from Hacker News

One-Click Anonymous Login

by fapi1974 on 4/16/21, 6:59 PM with 97 comments

  • by minitech on 4/16/21, 7:33 PM

    Followed the links to here: https://github.com/bluenumberfoundation/humanid-documentatio...

    > To make it more difficult to brute force, when generating the humanID Account ID, we will concatenate the phone number with a Salt Key (another string that will be appended before the hash).

    > sha512hash ( Salt_Key + Phone Number ) = Hash Result

    This is a complete joke (a SHA-512 of a phone number can be brute-forced on a typical computer in a fraction of a second). I doubt the rest of the protocols and cryptography are any better.

    Also, phone numbers are not unique identifiers for people. Real people, malicious or not, have multiple or no phone numbers (or phone numbers that can’t receive SMS). I haven’t found a clear answer yet as to whether SMS verification is the only proof step but it seems like that’s the case.

  • by tootie on 4/16/21, 7:31 PM

    So, this doesn't look like they've actually broken any new ground here that you can't achieve with existing commercial products like Okta or Auth0. They're taking an extra step of asking you to store hashes of their hashes. Which actually feels less secure since if hackers get their hashes, that as good as getting clear passwords to login directly your site? I'm not actually clear on that.

    But either way, the diagram says they're hashing phone numbers, so presumably that means they authenticate by typing in their phone number which is a terribly password since you give you phone number out to people so they must also send a TOTP via SMS which is better, but not great. NIST has started recommending not to use SMS for out-of-band authentication. Either way, this whole chain of events just delegates authentication your mobile carrier. Same thing if you send a TOTP to an email address. It feels more seamless, but really you're just delegating auth to their email provider. No different that using OAuth.

  • by dang on 4/17/21, 1:11 AM

    The submitted title was "My company got pitched on anonymous sign in – curious to hear pros and cons". Submitters: please don't do that. If you want to add a question or a gloss on an article, that's fine, but do so by posting a comment to the thread.

    "Please use the original title, unless it is misleading or linkbait; don't editorialize."

    https://news.ycombinator.com/newsguidelines.html

  • by fundamental on 4/16/21, 7:16 PM

    At least looking at the archive.org version of the site it looks like just providing a way of building a username out of hash(phone number, website). I'm not seeing information about passwords or authentication and I wouldn't treat knowledge of someone's phone number to be at the same level of a password.

    So, to me it looks like marketing hype without substance. It would be useful for the site to be online and not giving 500 errors though to see if they had anything else.

  • by wideareanetwork on 4/16/21, 7:31 PM

    Users expect signin to work the way they expect it to work.

    I once implemented a non standard signin where all that was needed was an email link which kept you signed in.

    Users hated it.

    They actually went to the trouble of complaining and no doubt it lost me potential signups.

    These days I only ever do normal email and password signup.

  • by freeopinion on 4/16/21, 8:39 PM

    The site is toast, so I can't read how it works, but I will comment in general on 3rd-party auth.

    I refuse to use sites that require 3rd-party auth. If I have a problem logging in to your site, I want to reach out to you and get it resolved. I don't want you to say, "We don't have any ability to address auth issues on our own site. Take it up with <completely unrelated site>." I don't want my account with you to be suspended because I had a falling out with Facebook or Google or anybody else that is not you.

  • by nvartolomei on 4/16/21, 7:08 PM

  • by aww_dang on 4/17/21, 7:14 AM

    Expect more pushes for a fixed digital identity. Check the id2020 initiative. Gatekeepers are not fans of the pseudonyms we've been using since the early days of the Internet.

    >Our Vision: One Digital Identity per Human – both Anonymous and Accountable...billions of fake user accounts undermining our societies.

  • by arkitaip on 4/16/21, 7:16 PM

    What are the use cases for anonymous logins from a business POV? Even if you are legit pro customer privacy, this feels like it requires some fundamental changes in how your business perceives and treats its customers, not just their data.

  • by kwhitefoot on 4/17/21, 6:57 AM

    > Our Vision: One Digital Identity per Human – both Anonymous and Accountable

    Why would I want to use something that allowed me only one identity?

    And if I have to give away my mobile number it is hardly one-click.

    And a lot of the stuff that other comments have mentioned!

  • by kevincox on 4/16/21, 8:24 PM

    It seems like SMS-based auth, with the "gimmick" that I trust this website instead of your website.

    So already I won't use it because I don't want to authenticate via SMS. It also raises the immediate question of what happens when I change my phone number?

    But why should I trust this website more than your website? Unless your website is fully zero-trust it is probably better to trust you to throw away my phone number than handing my phone number to this company and other data to your company.

  • by leshokunin on 4/16/21, 7:04 PM

    Getting a 500 error

  • by ANEDI on 4/17/21, 10:20 AM

    There is interesting project called Idena.

    Prove you are human with validation as public turing test done on blockchain. There is simple one click login and it's used now on Gitcoin.

    Website: https://www.idena.io/

  • by Groxx on 4/16/21, 7:26 PM

    Prevent abusers, single stable identity per human, but you can't cross-reference the identifiers and they don't store anything.

    ... color me suspicious. I'd read the technical details, but I can't seem to find any through the wayback archive.

  • by RileyJames on 4/17/21, 4:04 AM

    Hmm this is something I’d like to implement in some sites. I’ve been considering integrating with something like ActivityPub to enable user accounts without “more user accounts”.

    Minimum viable user & social features.

  • by ksm1717 on 4/16/21, 7:22 PM

    Every entity I interact with online collects my data. The saving grace is that they don’t often compare notes. I do not want any entity to have all of my data, even if it has my ssn redacted

  • by bastianpurrer on 4/17/21, 5:35 PM

    one of the humanID founders here. Very much appreciate the feedback, and also appreciate those that addressed concerns before we could. Always open to those that want to help fix any technical issues they might find - the team is fully nonprofit & open source, you're more than welcome to help!

    Also, to be clear, while the site was down for an hour, the login never was, as we have set that up independently from the site.

  • by godelski on 4/16/21, 7:35 PM

    How's it actually work? How are you actually making the login anonymous? If a website is able to fingerprint us then are we still anonymous?

  • by johnhess on 4/16/21, 7:13 PM

    Are you interested in the technical pros/cons, or the pros/cons for your user community? What's your company do?

  • by iou on 4/17/21, 6:42 AM

    Why has this been up-voted so much? This is so bad compared to something modern like WebAuthN

  • by ChrisArchitect on 4/17/21, 10:50 PM

    clicked the 'Try' option. Got to the part asking for a phone number. Closed.

  • by supergirl on 4/17/21, 12:37 PM

    a lot of marketing and no substance. is it just like a jwt?

  • by avipars on 4/16/21, 7:16 PM

    site down

  • by endisneigh on 4/16/21, 7:30 PM

    I'd say the main con is that the site isn't reliable. I'm not being facetious. If you're going to use 3rd party sign on, being on the front page of HN shouldn't be enough to bring it down. Imagine if you posted your company's site instead of the underlying technology and your sign-in was negatively affected.

    My personal feelings, that aside, is that though many of us are privacy conscious, adding more and more dependencies to your site results in us having to trust more entities. Even if they don't store anything, we have to trust they aren't lying, that redirection is implemented properly, etc.

    I think the best thing you can do if you care about the privacy of your users is minimize the amount of information necessary. So if your site doesn't require email, don't take it. If a phone number isn't necessary, don't ask for it. Use usernames, only ask for an email when the user is doing something that would require it (e.g. they need a receipt).

    One thing that I love is when a site actually gives you a temporary username the minute you visit the "app" portion and you can use the site as if you created an account without having to do anything. That's usually a sign that the administrators really do care about you not jumping through hoops.