BitPay Seeks to Decentralize Digital Identification with BitAuth

Screen-Shot-2014-07-01-at-6.41.20-PM
1 July 2014

Georgia-based bitcoin merchant processor BitPay has launched a project that leverages bitcoin technology to facilitate a decentralized authentication system.

Called BitAuth, the system uses cryptographic signatures in place of server-side password storage. This solves a common security problem for IT administrators, because a breach can potentially leak customer authentication information.

Bitcoin core developer and BitPay employee Jeff Garzik conceived some of the concepts that made BitAuth a reality.

Garzik told CoinDesk:

“Replacing passwords with digital signatures is not a very original idea. [But] digital identity is going to be a key technology for the future.”

The news follows BitPay’s previous foray into making technology improvements with cryptographic systems.

The company, which recently raised $30m in venture funding, released Bitcore in February, an open set of JavaScript libraries used to better interface with the bitcoin protocol.

How BitAuth works

BitAuth shares characteristics with bitcoin technology by using the same elliptic curve cryptography, but it introduces a system identification number (SIN), which is outlined on the Bitcoin Wiki.

The secp256k1 parameter elliptic curve used in bitcoin and used for BitAuth. Source: WikipediaThe secp256k1 parameter elliptic curve used in bitcoin and for BitAuth. Source: Wikipedia

Essentially, a SIN uses a cryptographic key pair to sign transactions with a server for authentication purposes.

With BitAuth, users would still authenticate with a conventional login and password combination. However, that information would only be stored locally, also known as client-side, and is only used to facilitate sending a private key to a remote server for access purposes.

To ensure that each authentication session is unique, every time a user releases a private key it is signed with a public key on a remote server and a nonce (a single-use randomized string) is generated as a session identifier.

Security issues

Web breaches exposing identifiable information have been a problem for large companies of late, as evidenced by major data losses affecting eBay, PF Changs, Target and Verizon. Furthermore, such events could potentially threaten the bitcoin industry.

Garzik said that BitAuth can reduce the issues that threaten digital identities, by attaching SINs to identities, or obscuring IDs with non-identifiable information.

Garzik told CoinDesk:

“[BitAuth] is as anonymous, or not, as you choose. At a minimum, public keys are revealed to external parties.”

Additionally, Garzik said that BitAuth’s trustless properties can enable an improved experience for everyone:

“What makes the SIN proposal unique is that [they] are decentralized, as anonymous as you want them to be, digitally secure, capable replacements for website username/password, and most of all, extensible to any system that may be covered by hashes.”

Not just a concept

The announcement is also notable given the recent criticisms levied by developers regarding the lack of improvements to bitcoin’s infrastructure. For example, experts like Mike Hearn have said that bitcoin as a software project is underfunded and needs attention to ensure continued progress.

BitPay’s Stephen Pair recently told CNBC that Visa and MasterCard will eventually ‘leverage’ bitcoin, a possibility that might be advanced by the creation of secure technical tools such as BitAuth and Bitcore for developers.

Those wishing to engage with BitAuth can now do so: BitPay has a GitHub repo dedicated to the project, and there is also a BitAuth chat room hosted on Gitter.

Disclaimer: CoinDesk founder Shakil Khan is an investor in BitPay.

Login image via Shutterstock