Hi ?
I'd like to present Stellar Authenticator to the Stellar Building Challenge. It is both part of the wider project of implementing the CosmicLink protocol and a tool I need as I plan an ICO on Stellar network and felt I'll need something to secure better investor & users.
Stellar Authenticator has been designed to securely & easily sign Stellar transaction.
I felt a need for it after seeing that a increasingly number of Stellar-based service ask for my private seed. I thought this is a flawed development model as secret key propagation will lead to multiple attacks that'll hurt the whole network and each of us. Each time I want to use a new service, I'm facing the issue of trust. It seems that solving this would benefit everyone.
I designed Stellar Authenticator as a solution similar to Google authenticator and so on. The idea is having an app that exclusively focus on signing transaction and securing private keys. By keeping the codebase tiny & simple, we make it easier to audit. It should offer encrypted backup on the cloud, as a way to protect casual and non-tech users from loss. It should be compatible with any service that wish so. It should make account creation & authentication as easy as possible.
The idea behind this authenticator & cosmic link implementation is that only one application should ever have potential access to your private key. To achieve this, Stellar Authenticator allow you to sign either XDR or Cosmic links, that any service is able to produce. Stellar Authenticator will come in two flavors: as web application and as phone application. Both work with the same Javascript/HTML5 codebase in order to ease code reviewing. Phone apps will be embeded in Android/iOs wrappers built automatically with adobe phonegap.
One core activity of the development is inventing new ways to harden the security of the authenticator. Those protections will have to be implemented gradually as the incentive for building an attack goes up with the user base. When needed, I'll implement mechanisms that enforce peer review & auditing before releasing new versions of the code. I'm expecting some of the services handling Stellar Authenticator in the future to adopt a code reviewing routine and I'm thinking about ways to thanks them for the work.
In the future, I'd like Stellar Authenticator to be a way to log-in into Stellar services aswell. I'm still thinking about how to achieve that.
Of the three projects I'm presenting, Stellar Authenticator is the more demanding one and as such still need some serious effort before I release the first Alpha. However, I plan to have it available on each platform before the 15th.
I signed my first url-formatted transactions today and want to bring you something clean & polished enough for testing.
To be done before Beta (hopefully end-march)
- File-based backup of the seeds
- First level of security features
- Support multi-operation transactions
- Better malformed links handling
- Better interface
- Build phone application packages & release
- Off-line signing
- Support testing network
To be done before first stable release (hopefully end-june)
- Support Ledger blue & Ledger nano S
- Internationalization / translations
- Paper & Cloud backup
- Linking several wallet services
- Log-in capabilities
- Signing text/files (interesting advanced feature for free)
- Support a hardened federation protocol
- Handle multisignature collection through a dedicated portal (link external service?)
- Support private network
- Second layer of security features
To complete this effort, I'm coding two other project that I also present for SBC (both under MIT license):
CosmicLink, a redirecting service toward choosen authenticator service :https://galactictalk.org/d/1118-cosmiclink-stellar-transaction-into-url-website
CosmicLib, easing cosmic link support & implementation for any javascript-based service: https://galactictalk.org/d/1056-cosmiclib-stellar-transactions-into-url-library-javascript
A month ago I wrote a proposal based on ideas shared here that led me to work on those projects:
https://galactictalk.org/d/819-a-standardized-way-of-handling-stellar-transactions
