Blockstack Wins Patent for Its Dapp Single Sign-On Product

muneeb-ali
1 April 2020

Blockstack, the control-your-data decentralized web developer, has patented the process behind its single sign-on for every dapp system, Blockstack Auth. 

The patent covers Blockstack’s method for cryptographically signing into dapps with a single digital identity, without requiring a third party to authenticate. 

The system received USPTO’s approval on March 24 following an uncharacteristically short eight month wait – most applications sit for about 32 months, according to Erickson Law Group – and exactly three years after Blockstack’s 2017 release of the Auth developer version

Blockstack Auth aims to be Web 3.0’s one-password-to-rule-them-all, the patent documents show. It’s functionally similar to Google and Facebook’s massively popular one-click sign in processes that integrate with hundreds of thousands of websites.

“But the underlying data flow is unlike” the big tech’s OAuth protocol-reliant authentication services, the patent description reads. Those third-party platforms remove user control by checking all information against their centralized servers. Serverless Blockstack Auth gives it back – through public key cryptography. 

The process works by exchanging JSON web tokens between the dApp and the Blockstack browser. At sign in, the dApp generates an “ephemeral transit key” whose public portion it sends to the browser through an “authRequest” token. The browser in turn encrypts an “app-private key” with that public portion, which it then returns to the dApp in an “authResponse” token.

“This inventive realization obviates the need for a server-side identity provider,” the patent read.

The patent’s language is at times nearly identical to Blockstack’s March 10, 2020, explainer article on Blockstack Auth, with verbatim subheadings and subtle differences attributable to the less declarative voice with which applicants write submissions.

(For example, the patent reads: “These tokens can be related to JSON Web Tokens (JWT), and they can be passed via URL query strings,” whereas the GitHub-editable March 10 explainer reads: “These tokens are JSON Web Tokens, and they are passed via URL query strings.”)

Open source, closed ownership

The granting, Blockstack’s first, gives legal clout to the Public Benefit Corporation’s universal login tool for the decentralized web. But intellectual property rights bring more than just legal protection for the GitHub-loving Blockstack. It also prompts thorny questions about partitioning off ideas in a space, and by a company that claims to put open-source at the “heart of everything we do.”

Two days after the patent’s issuance, Blockstack CEO Muneeb Ali opened a forum to discuss “Blockstack PBC and patents.” CoinDesk was directed to the forum after reaching out to Blockstack for this story.

“We don’t want to be in a position where some other (large) company files a patent similar to the work PBC and the community is doing,” he wrote, pointing to the “recent surge” of big tech companies, such as IBM, that file seemingly endless reams of blockchain patent applications.

Ali wrote that Blockstack may file patents on its core team’s efforts – purely for “‘defensive’ reasons.” He left the door open on transferring patents to the independent Stacks Foundation, procuring a defensive patent license, or even pledging to never initiate enforcement, as Tesla did in 2014

The discussion partially answers questions raised in November 2017, when Twitter user @lightcoin, who had come across a separate Blockstack patent still waiting for approval, called on the firm to explain its patent strategy.

“Patents are like nuclear weapons: the best way to prevent them from being abused is to not create them in the first place,” @lightcoin said.

At the time Ali said Blockstack had to stake its claims before others did. He promised to “post about our future patent strategy” at a later date.

The debate is similar to one crypto exchange Coinbase faced. CEO Brian Armstrong said in the past that he believes “patents should be abolished” but, like Blockstack, sees it as necessary to build a portfolio for “defensive” reasons.