The client-facing implementation of Phoenix Authentication is a natural successor to legacy two-factor authentication solutions. Applications like Google Authenticator and Authy rely on access to shared secrets, and those secrets are vulnerable to hacks and data breaches. With Client Phoenix Authentication, users' secrets never leave their device. On the backend, we use the blockchain to eliminate reliance on trusted third parties while ensuring that users can still verify sign-in and other requests with the click of a button.
Unfortunately, message signing in Ethereum is implemented inconsistently across software packages. Our view is that only message hashes should be signed, never raw messages, and that the Ethereum signed-message prefix may optionally be prepended to the message hash before the result is hashed again. The table below summarizes the acceptable encodings:
Acceptable | Message | Encoding | Output |
---|---|---|---|
✅ | "123456" | keccak256("123456") | 0xc888c9ce9e098d5864d3ded6ebcc140a12142263bace3a23a36f9905f12bd64a |
✅ | "123456" | keccak256("\x19Ethereum Signed Message:\n32", keccak256("123456")) | 0x5f7d8a4ff77887137c0e2f0b7f157f4b41bbc2950dbe9453b1342f6d28b820cd |
❌ | "123456" | keccak256("\x19Ethereum Signed Message:\n6123456") | 0x2912723b3ed60c075b271f075d881d82fa5de112b6c25f7dfa4cab85de25045a |

Notes: Arguments to keccak256 are tightly packed. The Output column gives the result of each encoding.
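As an added illustration of the table above (not code from the Phoenix Authentication client), the following Python builds the three encodings on top of a self-contained Keccak-256 so it runs with no dependencies; `prefixed_hash`, `prefixed_raw` and `accepted_form` are assumed helper names, the last one showing a verifier-side check that accepts a submitted digest only if it matches one of the two acceptable rows.

```python
MASK = (1 << 64) - 1
_rotl = lambda v, n: ((v << n) | (v >> (64 - n))) & MASK
def _constants():  # Keccak round constants (from its LFSR) and rho rotation offsets
    rcs, r = [], 1
    for _ in range(24):
        rc = 0
        for j in range(7):
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF
            if r & 2:
                rc |= 1 << ((1 << j) - 1)
        rcs.append(rc)
    rot, x, y = [0] * 25, 1, 0
    for t in range(24):
        rot[x + 5 * y] = ((t + 1) * (t + 2) // 2) % 64
        x, y = y, (2 * x + 3 * y) % 5
    return rcs, rot
RC, ROT = _constants()

def _keccak_f(a):  # Keccak-f[1600]; lane (x, y) lives at index x + 5*y
    for rc in RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]  # theta
        b = [0] * 25
        for i in range(25):  # rho + pi: lane (x, y) rotates and moves to (y, 2x + 3y)
            b[i // 5 + 5 * ((2 * (i % 5) + 3 * (i // 5)) % 5)] = _rotl(a[i], ROT[i])
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]  # chi
        a[0] ^= rc  # iota
    return a

def keccak256(data: bytes) -> bytes:  # rate 136; original Keccak pad (0x01 ... 0x80), not SHA3's
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)
    buf[-1] |= 0x80
    a = [0] * 25
    for off in range(0, len(buf), 136):
        for i in range(17):
            a[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i].to_bytes(8, "little") for i in range(4))

PREFIX = b"\x19Ethereum Signed Message:\n"  # the Ethereum signed-message prefix
def prefixed_hash(msg: bytes) -> bytes:  # row 2: prefix + "32" + keccak256(message), hashed again
    return keccak256(PREFIX + b"32" + keccak256(msg))
def prefixed_raw(msg: bytes) -> bytes:  # row 3 (rejected): prefix + len(message) + raw message
    return keccak256(PREFIX + str(len(msg)).encode() + msg)
def accepted_form(msg: bytes, digest: bytes):  # name of the acceptable encoding a digest matches
    forms = {"hash": keccak256(msg), "prefixed_hash": prefixed_hash(msg)}
    return next((name for name, d in forms.items() if d == digest), None)
```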
- This folder has a suite of tests created through Truffle.
- To run these tests:
  - Download the code.
  - Navigate to the `phoenixAuthentication-client` folder in your terminal.
  - Make sure you have Truffle and Ganache installed: `npm install -g [email protected] ganache-cli`
  - Install web3 and ethereumjs-util: `npm install [email protected] ethereumjs-util`
  - Spin up a development blockchain: `ganache-cli --seed --port 8555`
  - Run the test suite: `truffle test --network ganache`
Copyright 2020 The Phoenix Technology Corporation under the GNU General Public License v3.0.