Decentralized Two-factor Authenticator - a 3rd Generation 2FA

Abstract:

  • A more secure mobile 2FA: an improved version of authenticators like Google Authenticator or Authy that solves problems the current second-generation 2FA cannot.

Goal:

  • To provide a decentralized solution for the current 2FA problems
  • To be implemented by websites and banks that use the old 2FA system
  • To promote Elastos technology and ecosystem
  • To compete with the current centralized 2FA apps
  • Open source, to become the STANDARD protocol for 3rd Generation 2FA

Motivation:

  • The current 2FA apps (Authy or Google Authenticator) have major security issues that can’t be solved by the current 2FA system:

    1. Centralized storage (Authy) - hackers can tap into that storage and steal user data
    2. The website holds the secret key - which can compromise security
    3. Phishing scams - hackers can create a fake site that accepts even a wrong OTP, and are then able to log in or steal user information
  • That’s what the Elastos 3rd Generation 2FA dapp will solve:

    1. Decentralized storage - Elastos HIVE
    2. Secret keys are stored encrypted, and will only be decrypted and used inside the smart contract
    3. To prevent phishing scams: first, the site will show the OTP, and it will be validated INSIDE the user’s app through the blockchain

    With this dapp, we aim to improve the current 2FA system and replace it on current websites and even bank apps. It will hopefully showcase what Elastos can do.
  • It has the potential to REPLACE the CURRENT 2FA system and showcase Elastos tech. There are hundreds of thousands of sites and billions of users who
    still use Google Authenticator or another 2FA system as their 2FA security. Imagine the possibility if even 1/5 of that market used 3GEN; this would ultimately showcase
    what Elastos can do. I hope that the Elastos and open-source community will support this.

Implementation:

  • 1st week: develop smart contract
  • 2nd week: add backend and storage* support with API calls
  • 3rd week: create front-end design with QR scanner and implement DID system
  • 4th week: add the implementation logic and code for websites
  • 5th week: testing and debugging
  • 6th week: MVP finished
    *HIVE is the planned technology, but it is not currently available or stable. To show the viability of this dapp project and develop an MVP, a centralized storage solution will be used. When HIVE is publicly available and stable, it will be implemented immediately.

Team:

  • John M.: Mobile app developer with more than 6 years of experience, knowledgeable in server-side programming and web app development.

Relevance:

  • While designing the system and searching for related projects, there is one with the same implementation and goal. The currently proposed dapp is inspired by that project: Hydro Raindrop

3GEN 2FA vs Google Authenticator

First, let’s take a look at how Google Authenticator works:
A user opens the Google Authenticator app and is shown a temporary code.
The user then enters the code on the website.
But this makes sites using Google Authenticator an EASY PHISHING TARGET:
The hackers create a fake phishing site that looks just like the normal site.
Every Google code the user types in, the phishing site displays as successful.
They then ask the user to reset personal, credit card and bank data, stealing it in the process.

3GEN will utilize Elastos tech - DID, Eth Sidechain, HIVE.
In the 3GEN app, codes are displayed on the site, then typed into the phone.
The codes are One Time Passwords (OTP) and randomly generated.
Phishing sites can’t guess the 3GEN code, so the authentication will FAIL EVERY TIME.
3GEN will also use cryptography stored in your phone.
Unlike Google, if 3GEN users change or lose their phone, they can re-generate the app.
3GEN will use HIVE to store the credentials of the sites on your list.
Hackers would need to gain access to Elastos tech, the site keys, AND your phone.

ROADMAP:

  • MVP development
  • 3GEN compatibility with Google Authenticator
  • Trinity dapp version
  • other features and plans will be added after the MVP

3GEN will be developed continuously after the MVP phase with the help and support of the community, and will always be OPEN SOURCE.

17 Likes
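The two flows compared in the post above, as an added Python simulation (not code from the proposal, and no Elastos API is used): a `ChallengeRegistry` class stands in for the smart contract, the DIDs, origins and session ids are placeholders, and the code length, lifetime and lockout threshold are assumptions. It runs the honest login, a phisher guessing codes, a phisher relaying a genuine code from its own page, and stale and reused codes. The registry also records which origin asked for each code and the app refuses a code shown by a different origin; the post does not describe that binding, it is an assumption of the example, and it is the part that handles a relayed genuine code as opposed to a guessed one.

```python
import secrets

DIGITS = "0123456789"
CODE_LEN = 8          # 10^8 possible codes; a guess has a 1e-8 chance per attempt
MAX_FAILURES = 5      # assumed policy: lock a DID after this many wrong codes
CODE_TTL = 60         # assumed: seconds a displayed code stays valid


class ChallengeRegistry:
    """Stand-in for the on-chain contract in the post. It holds no long-term secret,
    only short-lived, single-use codes bound to the origin and session that asked
    for them, plus a record of which DID approved which session."""

    def __init__(self):
        self._pending = {}    # code -> {"origin", "session", "expires"}
        self._approved = {}   # session id -> approving DID
        self._failures = {}   # DID -> wrong-code count

    def register(self, origin: str, session: str, now: float) -> str:
        """Called by the website when a login starts; returns the code it will display."""
        code = "".join(secrets.choice(DIGITS) for _ in range(CODE_LEN))
        while code in self._pending:                      # avoid a (rare) collision
            code = "".join(secrets.choice(DIGITS) for _ in range(CODE_LEN))
        self._pending[code] = {"origin": origin, "session": session, "expires": now + CODE_TTL}
        return code

    def issued_to(self, code: str):
        """Which origin asked for this code, so the app can show the user who it belongs to."""
        entry = self._pending.get(code)
        return entry["origin"] if entry else None

    def approve(self, code: str, did: str, now: float) -> str:
        """Called by the phone app. A code is consumed on first use, whatever the outcome."""
        if self._failures.get(did, 0) >= MAX_FAILURES:
            return "locked"
        entry = self._pending.pop(code, None)
        if entry is None:
            self._failures[did] = self._failures.get(did, 0) + 1
            return "unknown"
        if now > entry["expires"]:
            return "expired"
        self._approved[entry["session"]] = did
        return "ok"

    def approved_by(self, session: str):
        return self._approved.get(session)


class Website:
    """Relying party. Unlike a TOTP site it stores no per-user secret, only the DID
    enrolled for each account, and only trusts an approval made by that DID."""

    def __init__(self, origin: str, registry: ChallengeRegistry):
        self.origin, self.registry, self.enrolled = origin, registry, {}

    def start_login(self, session: str, now: float) -> str:
        return self.registry.register(self.origin, session, now)   # code shown on the page

    def finish_login(self, username: str, session: str) -> bool:
        return self.registry.approved_by(session) == self.enrolled.get(username)


class PhoneApp:
    """The user's authenticator. `visible_origin` is the origin of the page the user is
    actually looking at (assumed to come from a browser extension or from the user
    confirming the origin the app displays); a genuine code relayed by another page
    is refused because it was issued to a different origin."""

    def __init__(self, did: str, registry: ChallengeRegistry):
        self.did, self.registry = did, registry

    def enter_code(self, code: str, visible_origin: str, now: float) -> str:
        issued_to = self.registry.issued_to(code)
        if issued_to is not None and issued_to != visible_origin:
            return "origin-mismatch"
        return self.registry.approve(code, self.did, now)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenarios; DIDs and origins are placeholders, not real identifiers."""
    registry = ChallengeRegistry()
    bank = Website("https://bank.example", registry)
    bank.enrolled["alice"] = "did:elastos:alice"
    alice = PhoneApp("did:elastos:alice", registry)
    mallory = PhoneApp("did:elastos:mallory", registry)
    out = {}

    # 1. Honest login: the site shows a code, Alice types it into her phone.
    code = bank.start_login("s1", now)
    out["honest"] = (alice.enter_code(code, "https://bank.example", now), bank.finish_login("alice", "s1"))

    # 2. Guessing: a phisher fires random codes at the registry with its own DID.
    bank.start_login("s2", now)
    last = None
    for _ in range(MAX_FAILURES + 2):
        guess = "".join(secrets.choice(DIGITS) for _ in range(CODE_LEN))
        last = mallory.enter_code(guess, "https://bank.example", now)
    out["guessing"] = (last, bank.finish_login("alice", "s2"))

    # 3. Relay: the phisher starts a real session and shows Alice the genuine code on its own page.
    real = bank.start_login("s3", now)
    out["relay"] = (alice.enter_code(real, "https://bank-login.example", now), bank.finish_login("alice", "s3"))

    # 4. Stale and reused codes.
    stale = bank.start_login("s4", now)
    out["expired"] = alice.enter_code(stale, "https://bank.example", now + CODE_TTL + 1)
    once = bank.start_login("s5", now)
    alice.enter_code(once, "https://bank.example", now)
    out["replay"] = alice.enter_code(once, "https://bank.example", now)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```

Run the file directly to print each scenario's outcome. The design choices worth keeping from this sketch: a code is consumed on first use whatever the outcome, so a phisher who learns it afterwards gains nothing; wrong codes are counted per submitting DID, which is what makes an 8-digit code unguessable in practice; and the website checks that the approving DID is the one it enrolled, so an attacker approving a session with their own identity still fails the final check.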

Is it compatible with google 2FA?

Sadly not. The initial plan and design was to just provide a simple dApp authenticator using TOTP and COMPATIBLE with the current 2FA system, with HIVE storage, and with keys provided and validated using a smart contract rather than on the websites. But the bigger problem that system faced is phishing scams, so I decided to change the whole system and propose a more secure 2FA system. I will add graphic presentations to better explain this proposal when they are available, and update this topic.

2 Likes
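The roadmap item in the post and this reply both refer to compatibility with the current Google Authenticator system, which in practice means RFC 6238 TOTP over a shared secret delivered in an otpauth:// QR code. What follows is an added example, not the project's code: a standard-library Python implementation of HOTP/TOTP, the server-side check with a clock-drift window, and the QR payload round trip. The secret is the RFC 6238 reference seed (a constructed value, not a real enrolment), and the account and issuer names are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time. Google Authenticator
    uses SHA-1, 6 digits and a 30-second step, which are the defaults here."""
    return hotp(secret, int((for_time - t0) // step), digits, algo)


def verify_totp(secret: bytes, submitted: str, now: Optional[float] = None,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check. Accepts the current step and +-`skew` neighbouring steps to
    absorb clock drift, comparing in constant time. This helper is stateless: a real
    verifier must also remember the last accepted step so a code cannot be replayed."""
    now = time.time() if now is None else now
    counter = int(now // step)
    submitted = submitted.replace(" ", "")
    ok = False
    for delta in range(-skew, skew + 1):
        # `|=` rather than an early return so every candidate is compared
        ok |= hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
    return ok


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI an enrolment QR code encodes. Authenticator apps import it,
    which is why any app that stores this secret and computes TOTP is a drop-in."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


def secret_from_base32(b32: str) -> bytes:
    """Inverse of the QR payload: decode a Base32 secret, tolerating spaces, lowercase
    and the '=' padding that QR payloads usually omit."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Constructed example: the RFC 6238 reference seed, not a real enrolment.
    seed = b"12345678901234567890"
    print(provisioning_uri(seed, "alice@example.com", "ExampleBank"))
    print("8-digit code for T=59:", totp(seed, 59, digits=8))   # RFC 6238 Appendix B vector
```

Running the file prints a provisioning URI that Google Authenticator or Authy would accept, so a dApp that stores the same secret (the plan described in this reply) produces identical codes and can replace those apps without any change on the website side. Compatibility also carries the model's properties with it: whoever verifies, the site or, in this reply's design, the smart contract, must hold the same secret, and a code typed into a phishing page is just as valid on the real site within the drift window, which is the weakness the reverse flow in the post targets.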

This is a great idea, and I think you are using the right Elastos tech. But it’s not quite clear how it will solve the phishing scam; can you provide more info on this?

A picture is a good way to understand this.

Yes, I will add the pictures or video that will explain this 2FA system/process. Thank you for your interest!

2 Likes

I totally support this idea. It was my suggestion on CR some time ago, along with a password manager feature (ElaPass) https://www.cyberrepublic.org/suggestion/5c4729d401d0df00aff689bb . However, I think it is crucial for the 2FA to be compatible with Google 2FA. Basically, replace all that exists today with an Authy-like featured solution based on Elastos. Remember that if you create a totally new 2FA, all pages that use 2FA would have to move to the “new standard”, which is very unlikely at the current stage. I would focus on a dApp with awesome UI and security so users can replace Authy/Google Authenticator right away and start using it :wink:.

3 Likes

Yes, that is true! And that was my initial plan before changing the system. I still intend to do that kind of dApp 2FA that is compatible with the old 2FA system before introducing this new one. To be honest, it is easier to develop that dApp than this new one. I also think that by doing that, they will see the improvement of the new system, and it makes onboarding a little easier.

100% support :+1:t3:

2 Likes

Great idea and write up John

2 Likes

There is a Chinese doc on using the Elephant wallet DID to log in to third-party websites:
How to login via DID

I don’t completely understand the 2FA system, but I think if the website only wants to double-check the user’s identity, it can ask the user to bind a DID, and the user can use the Elephant wallet to prove his identity.

Checking the user’s identity with the Elephant wallet is equivalent to 2FA.
Here is the Identity API doc

2 Likes

thanks Wili! I will put more info in this soon

Yes, thank you for this! I saw this before and will use it. DID authentication is like identity validation, which is one step of the 2FA setup process. But what DID authentication lacks is phishing scam prevention. I know this idea is a bit complicated, but I will post more info on this soon.

I think this type of 2FA provides more layers of security than DID authentication. I don’t understand it well, but that’s what I think.

1 Like

The first-round voting was started, you can vote for this proposal at the below URL.
https://voteforme.elaphant.net/didVote.html?hashStr=0e9c43aa69926650fa5215e5b011a87bd31c248f011e03d20c80d5bea1e92cb1

1 Like

Hello all, sorry for the delay. I have been hospitalized for a week now. But here’s my late update; please read my submission again. I listed the differences between Google and 3GEN and added some additional information like the roadmap, motivation and goal. Thank you so much for supporting me!

3 Likes

Great Idea, you have my vote and support.

1 Like

The voting has ended. We are doing the final checking. If you have any questions, please contact us.

The first-round voting:
https://voteforme.elaphant.net/didVote.html?hashStr=0e9c43aa69926650fa5215e5b011a87bd31c248f011e03d20c80d5bea1e92cb1

All votes:
https://voteforme.elaphant.net/didTxList.html

Congrats on the win! I look forward to seeing this app developed.

1 Like

Congratulations, you are the winner of the FundMyDApp competition; we will support your project with 1500 ELA paid in three installments. But first, please give us some information about you and your team.

  1. ELA address, for receiving the ELA.
  2. Your team members, name, Email, Github, role.
  3. The SNS accounts of all your team members, including Telegram, Twitter/Facebook/WeChat or others if you have them. We will only accept existing accounts, not new accounts.

Please supply this information as soon as possible.

After doing this, please use ALL your SNS accounts to share news about FundMyDApp, to prove they are yours.

2 Likes