No announcement yet.

EOSIO Labs™ Release: iOS and Chrome Extension Authenticator Reference Applications

  • Filter
  • Time
  • Show
Clear All
new posts

  • EOSIO Labs™ Release: iOS and Chrome Extension Authenticator Reference Applications

    EOSIO Labs™ Release: iOS and Chrome Extension Authenticator Reference Applications

    [IMG]*hJkf5w9JEkMnVTmxlh8-PQ.jpeg[/IMG]Last month, we introduced EOSIO Labs™, an initiative centered on open innovation. Through EOSIO Labs we can contribute to the conversation around the future of blockchain technology with thought leadership, tools, and software. From the Assert Manifest Security Model to the Universal Authenticator Library, and our most recent release, the EOSIO Explorer, this initiative is well underway.
    To date, much of our Labs research has focused on key and password management and the EOSIO™ authenticator ecosystem, and for good reason. Blockchain authenticators as key managers serve, for users, as the gateway to interacting with blockchain-based applications. They are a critical component of the user’s security and overall experience, and, for that reason are critical to the mass adoption of blockchain technology.
    Today, there are several excellent authenticators in the EOSIO ecosystem. The community is innovating at an incredibly swift pace and blockchain-enabled experiences are becoming more and more accessible because of it. Nonetheless, more work is needed if we are to continue fueling widespread adoption and use of this technology.
    EOSIO Reference Authenticator Apps

    Today’s EOSIO Labs release ties several of our recently-announced tools, software, and thought leadership pieces together into one, cohesive experience that aims to address some of the security and usability concerns users currently face. We are excited to release the EOSIO Reference Authenticator Apps.
    To be clear, the implementations we are showcasing today are being released as experimental reference Open Source Software and not as proprietary products for uploading on app stores (and we discourage anyone from doing so). By releasing them in this way, we hope to encourage ongoing improvements to the security, interoperability and usability of authenticators by contributing working code and examples.
    EOSIO Reference iOS Authenticator App

    The EOSIO Reference iOS Authenticator App is an implementation on iOS that allows users to sign in and approve transactions from 1) web applications running in Mobile Safari and 2) other native iOS apps on the same device. Key management and signing take place in Apple’s Secure Enclave and/or Keychain and are protected with the device’s biometric authentication.
    To achieve this, the app leverages the recently-announced EOSIO SDK for Swift library and the EOSIO SDK for Swift: Vault Signature Provider.
    Example: Authenticating and Signing a Transaction from a Third-Party Mobile Web*App
    [IMG]*M0c-Q_cWfDMjDZ4Z[/IMG]EOSIO Reference Chrome Extension Authenticator App

    The EOSIO Reference Chrome Extension Authenticator is an implementation that allows users to sign in and approve transactions from web applications running in Google Chrome on desktop. Key management and signing take place in the Chrome extension secured by a passphrase.
    Example: Authenticating and Signing a Transaction from a Web App in Google Chrome on*Desktop
    [IMG]*dKpyDESVHTxveXF-[/IMG]Integrating Applications

    Web applications integrate with the EOSIO Reference Authenticator Apps using the Universal Authenticator Library and the EOSIO Reference Authenticator plugin for UAL. This release also includes an example web application called Tropical Stay which demonstrates how this works. Alternatively, apps can directly use EOSJS along with the appropriate signature provider.
    Native mobile applications are able to integrate with the iOS app using EOSIO SDK for Swift and the Reference iOS Authenticator Signature Provider for the*SDK.
    Key Features and Innovations

    Seamless, Multi-Chain Support

    During our research, we noticed that many popular authenticator applications support only one EOSIO based blockchain — for example, the EOS Public Network. Those that support other chains often require users to configure the authenticator with RPC endpoints or networks so that their authenticator can communicate with the chain(s) their app interacts with.
    This presents quite the challenge for ordinary users with complexity that will only increase as more EOSIO-based blockchains are launched. Indeed, it’s not hard to imagine a future in which applications operate their own app-specific chains.
    We set out to address this friction by making the EOSIO Reference Authenticator Apps entirely chain agnostic. In fact, the Authenticator Apps do not communicate with EOSIO nodes directly, at*all.
    This is achieved by ensuring that all of the information required to display and sign a transaction is passed in by the application proposing the transaction. [See: EOSIO Authentication Transport Protocol Specification.] After the transaction is signed in the Authenticator App, the signatures are returned to the proposing app. It’s the job of the proposing app to broadcast the transaction.
    There are no RPC endpoints to configure. Any EOSIO chain is supported. And it’s all secured by the Assert Manifest Security*Model.
    Works Without Requiring Users to Change Browsing*Habits

    Another observation we made was that many popular authenticators — especially those on mobile — require users to fundamentally change their browsing habits if they want to use blockchain-enabled web applications. In these authenticators, users are expected to browse these blockchain-enabled web applications from within the confines of a specialized, in-app blockchain web browser instead of just working with the users’ everyday web browser of choice. Furthermore, most authenticator apps on mobile platforms do not support inter-application transaction signing (i.e., signing transactions proposed by other native mobile*apps.)
    The EOSIO Reference iOS Authenticator App allows users to sign in and approve transactions from web applications running in Mobile Safari as well as other native iOS apps on the same device. This is accomplished using the EOSIO Authentication Transport Protocol and the Deep Linking URL Query String transport.
    Enhanced App Identification

    The EOSIO Reference Authenticator Apps demonstrate another key feature — that of domain-verified, chain-attested app identification. During selective disclosure (i.e., sign in) and transaction signing requests, apps are clearly identified to the user by an app name, icon and domain. These, along with other metadata, are retrieved from an application manifest served from the app’s domain and are asserted as part of the transaction. For more information on how this works, and its related benefits, see our previous EOSIO Labs Release: The Assert Manifest Security*Model.
    [IMG]*pWipmJf0cjiTCV8P[/IMG]Richly-Rendered Ricardian Contracts

    EOSIO provides for rich Ricardian contracts that plainly explain to users the action or actions they are agreeing to. Many wallets, however, do not take advantage of the ability to display these agreements to their users. And some resort to displaying the contents of the transaction to their users in formats which are intended to be parsed by computers, not humans (e.g., JSON,*YAML).
    Both the Chrome Extension and iOS Reference Authenticator Apps leverage the Ricardian Template Toolkit to provide users with a consistent, transparent, and user-friendly presentation of transaction data during the signing process. For more information, see our recent EOSIO Software Release: Ricardian Contract Specifications and the Ricardian Template*Toolkit.
    [IMG]*tNmiY87tgK1lhkDs[/IMG]The Future of Authentication

    While these reference implementations provide interesting, and hopefully compelling, solutions to some of the limitations and issues users face with blockchain wallets today, they are by no means the ultimate solution. We are submitting them to the community as part of the continuing conversation around what the user experience could be. There are still questions to answer, problems to solve, and possibilities to explore. For*example:
    • How do we provide a safe and intuitive whitelisting/autosign experience for users on mobile? The EOSIO Reference Authenticator Apps currently only support manual*signing.
    • If keys are generated in a secure element, such as Apple’s Secure Enclave, how do they get added to a user’s blockchain accounts in a seamless, secure and user-friendly way? And how does this work smoothly in a world with many EOSIO*chains?
    • If keys are stored irretrievably within a secure element, what happens when a user loses their device? How does backup and recovery work without a third-party custodian? And how can multi-device syncing be facilitated?
    • How do we abstract all of the complexity of blockchain away from everyday users who simply want to interact with their websites and apps without having to think about whether or not they’re backed by a blockchain. More generally, how do we bring the security and transparency benefits of blockchain to the masses without sacrificing convenience and usability?
    • Could a blockchain authenticator like this one replace passwords on the web entirely? Could tools like this become general-purpose authenticators that happen to also bring the power of blockchain to everyone using*them?
    Those last questions are especially interesting and are the topic of our recent article, “A Passwordless Future: Building Towards More Secure and Usable Authentication Systems.”
    We believe that the answers to many of these questions lie with the active and engaged EOSIO community. We hope that this open source release, and the many ideas that it brings together will inspire wallet developers to explore new ways of thinking about key management and signing for blockchain, and authentication more generally.
    Next Steps

    If you would like to try the EOSIO Reference Authenticator Apps out for yourself, here are a few resources to get you*started:If you have questions, suggestions, ideas, etc., get involved. We invite you to log issues or submit Pull Requests against these repos. Or fork them and innovate on your*own.
    Stay Connected

    If you are interested in providing feedback and working more closely with our team to improve the EOSIO for developers, you can send our developer relations team an email at
    You can also keep up to date with future updates by subscribing to our mailing list on the EOSIO Developer Portal. We are excited to be regularly improving the usability of the software for EOSIO developers as we continue to lay a foundation for the mass adoption of blockchain technology.
    All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by*them.
    Disclaimer: makes its contribution on a voluntary basis as a member of the EOSIO community and is not responsible for ensuring the overall performance of the software or any related applications. We make no representation, warranty, guarantee or undertaking in respect of the releases described here, the related GitHub release, the EOSIO software or any related documentation, whether expressed or implied, including but not limited to the warranties or merchantability, fitness for a particular purpose and noninfringement. In no event shall we be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or documentation or the use or other dealings in the software or documentation. Any test results or performance figures are indicative and will not reflect performance under all conditions. Any reference to any third party or third-party product, resource or service is not an endorsement or recommendation by We are not responsible, and disclaim any and all responsibility and liability, for your use of or reliance on any of these resources. Third-party resources may be updated, changed or terminated at any time, so the information here may be out of date or inaccurate. Any person using or offering this software in connection with providing software, goods or services to third parties shall advise such third parties of these license terms, disclaimers and exclusions of liability., EOSIO, EOSIO Labs, EOS, the heptahedron and associated logos are trademarks of All other trademarks referenced herein are the property of their respective owners.

    EOSIO Labs™ Release: iOS and Chrome Extension Authenticator Reference Applications was originally published in eosio on Medium, where people are continuing the conversation by highlighting and responding to this story.

    Read More on Medium...
    Cryptocurrency Trading Courses