Summary

StellarAuth is a developer API and user application service for easily and securely assigning Stellar accounts to your users from within your app. Kind of like Authy (2FA) for Stellar, but also a lot like a combination of Sign In with Apple and Apple Card. Essentially it’s a secure way to give your users a Stellar account which you can send requests to and they can accept or decline in an intuitive interface. You won’t store secrets, we don’t have access to secrets and the user won’t have to deal with anything they're not already familiar with.

Goals

StellarAuth is a simple yet ambitious project born out of the frustrations and dangers of creating, securing and providing access to thousands of Stellar accounts across various apps and services. The goal is simply to assign a Stellar account to each of your users in a similar fashion to how they might add 2FA to their account. The user can claim their Stellar account, after which your app can send XDR requests to that key for the user to transparently accept or reject right from within a separate Authy-like application. This offloads the security concerns of storing thousands of key secrets without unloading that risk in raw form to the user. Their experience remains familiar via a singular passcode entered locally on their device. No one entity can gain control of any key, but all must work together to send and sign transactions. It’s a beautiful and elegant solution which will simplify and secure your applications and allow you to focus on running your business and your users to simply use your apps.

Timeline

We’ve already got a strong start and an alpha version on the testnet is ready for poking. As time progresses, feedback comes in and hopefully funding is acquired the service will mature with more robust features and use cases. By year’s end we’re looking to be integrated into a few production applications and be working closely with developers to ensure our service is meeting their needs and solving the problem of Stellar account management in a variety of use cases.

Description

“What does your project enable users to do?”

Managing large numbers of Stellar accounts is tedious when done well and dangerous when done casually. StellarAuth inserts itself into this problem by providing an intuitive and powerful solution of allowing developers to assign users a Stellar address without requiring them to store any secret or private information. Those secrets are transparently handed back to the user, packaged cleanly inside an intuitive and familiar 2FA-like native application.

“Why is your project valuable for Stellar?”

Building with Stellar is pretty easy. Securing Stellar accounts, on the other hand, is very hard, and yet it’s imperative you get it right in the case your application is successful. Developers cannot afford to get security wrong. It looks bad on them and it looks bad on Stellar. Aside from the benefits of simplifying the security issue, however, StellarAuth also provides an intuitive onramp into the Stellar ecosystem for users unfamiliar or disinterested. Most of your users simply won’t care or be qualified to store secrets, sign transactions, pass over XDRs, remember 24-word passphrases, etc.; they just want to use your app. StellarAuth provides a simple onramp and ongoing access into the ocean of benefits Stellar offers without your users ever even needing to know the name Stellar. This is huge: adoption has been one of the biggest barriers Stellar has faced to date, and StellarAuth provides an elegant answer.

“How does your project utilize Stellar?”

StellarAuth is a utility on top of Stellar. It’s a Stellar project through and through. From the Keystore files encrypted by a user’s passphrase to the XDR endpoints to send your users transactions, every corner of StellarAuth is a Stellar project aimed at getting people to use Stellar, whether they realize it or not.

Links

Example Use Cases

Ultimately any app with users and permissioned requests will find StellarAuth useful. Some key use cases I've envisioned include:

  • Better passwordless login
    • Email and SMS are risky and getting riskier. StellarAuth is secure in a similar vein to 1Password and LastPass
  • More fine grained 2FA
    • Not to mention just not having to fool with passing codes around. Send request, get request, accept/decline request, done
  • Crypto wallets can run all their services without having to store any private key information
    • No more hacks! Everyone is storing their own keys privately and individually.
  • Games can manage user in-game assets without having to store any private key information
    • Think of the time and risk devs will be able to save when they don't have to fool with creating or storing accounts. Just send XDR requests.
  • IoT devices can securely pass requests to users (unlock door, turn on coffee, order pizza, etc.) 🤯
  • Sane multi signature coordination requests. All board members must accept a transaction before the action can be validated

There are of course an infinite number of other use cases, but at the end of the day StellarAuth is just Stellar transaction requests. What's cool about that is there are two levels of validation: signed and submitted. A transaction doesn't necessarily have to make it to the ledger. At level 1 we're just looking to see that the requested signer(s) have signed the transaction. At level 2 StellarAuth is actually submitting that request to the Stellar network. It's up to your app to interpret what a successfully signed transaction means. So for login you could send a throw-away Inflation operation XDR request just to get a signature from the user, which once successfully signed you could interpret as validation to log that user into their account. StellarAuth makes primary use of Stellar's private/public key signing system and secondary use of their actual asset and operation use for those who need it.

Hopefully this makes sense as it's a bit of a different way of thinking and making use of the Stellar tech stack but it's perfect for this stuff and allows for an insane number of use cases. Happy to answer any questions and discuss any concerns. This is an ambitious project and I'm super excited to get it off the ground and into the hands of eager developers.

That's a new way to handle delegated signing. Quite interesting.

I'm looking forward to digging even more into the tech details.

tyvdh changed the title to StellarAuth — Manage lots of Stellar accounts easily and securely.
6 days later
tyvdh changed the title to StellarAuth • The best way to integrate Stellar into your apps.
10 days later

Built a nifty little Glitch demo utilizing StellarAuth in a passwordless flow.
https://sa-glitch-demo.glitch.me/

Again there are a million different ways you could implement StellarAuth into your user authentication flows but passwordless login or 2FA replacement is a great one!
