OmniLedger email signup and recovery

We’re currently using OmniLedger for logging in to our Matrix chat and to the c4dt.org website as users. This is explained in more detail here:

matrix login page with CAS login

There were two elements missing:

  1. Automatic signup — in the current signup process, the C4DT admin team needs to create users and then send the links.
  2. Recovery of users — the browser stores the user ‘password’ (in fact it’s a cryptographic private key). Depending on how your browser is configured, this password might get deleted automatically. For example, automatically deleting the history and site data of visited websites will trigger removal of your OmniLedger password.

Automatic Signup

Now you can visit https://login.c4dt.org and enter a user name and an email address. The system then makes sure this email is not registered yet. If it’s a new email, it creates a new user and sends the signup-link to the user via email.

Once you receive the email with the signup-link, you can click on it. The signup-link contains your user-id and an ephemeral password (private key). As the browser loads the webpage, it creates a new private key and stores it in the browser. For this reason you should allow browsing history and storage of website data for login.c4dt.org. If the browser cleans the history, it will delete your private key! If that happens, see the Recovery section below.

Now that you have your OmniLedger account, you can use it to explore the OmniLedger blockchain. But the most interesting part for now is to join us in the matrix.

Recovery

Unfortunately it is quite easy to lose the private key. As the key is stored in the browser, it can happen that the browser removes the key. For example, clearing the history removes the private key. Or if you use the browser in incognito mode, the browser will delete the private key once you close it.

To make it easier to recover your OmniLedger account, you can now simply enter your email address on https://login.c4dt.org. The system will create a new device entry for your account and send the recovery-URL to your email. Once you receive that, you can proceed by clicking on the URL. The browser will open the login-page and replace the ephemeral private key with a new random private key.

Security considerations

The service responsible for the signup and recovery process has a limit of 100 signups and recoveries per day. This should prevent spamming of existing email addresses in the signup and/or recovery process. If we see abuse of the system, we might also restrict the number of recoveries for a single account.

Both when signing up and when recovering an account, the system creates an ephemeral key. This key is valid until you click on the URL in your email. Once you click on that URL, the login-page creates a new random private key. Then it replaces the ephemeral key with the new key. Now the URL is not valid anymore, because it contains the ephemeral key, which no longer gives access to your account! So the URL you receive is only valid once!
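The following is an added illustration of the one-time link mechanism described for the signup-link and recovery-URL above; it is not code from the OmniLedger or login.c4dt.org projects. It assumes a flat map of device public keys in place of the real on-chain device entries and an invented URL layout; the ephemeral key authorises the swap by signing the replacement key, and once the swap is done the same URL is rejected.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"strings"
)

// Account stands in for an OmniLedger identity as a map of device name to public
// key (assumption: a flat map in place of the real device entries on the chain).
type Account struct{ Devices map[string]ed25519.PublicKey }
func newAccount() *Account { return &Account{Devices: map[string]ed25519.PublicKey{}} }

// issueLink is the signup/recovery service: mint an ephemeral key pair, register
// the public half as a device, put the private half in the emailed URL (URL layout
// is assumed, not the real login.c4dt.org one).
func issueLink(acc *Account, device string) string {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	acc.Devices[device] = pub
	return "https://login.c4dt.org/#" + device + ":" + hex.EncodeToString(priv)
}

// redeemLink is what the login page does on click: generate a fresh random key, let
// the ephemeral key authorise the swap (it signs the new public key, as it would sign
// the update transaction) and replace the device entry, so the URL cannot be reused.
func redeemLink(acc *Account, link string) (ed25519.PrivateKey, error) {
	_, frag, _ := strings.Cut(link, "#")
	device, hexPriv, ok := strings.Cut(frag, ":")
	raw, err := hex.DecodeString(hexPriv)
	if !ok || err != nil || len(raw) != ed25519.PrivateKeySize {
		return nil, errors.New("malformed link")
	}
	eph := ed25519.PrivateKey(raw)
	current, found := acc.Devices[device]
	if !found || !current.Equal(eph.Public()) {
		return nil, errors.New("link already used or device unknown")
	}
	newPub, newPriv, _ := ed25519.GenerateKey(nil)
	if !ed25519.Verify(current, newPub, ed25519.Sign(eph, newPub)) {
		return nil, errors.New("ephemeral key rejected")
	}
	acc.Devices[device] = newPub
	return newPriv, nil
}

// ownsDevice reports whether priv is the key now registered for device.
func ownsDevice(acc *Account, device string, priv ed25519.PrivateKey) bool {
	return acc.Devices[device].Equal(priv.Public())
}
```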

When the system creates a new account, it sets the recovery accounts to the Email recovery account. As long as this entry is present, the system can recover the account. If you don’t trust the recovery system, you can simply remove the Email recovery account from the recovery accounts. But of course, if you lose your private key, you’ll lose your account! You can also add another user you trust as a recovery account.