15 November 2014 by Guy Halford-Thompson

Bitcoin Public Key Based Login for Unobtrusive User Accounts

We recently implemented a soft login system at https://quickbitcoin.co.uk/ using only your bitcoin public key to remember your details. This is the first implementation of this system that we have seen and provides a far less intrusive way of setting up user accounts.

When you buy bitcoins in the UK from Quickbitcoin you are required to give us some basic contact details so we can email you about your order. Additionally we have recently started asking for ID on every order due to the high number of fraud attempts and to comply with Anti Money Laundering laws.

As we never had user accounts on our site, we never saved your details, and one of the biggest complaints we have had recently is from people who are fed up with uploading their ID documents on every single order. To fix this, we decided to reinvent the standard web login and use nothing but your bitcoin public key to remember you.

Now, the first time you place an order with Quickbitcoin we ask for your details and ID as normal. From then on, if you reuse the same bitcoin address for your subsequent orders, you can skip this step and go straight to paying for your bitcoins, significantly speeding up the order process.

Public key based login systems allow for very simple account registration for users of certain types of sites. As public keys are... well - public... we cannot display any of the saved information back to the user. This creates unobtrusive and automated user registration with the added advantage that if a user forgets their login details they can easily get a new account.

This system only works on sites where accessing someone else's account has no negative effect. For example, if an attacker were to enter your public key to place an order with Quickbitcoin, none of your information would be leaked to the attacker, and if he pays for the bitcoins you will receive them anyway, leaving the attacker out of pocket and you slightly richer in the process.
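A minimal sketch of the flow described above, as an added example rather than Quickbitcoin's own code: a known address skips the details step, stored details are never returned or overwritten, and a checksum check stops mistyped addresses from creating accounts. It assumes legacy Base58Check addresses; `SoftLogin`, `place_order` and the status strings are hypothetical names.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def make_address(hash160: bytes) -> str:
    """Build a constructed version-0x00 address for the demo."""
    raw = b"\x00" + hash160 + _checksum(b"\x00" + hash160)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def valid_address(addr: str) -> bool:
    """Base58Check decode; reject typos so they never create phantom accounts."""
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and raw[-4:] == _checksum(raw[:-4])

class SoftLogin:
    """Details are stored once per address and never sent back to any caller."""
    def __init__(self):
        self._details = {}  # address -> contact/ID record, server-side only

    def place_order(self, address, details=None) -> str:
        if not valid_address(address):
            return "invalid_address"
        if address in self._details:
            # Known address: skip the ID step. Submitted details are ignored so
            # a stranger can neither read nor overwrite the stored record.
            return "skip_to_payment"
        if details is None:
            return "details_required"
        self._details[address] = details
        return "registered"

ALICE = make_address(b"\x11" * 20)  # constructed sample address, not a real one
```

Even with nothing echoed back, the `skip_to_payment` status itself tells any caller that the address has ordered before, which is worth weighing when deciding whether this design fits a site.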

Public key based login could be used on many e-commerce websites and would be very easy to implement, providing advantages such as securely remembering your address for subsequent orders. However, there are a couple of reasons I wouldn't expect Amazon.com to come and join the party any time soon.

  • As user accounts effectively become throwaway, and as attackers can easily 'login' to anyone's account, online stores would be unable to target advertising at you based on your previous purchases, otherwise it could leak private information. Of course, users may prefer this, as advertisers often go way too far in invading people's privacy.

  • Credit card details are normally stored with your account, making '1 click payments' a reality. Although attackers can only buy goods to be sent to your saved address from your account, they would be able to spend your money and spam you with gifts you didn't want, leaving you bankrupt.

The first issue can often be put aside for smaller e-commerce sites that don't try to intrude on your privacy. The issue with storing payment details can be solved by people paying in bitcoin and other cryptocurrencies. Beyond that, if more people were to throw aside their credit cards in favour of bitcoin, a large proportion of online fraud could be avoided.

Note that from the user's perspective this new login system provides both a seamless and optional way to register with a website. If they prefer not to be remembered, they can simply use a different public key next time round.

If you want to try it out for yourself make your way to https://quickbitcoin.co.uk/ to place an order and register your account.
