  2. The owner enters their agent's subject, which links to their server.
  3. The client app (e.g. browser app) sends a connection request to the server. The server sees it has a connection to a companion app.
  4. Server sends a notification alert to the companion app over their Websockets connection

Use a browser extension

  • I don't like this

Connect over bluetooth

  • Even browsers can connect over bluetooth

Connect over wifi locally

  • This means the phone can be treated as a server
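The signing round-trip from step 2 of the functionality list, carried over the "User's Server is connected to companion app" approach, as an added example in Go; it is not part of this issue or of the Atomic Data code base. In-process channels stand in for the websocket between server and companion, the `approve` callback stands in for the owner tapping accept, and the message types, field names and the sample commit payload are assumptions made for the illustration. The point it makes concrete is that the client app and the server only ever handle the payload and the resulting signature; the private key never leaves the companion, and the server rejects anything that does not verify against the agent's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignRequest is what the server forwards to the companion app: the bytes the
// client wants signed plus a human-readable reason shown in the notification.
// (Hypothetical message shape, not the project's wire format.)
type SignRequest struct {
	Reason  string
	Payload []byte
}

// SignResponse travels back from the companion over the same link.
type SignResponse struct {
	Approved  bool
	Signature []byte
}

// Companion models the phone app: the only party holding the private key.
// The owner's tap on "accept" is modelled by the approve callback.
type Companion struct {
	priv    ed25519.PrivateKey
	approve func(SignRequest) bool
	inbox   chan SignRequest  // server -> companion (stands in for the websocket)
	outbox  chan SignResponse // companion -> server
}

// NewCompanion generates a fresh keypair (step 1 of the proposal) and starts
// listening for requests. Only the public key is handed out.
func NewCompanion(approve func(SignRequest) bool) (*Companion, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	c := &Companion{priv: priv, approve: approve, inbox: make(chan SignRequest), outbox: make(chan SignResponse)}
	go c.run()
	return c, pub, nil
}

func (c *Companion) run() {
	for req := range c.inbox {
		if !c.approve(req) {
			c.outbox <- SignResponse{Approved: false}
			continue
		}
		// Signing happens here and nowhere else; the key never crosses the link.
		c.outbox <- SignResponse{Approved: true, Signature: ed25519.Sign(c.priv, req.Payload)}
	}
}

// Server knows the agent's public key and holds the open link to the companion.
type Server struct {
	agentPub  ed25519.PublicKey
	companion *Companion
}

var (
	ErrDenied       = errors.New("owner denied the request in the companion app")
	ErrBadSignature = errors.New("signature from companion does not verify against the agent's public key")
)

// Sign is what the server does when a client asks for a commit to be signed:
// forward the request, wait for the owner's decision, and verify the result
// before handing it back to the client.
func (s *Server) Sign(reason string, payload []byte) ([]byte, error) {
	s.companion.inbox <- SignRequest{Reason: reason, Payload: payload}
	resp := <-s.companion.outbox
	if !resp.Approved {
		return nil, ErrDenied
	}
	if !ed25519.Verify(s.agentPub, payload, resp.Signature) {
		return nil, ErrBadSignature
	}
	return resp.Signature, nil
}

func main() {
	// Owner accepts everything except requests whose reason is "deny".
	comp, pub, err := NewCompanion(func(r SignRequest) bool { return r.Reason != "deny" })
	if err != nil {
		panic(err)
	}
	srv := &Server{agentPub: pub, companion: comp}
	// Constructed sample payload; a real commit would be the serialized commit resource.
	payload := []byte(`{"https://atomicdata.dev/properties/description":"hello"}`)
	sig, err := srv.Sign("sign commit", payload)
	fmt.Println("approved:", err == nil, "signature verifies:", err == nil && ed25519.Verify(pub, payload, sig))
	_, err = srv.Sign("deny", payload)
	fmt.Println("denied request error:", err)
}
```

Because the server verifies the signature itself, a compromised or buggy companion that returns garbage is caught at the server rather than surfacing later as an unverifiable commit, and the client app never needs the secret from the issue's first bullet.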
