Discussion about Sky ID

Hi!

I’m already working on Sky ID, a new secure-by-design authentication system for Skynet. Before I finish, I want to hear your feedback.
Thanks to taek, redsolver, kreelud, Mortal-Killer, RLZL, and the others (sorry if I forgot someone, my memory is like RAM) we made an RFC for Sky ID:

  • You can choose any username you want

  • Making a new account: you generate a master-key (a random seed, or a password with a salt. Using a normal password is not recommended. If the password is too weak, we need to print out “this password is weak, a hacker can break it in 10 days” or something like this) and derive a pubkey from it. You also save your personal data (pubkey, username, avatar, etc.) to a SkyDB file signed with your private key.

  • Using a Sia seed for login is not only secure, but also practical: you can use your app-tokens to receive & store Siacoins separately, so apps cannot spend other apps’ funds.

  • Sign in to apps: the experience will be the same as when you use “login with Facebook”. It redirects to SkyID, and if you accept the connection, you generate an app-token (private key), so the app can sign anything and prove that this SkyID user signed this file, while it does not know your master-key. While Skapps are separated, the user only needs to remember his master-key, because all app-tokens are generated from the master-key (see Hierarchical Deterministic Keys).

  • If you own your username on Handshake, you can put a TXT record on the Handshake blockchain with your public key to verify that you own the name. You then will be the only person with this exact username who has a green checkmark before that name on every app using Sky ID.

  • You can connect your Sky ID with an existing social account by

    • signing the username on that social media platform with a timestamp and the platform domain with your private key

    • and posting this signature on the social media page with your public id

    • Some proofs (for example Reddit) could be automatically verified by every client, which would then show a Reddit icon with the link to that account behind your Sky ID username on every platform using Sky ID. Other proofs like Twitter, which can’t be automatically verified, could be greyed out, and you would need to click on that icon to check the proof tweet yourself.


Many of you asked why we need to forbid average passwords and use seeds instead. On a normal centralized website, sha256(password+hash) is not public. On Skynet, it is public, so the only thing to do is to force the use of strong seeds. Think about why Sia transactions are signed with seeds and not passwords.

Salting still helps because it makes lookup tables more difficult.


Yeah right, thank you, modified

@kreleud
That might actually be handy for the problem I mentioned earlier. If each app has its own key, you can require it to sign any upload/download requests and rate limit those things.
(thinking mostly about portals controlled by the user)

Questions I have about the usage of Hierarchical Deterministic Keys

  1. How can the user revoke a sub-key? Content signed by a revoked key should be marked as such in every skapp (Example: the user registers on a compromised skapp and the attacker can use this key to sign content as the victim)

  2. How good is the hardware wallet support for HD keys? (Example: User just wants to use hardware wallet for “registering” on new skapps or account-related operations)


Hi!
Thanks for the great questions!

  1. Every pubkey and app-name (defined by the apps and verified by the users when connecting a new app) will be stored in a registry, so basically every user has its own pubkey list and everyone can verify it. If the user revokes a sub-key it will be marked as revoked, so again, everyone will see it. I’ll implement these things to make it easier to integrate Sky ID. (Maybe there are other solutions, feel free to share.)

  2. Ledger supports message signing, so if the message is short enough, you can sign it and publish it on Skynet without revealing the seed stored on your hw. It is a very interesting idea, I love it, I’ll investigate how we can implement it without breaking the user experience. Time to buy a hw for me :laughing:


One thing I’m more confident of as I continue thinking about an ID system is that all ID systems should boil back to a core seed that we give to the user. That seed should be generated by an encoding, not by hashing. If the seed is generated by an encoding, then all identity systems will be interchangeable at least at the deepest level.

If for example one app gets a seed by hashing a picture, and another gets a seed by hashing a username + password, those apps are incompatible (can’t use the same seed) because you can’t get the preimage for both techniques. But if each app has a reversible way to encode an image into a seed or encode a username+password into the seed, then a user can switch between them but keep the same seed.

Sorry, I think (and I hope) you misunderstood something. (I’m really sorry about not having great articles about it, but I just want to make it first as you did SkyDB)

SkyID is a skapp. When you register, it generates a random seed, call it the master-key.
When you register/login to a skapp, you’ll be redirected to SkyID. It will generate new keys dedicated to this app. Every time you log in, the app will receive the same keys thanks to HD key generation.
There are no passwords anywhere, nor images. You only have 1 seed. You only need to log in to SkyID and then connect apps with it, just like when you log in to a website with Facebook.

Ok got it, I was misunderstanding how it worked. Thanks for the call to explain it, I’m looking forward to seeing a demo!

Demo video: https://siasky.net/fAXJZ7KboODTcUsqZwOVtWNqInSe7rY7MnVHneSpO8guHQ

There are 3 levels of keys (HD keys):

  • SkyDB master-key
  • App keys (generated by SkyID skapp)
  • in-app keys (generated by the app)
