Creating a Privacy-Preserving Login System
Today, the IOTA Foundation is opening a Request for Proposals (RFP) for an IOTA-based login system built on OpenID standards. The RFP invites developers or companies to apply for funding to build out solutions that combine IOTA Identity with the OpenID Foundation standards of OpenID Connect (OIDC) and Self-Issued OpenID Provider (SIOP). If selected, the developers or companies will be funded during the design and development of the open-source components.
The proposed technology will enable websites to accept users’ Decentralized Identifiers (DIDs) as an identifier and authentication mechanism. Using OIDC, websites can add Login With IOTA alongside less privacy-friendly alternatives like Google, Microsoft, and Facebook. Over 50,000 websites are already using this system with over one billion OpenID-enabled accounts. In addition, SIOP allows websites, with a bit of extra effort, to skip any centralized login infrastructure by allowing users to authenticate themselves directly with the website in a peer-to-peer manner.
We are launching the RFP to encourage other developers or companies to participate in the development of IOTA Identity tooling.
Applicants are asked to provide a plan, budget, and other information. At the end of the process, the IOTA Foundation may fund one or more projects to execute their plan in return for compensation. This compensation will be paid out in IOTA tokens from the Ecosystem Development Fund (EDF). Existing knowledge of IOTA or IOTA Identity is a bonus, but not required. We do, however, expect experience in the topic of OIDC.
Why do we need Login With IOTA?
The rise of E-commerce followed by Web 2.0 saw the web shift from a collection of pages with static content to a place where individuals interact with businesses, organizations, and each other. Hand in hand with this evolution grew a need for online authentication, leading many websites to utilize a combination of usernames and passwords to create local accounts for users.
While this reliance on “something you know” (i.e. the passwords) initially provided sufficient protection, websites storing that information became vulnerable targets for attacks, such as identity theft. To combat brute-force and password-cracking attacks, complexity requirements were introduced, leading people to reuse their passwords across different websites, which actually weakens the security of users and websites. These and other developments put an increasing burden on websites to secure both the user data and their infrastructure, and created a very poor user experience and an often insecure environment.
Over time, user experience improved at the cost of privacy. User accounts became centrally registered through federated identity providers such as Google or Facebook, enabling providers to share information with websites (with the user's permission) without the information having to be entered repeatedly. Unfortunately, this solution also provided big tech companies with even more control over user data, as it became relatively easy for identity providers to monitor user activity on the web whenever users accessed accounts managed by the providers.
Login With IOTA will allow people to take back control over their data, while at the same time adding beneficial features and experiences to the websites. We aim to create a win-win situation where both websites and users benefit from using an IOTA Identity-based login system while removing power from centralized identity providers.
How does it work?
With an IOTA-based login, a random string of characters (such as “did:iota:9rK6DPF46MCEzgfLD8AHFsaTuMqvmRo6kbXfjqQJPJmC”) becomes your Decentralized Identifier (DID). You can prove ownership of your identifier through asymmetric cryptography, i.e. a private key that only you hold (“something you have”). Conveniently, you don’t have to remember your DID: your Self-Sovereign Identity (SSI) wallet manages it for you. Websites can utilize the DID internally to recognize you without having to know a username or email address. They may still request your personal information (such as a display name or an email address), but it is your choice to share this information. It will be the responsibility of the website to prove that they need this information from you and to explain what you will get in return.
The envisioned system that will allow you to selectively share your email address will also allow you to share other information you would normally have to repeatedly provide, such as your address, phone number, or date of birth. The difference is that you only have to enter this information once in your SSI wallet, creating a much smoother experience when you visit websites that enable this technology, just like with centralized providers. But in this case, you remain completely in control over the data. In addition, this also allows you to share verifiable information using the Verifiable Credentials mechanism.
With Verifiable Credentials, not only can you share information, but you can also prove its validity. The information you share would have to be signed by a trusted third party such as a governmental agency or a bank, but you decide who you share this information with.
Being able to act on trustworthy information reduces the risk for websites, especially in the E-commerce industry.
Examples of verified information could be:
- Validated age range signed by your government.
- Proof of residency signed by your electricity provider.
- Proof of funds signed by your bank.
- Verified phone number or email address.
- A diploma or certificate signed by your university.
In the RFP, the IOTA Foundation encourages the development of two separate login systems: OIDC and SIOP. OIDC, which we have dubbed the Web2 login system, is what most people use regularly. Buttons such as “Login with X” contact the centrally-hosted identity provider to provide your information to a website.
IOTA Identity would enable us to mimic the same flow, allowing websites to reuse the very same implementation and technology that they are already using while massively increasing privacy. The architecture outlined in the RFP means that, instead of having full visibility and access to personal data, the centralized identity provider would act as a blind participant and establish a connection between the user and the website following OIDC standards. In the future, this would remove the necessity for identity providers to store your data. Instead, they will send the data requests back to the user, where the SSI wallet stores and shares the data, putting you in full control. This would be the perfect blind participant, but it requires either an always-online user-hosted database or that the data is only available when the user is online. While an online user requirement is fine for some use cases, it might limit others; we therefore expect that the identity provider cannot be perfectly blind at the start.
A Proof of Concept for a Web2 login has already been developed by Daniel Mader, an active contributor to the IOTA Identity X-Team. Using Keycloak and a self-built extension, Daniel showcased how a website could accept a DID for authentication while not requiring any additional changes to its internal systems. Daniel’s amazing work has been made open-source on GitHub and he has provided a detailed explanation and demonstration of his PoC in an Identity X-team meeting:
The second login system we seek is geared towards web3. Self-Issued OpenID Provider (SIOP) is a new standard in development by the OpenID Foundation that will improve the above-described login system with even more privacy. We have dubbed this the Web3 login system and it is very much still under research. This standard allows a similar user experience as the Web2 login, but without the need for a centralized identity provider.
SIOP allows users to directly authenticate peer-to-peer with the website without having to communicate with a centralized component. Afterward, the SSI wallet makes it possible to exchange Verifiable Credentials and provide any additional information that would normally be requested from the identity provider. While this solution is superior in terms of privacy, it also requires integration efforts by the website, probably hindering immediate mass adoption of the technology as of now. To provide solutions in the mid and the long term, the IOTA Foundation is therefore interested in both Web2 and Web3 solutions simultaneously.
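As an added illustration (not code from the RFP, the PoC, or the IOTA Identity library) of the peer-to-peer SIOP exchange described above and of the proof of DID ownership from “How does it work?”: the website sends a nonce, the wallet answers with a self-issued token signed by the DID's private key, and the website verifies it against the key it resolves for that DID. The DID value, the audience URL, and the map standing in for DID resolution are constructed assumptions; a real SIOP token is a JWS and the key comes from the resolved DID document.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims of a simplified self-issued ID token (JOSE header omitted for brevity).
type Claims struct {
	Iss, Sub, Aud, Nonce string
	Exp                  int64
}

// SignToken is the wallet side: it answers the website's nonce with "<b64url claims>.<b64url sig>", signed by the DID's private key.
func SignToken(did string, priv ed25519.PrivateKey, aud, nonce string, exp int64) string {
	body, _ := json.Marshal(Claims{Iss: did, Sub: did, Aud: aud, Nonce: nonce, Exp: exp})
	return base64.RawURLEncoding.EncodeToString(body) + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, body))
}

// Verify is the website side: keys maps a DID to its verification key (stand-in for resolving the DID document); it returns the authenticated DID.
func Verify(keys map[string]ed25519.PublicKey, token, aud, nonce string, now int64) (string, error) {
	p0, p1, found := strings.Cut(token, ".")
	body, e1 := base64.RawURLEncoding.DecodeString(p0)
	sig, e2 := base64.RawURLEncoding.DecodeString(p1)
	var c Claims
	if !found || e1 != nil || e2 != nil || json.Unmarshal(body, &c) != nil {
		return "", errors.New("undecodable token")
	}
	pub, ok := keys[c.Sub]
	if c.Iss != c.Sub || !ok || !ed25519.Verify(pub, body, sig) { // !ok must precede Verify: a nil key panics
		return "", errors.New("not self-issued or signature does not match the DID's key")
	}
	if c.Aud != aud || c.Nonce != nonce || c.Exp <= now {
		return "", errors.New("audience, nonce or expiry mismatch")
	}
	return c.Sub, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	did := "did:iota:example" // constructed placeholder, not a real DID
	tok := SignToken(did, priv, "https://shop.example", "n-42", 2_000_000_000)
	fmt.Println(Verify(map[string]ed25519.PublicKey{did: pub}, tok, "https://shop.example", "n-42", 1_700_000_000))
}
```

The nonce and audience checks are what stop a token captured for one website from being replayed against it or presented to another.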
How to participate in the RFP
Any individual or company can participate in the RFP. Starting today, the RFP is open for submissions until the 19th of April 2022. Please read the RFP carefully and submit a valid response containing all requested information to the email addresses provided in the RFP. If you have any questions, you can reach out to Jelle Millenaar via [email protected] or on discord.iota.org in the #Identity channel.
Make sure your submission contains a description of who you are, your experiences with either IOTA and/or OIDC, and what your plan is for the development of open-source tools to enable either a Web2 and/or Web3-based login system with IOTA Identity. Also, feel free to pass this RFP on to any party that may have the expertise to provide a solution, be it in the SSI, DLT, or OIDC ecosystems.
About the IOTA Foundation
The IOTA Foundation is a global non-profit foundation that develops next-generation decentralized technologies for a new digital economy in a connected world. It redesigns the way people and devices connect to share information and value, removing middlemen. The Foundation collaborates with a global ecosystem and partners to research and develop technologies that deliver sustainable, real-world impact. Together, they are shaping a new digital economy, removing unnecessary friction and unlocking human potential.
At the heart of the Foundation's mission is the Tangle, its open, feeless, and highly scalable distributed ledger. Designed to support frictionless value and data transfer, the Tangle is a DLT infrastructure for Web3 applications and digital economies. Unlike blockchain alternatives, the Tangle allows transactions to be added in parallel; it also boasts low resource requirements, as well as zero-fee and fast transactions with finality within seconds. The IOTA token is the native currency on the IOTA network. It is used to transfer value and data and enable feeless micro-payments.