Another user authentication thread


#1

Do we really need OAuth? It seems to me there are already 1000 OAuth options out there (Twitter, Facebook, Google) that we could use to “verify” users. Also, I just don’t see anybody wanting to have to register with hifi every time they make a script that needs to know who a user is, especially if it is an open source script.

It seems to me that if all we really need to know is that a user is registered with hifi, a simpler approach would be just exposing digital signatures to scripts (the code is already there). Users don’t have access to their private key, but users do have an easily accessible public key. This would require revealing their avatar name, but since it is authentication, this is information we sort of need anyway.

If data signing were exposed to scripts, something like this:

var signature = myAvatar.signData(data)

the signature could be compared with their public key here:
https://metaverse.highfidelity.com/api/v1/users/Cracker.Hax/public_key

And there you go, you know all you need to know. OAuth would be good for things you need email addresses or phone numbers for, but right off hand I can’t really think of anything that would need that amount of security (in which case the app creator probably should have to register their app 6 ways from Sunday). Even cryptocurrency has built-in security (they have to possess their private key).

Anyway, for a metaverse that wants everything to be as anonymous as possible, I don’t think OAuth is a very good solution. Might as well use Facebook, Google or Twitter for that. Anything beyond verifying an avatar’s name isn’t really needed, and even if it is, another OAuth is redundant.


#2

I still don’t understand why people want, and companies think they need, to link Google, Facebook, Twitter or whatever to their company login page, like a bank does.

It’s a terribly bad idea to use a central login on the internet. What’s wrong with a safe separate account? The problem is still the user, who too many times uses a weak password.

But no, please keep it separate.


#3

Once we start going through the details of determining ‘verification’ it gets complex.

There is verification of:

  • the avatar’s identity for:
    – message delivery
    – chat delivery
    – monetary transactions
    and then
  • the assets associated with the avatar to:
    – load an asset
    – be able to modify it
    – be able to include it in an assembly
    — read-only
    — modify permission
    — monetization and percentage to owner of asset
    (etc)

Codifying all that in some flexible and not too complicated form is essential.


#4

I think it is because they are afraid to implement security themselves, but in doing so you become reliant on somebody else who may have implemented it weakly. Also, the more steps you have in a security chain the easier it is to break the security somewhere down the line.