We've added TAPSIGNERs as our 2-factor authentication method for the megawatt.com app! 🧵👇 with a more technical explanation. In this demo, we're violating one of the Best Practices recommended by nostr:npub1wu4aye7ll0lnrrg638e90sehzsgpzx5t39t3mwl05aa0d0ap08esdz3vw0. Can you spot it? nostr:npub1az9xj85cmxv8e9j9y80lvqp97crsqdu2fpu3srwthd99qfu9qsgstam8y8 nostr:npub1a7aycw7rg4vdyrls5seamqdql08qcde5676hn4ksyrvx9xaaeduscxt00e nostr:npub1guh5grefa7vkay4ps6udxg8lrqxg2kgr3qh9n4gduxut64nfxq0q9y6hjy nostr:npub1a2cww4kn9wqte4ry70vyfwqyqvpswksna27rtxd8vty6c74era8sdcw83a
Discussion
After our server authenticates your traditional username and the hash of your password, it returns a digest/nonce (a number that should only be used once) and the TAPSIGNER CVC/PIN code to the mobile app.
The app then prompts for your TAPSIGNER to be scanned. After a certificate check to verify the authenticity of the card, the Tapsigner signs the digest and the signature is returned to our server.
Our server uses a secp256k1 implementation to verify the ECDSA signature against the digest and the master xpub (public key) of the TAPSIGNER. If that signature is valid, the user is authenticated.
What is the Best Practice violation? Never store a PIN code! We're storing it on our server to provide a better user experience (UX) when scanning the TAPSIGNER. After entering a username & password, you wouldn't want to then have to enter the PIN on your phone.
If an attacker had your TAPSIGNER, they'd still need your username/password to authenticate and vice versa. We don't secure funds with these Tapsigners. They are only for 2-factor authentication, so the Best Practice violation seems like a reasonable trade-off for this use case.
One alternative is we could only use the TAPSIGNER for authentication. Just scan it, type in your PIN, & you're authenticated, no username/password needed. If you lost your Tapsigner, an attacker would still need to know your PIN to authenticate, which is now not on our server.
Will we implement this in production? We'll see, but it's been a fun project and the TAPSIGNER is a great product!
Check out megawatthq.com 👀 for all of your miner hosting needs! The company was founded at the Indy Bitcoin meetup, so get out there and support your local #Bitcoin groups. You never know who you'll meet.
Bad link in previous post LOL :-) -> use megawatthq.com