{"id":13537322,"url":"https://github.com/sakurity/securelogin","last_synced_at":"2025-04-12T18:51:15.627Z","repository":{"id":85940010,"uuid":"83187797","full_name":"sakurity/securelogin","owner":"sakurity","description":"This version won't be maintained!","archived":false,"fork":false,"pushed_at":"2019-06-27T20:53:31.000Z","size":54644,"stargazers_count":1219,"open_issues_count":16,"forks_count":35,"subscribers_count":38,"default_branch":"master","last_synced_at":"2025-04-03T21:14:27.159Z","etag":null,"topics":["2fa","authentication","oauth2","password-manager","passwords"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sakurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-02-26T06:20:26.000Z","updated_at":"2025-01-15T08:54:59.000Z","dependencies_parsed_at":"2023-03-04T11:15:18.837Z","dependency_job_id":null,"html_url":"https://github.com/sakurity/securelogin","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sakurity%2Fsecurelogin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sakurity%2Fsecurelogin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sakurity%2Fsecurelogin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sakurity%2Fsecurelogin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sakurity","download_url":"https://codeload.github.com/sakurity/securelogin/tar.gz/refs/heads/master
","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248618225,"owners_count":21134200,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","authentication","oauth2","password-manager","passwords"],"created_at":"2024-08-01T09:00:57.626Z","updated_at":"2025-04-12T18:51:15.607Z","avatar_url":"https://github.com/sakurity.png","language":"JavaScript","funding_links":[],"categories":["\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003eNewly added","JavaScript","JavaScript (485)","others"],"sub_categories":["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003eNewly added"],"readme":"# Do not use! SecureLogin for the existing web is not maintained and will soon be part of a whole new approach based on a blockchain. \n\nReasons:\n\n1. Lack of incentive for website admins to implement this protocol and put the initial friction on the shoulders of the users\n\n2. The web and Chrome app versions compromise on security too much, and the desktop version is way too heavy. The new version is getting rid of Electron and uses pure node.js\n\n3. New protocols are not adopted unless you deliver a 10x improvement. SecureLogin by itself wasn't 10x. \n\nNow SecureLogin is merely 'login', \u003ca href=\"https://github.com/fairlayer/fair\"\u003ea method exposed in the Fairlayer blockchain\u003c/a\u003e. A website can request it, and after the user confirms, the JS gets back a token consisting of the pubkey and a signature of the current origin. Differences from the original SecureLogin:\n\n* No more provider \u0026 client. 
A client different from the provider is only useful for OAuth-like interactions, which would come a long way after making this popular for traditional login\n\n* No more secret \u0026 hmac given separately - the pubkey does the signing job.\n\n* No more timestamp - if you managed to obtain the signature once, you could do it again.\n\n* No more scope - scope could be useful in financial apps only, and Fairlayer itself has payments inside.\n\n__So it's not dead, but re-incorporated as a simple API into something that has much more potential, has a monetization model and fixes a much more important problem than merely authentication on the web.__\n\n\n\n------\n\n## SecureLogin Protocol\n\n[![Join the chat at https://gitter.im/secureloginpw/Lobby](https://badges.gitter.im/secureloginpw/Lobby.svg)](https://gitter.im/secureloginpw/Lobby?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)\n\n### Abstract\n\nBefore you dig into the details, try the demos: \u003ca href=\"https://cobased.com\"\u003eRails demo\u003c/a\u003e, \u003ca href=\"https://passport-securelogin.herokuapp.com\"\u003eNode.js demo\u003c/a\u003e\n\nSecureLogin is a decentralized authentication protocol for websites and apps. Classic passwords/2FA are poorly designed, hard to back up and inconvenient to use. SecureLogin is an all-in-one solution that creates a cryptographic private key from your email and master password to sign in everywhere and helps you forget about passwords.\n\n\u003ca href=\"https://medium.com/@homakov/securelogin-forget-about-passwords-c1bf7b47f698\"\u003eBlog post on the 1.0 release and our Principles.\u003c/a\u003e\n\nHere are the major problems it solves:\n\n1. __Password reuse__: SecureLogin's #1 goal is to fix password reuse and simplify the authentication process. It should work for everyone, not only for geeks.\n\n2. 
__Convenience__: the existing onboarding process is a disaster for conversion: Email, confirm email, password, confirm password, wait, you need one digit and one capital letter, think of a new password, sign up and go to your email box to click \"Confirm My Email\" for the 1000th time in your life. **With SecureLogin, it's just two clicks.**\n\n3. __Centralization__: Currently every account depends on an email, which can be used to set a new password. Email is very centralized - the majority use services like Gmail. This is even worse for SMS, which is owned by telecom corporations. This attack is currently exploited in the wild only against political activists, but there's no need to wait for someone to hack a major email/SMS provider – __with SecureLogin there's no central authority, no central server and no way to hijack your account__.\n\n4. __Man-in-the-Middle__: the interaction between the user's computer and the server is often compromised in between: broken HTTPS, CloudFlare, malicious browser extensions, Man-in-the-Browser and XSS can be prevented when the user explicitly signs every critical transaction. \n\n5. __Malware__: SecureLogin 2.0 with Doublesign stops malware trying to act on behalf of your account – usually to steal your money. Doublesign is like a \"two-man rule\" - the server must verify two signatures of the \"scope\", which includes every detail of the transaction, e.g. SWIFT, amount, currency, account number or Bitcoin address. The entire transaction is signed on both devices (usually desktop + mobile), so a compromise of one of them wouldn't be enough to empty your bank account (unlike how it is now).\n\n6. __Phishing__: Many security experts tend to say phishing is the problem of users not looking at the URL they type their password on. It's totally wrong. 
We believe phishing is an extremely important problem and we built the protocol in a way that makes phishing impossible: every message is either sent to a web page/extension via postMessage, revealing the real `event.origin`, or to a native app via `ws://127.0.0.1:3101`, revealing the `Origin` header.\n\n### SecureLogin vs X\n\nSecureLogin is not an OAuth or Single Sign-On like Mozilla Persona or Facebook Connect, not a password manager, not a new 2FA option. It's all three in one protocol.\n\nLet's list all popular auth methods and some esoteric ones to see how they deal with these problems for normal users. \n\nPlease note, password managers are not in the table because there's no such thing as a \"password manager auth method\" - a manager is simply not enforceable. However, there is a tiny 1% of password manager __users__.\n\n\nScheme | Decentralization | Usability | Anti-Malware | Anti-Phishing | Cost / Scalability\n--- | --- | --- | --- | --- | ---\nStandard | Email provider can set new pw | Poor | No | No | **Free**\nStandard + TOTP | **Decentralized** | Poor UX and backups | Delayed, not prevented | No | **Free**\nStandard + U2F/Yubikey | **Decentralized** | Worst UX, no usable backup | Delayed, not prevented | **No phishing** | $18+ per dongle\nStandard + SMS / Authy / Duo | \"2nd factor\" is a CA. Vendor lock-in | Overhead UX | Delayed, not prevented | Not fixed | $3+/mo/user Duo, $0.1/Authy request, $0.05/SMS\nMagic Links on Email / Mozilla Persona | Email provider is CA | **Greatly improved UX**: (see Slack or Medium) | No | **No phishing** | **Free**\nOAuth / OpenID / SAML / SSO | Identity provider controls your account. 
Vendor lock-in | **Best UX: 2 clicks** | No | **No phishing** | **Free**\nSecureLogin |  **Decentralized** | **Best UX: 2 clicks** | 2.0 has scope-specific signatures | **No phishing** | **Free and Open Source**\n\n\n# How does it work?\n\n\u003ca href=\"https://github.com/sakurity/securelogin-spec\"\u003eSee the Protocol Specification\u003c/a\u003e (being finalized now)\n\nCheck out the \u003ca href=\"https://github.com/homakov/cobased/blob/master/app/controllers/application_controller.rb#L33-L76\"\u003ereal verification Ruby code for our Playground\u003c/a\u003e. **Please get in touch** for any help with implementation.\n\n### Add SecureLogin in 5 minutes\n\n#### Implementations\n\n##### Ruby (Reference implementation)\n\n`gem install securelogin`\n\n- [Rails demo](https://github.com/homakov/cobased)\n\n#### Libraries\n\n##### Node.js\n\n- [node-securelogin](https://github.com/andrewda/node-securelogin)\n- [passport-securelogin](https://github.com/andrewda/passport-securelogin)\n\n##### Go\n\n- [securelogin](https://godoc.org/github.com/vladimiroff/securelogin)\n\nHelp is needed with implementations for the top 20 of [hot frameworks](https://hotframeworks.com/)\n\n## FAQ\n\n### 1. Password managers already exist, what's the point?\n\nFirst, the market penetration rate of password managers is a joke - less than 1%. You may use one, some of your friends may use one, but the rest of the world does not and will not. They are not enforceable on your users. \n\nSecond, they are very inconvenient, especially on mobile. They try to act like a human, looking for inputs and prefilling them. SecureLogin makes websites implement a well-defined authentication protocol instead. \n\n**The most popular managers are not even open source and cost money.** Using closed-source software is a giant no-no for this kind of product.\n\nBut more importantly, they do not solve the problem that all our accounts belong to centralized email services via \"Reset my password\" functionality.\n\n### 2. 
The master password is a single point of failure in this system\n\nYes, like in all password managers, there's no way to recover your private key without a password or recovery key. \n\nThere's a common **misunderstanding that email is any different**: try to reset your Gmail password now (a backup email doesn't count as it's just turtles all the way down).\n\nAt the end of any authentication scheme there will be a password that you just cannot forget. In SecureLogin we removed unnecessary levels of \"backups\" and \"recovery codes\"; our scheme boils down to one master password, not to a master password **and** a backup file/paper/SIM card/email account etc. \n\n### 3. The web version is easier to use. Why install native apps?\n\nAlthough the web version exists, no one should use it for anything serious. Users should install native clients, which don't depend on the securelogin.pw web server and generate the private key much faster than JavaScript.\n\n### 4. Is it open source? Will it be free in the future?\n\nThe protocol and the client are completely open source. They are free now and they will remain free in the future. There is no monetization plan except the one where Sakurity gets more clients for saving the Internet from a two-decade-long problem.\n\nIt is not even technically possible to start charging money for anything: the protocol works client-side, no external servers, no API. It's not a promise, it's a fact.\n\n### 5. Is it only for websites? What if we have a mobile app?\n\nIt supports desktop and native apps as well. But because custom protocols are not registered in a public repository like domains are, provider/client parameters are limited to the web origin format. You're free to pass `sltoken` back to your app:// from your web-based `client` URL.\n\n### 6. Can it be trusted? What if there's a backdoor?\n\nCurrently it's ~600 LOC in JS and 200 LOC in HTML. Most programmers can audit it in an hour. 
There are instructions to build it for all platforms, and we're doing our best to implement reproducible builds as soon as possible.\n\n### 7. How do I change the master password?\n\nJust click inside the app and change it. See the wiki: https://github.com/sakurity/securelogin/wiki/How-password-is-changed\n\n## Compatibility \u0026 known issues\n\nThe core functionality of SecureLogin is based on opening the native app, getting a signed `sltoken` and returning the user's focus back to the same page. It's not easy at all.\n\n### macOS\n\nChrome, Firefox: great. In Full Screen mode it's possible to focus back using alert() in Chrome (in Firefox alert does not focus)\n\nSafari: OK. No way to avoid the 'Do you want to allow this page to open “SecureLogin.app”?' dialog every time. 3 clicks required. Requires an extra HTTP server for the proxy page.\n\nTorBrowser: `SecurityError: The operation is insecure` when trying to open `securelogin://`\n\n### Windows 10\n\nEdge: does not support custom protocol handlers like `securelogin://`. At all. They don't provide any roadmap. Use the Web version.\n\nChrome, Firefox: great.\n\n\n### Linux\n\n\n\n### iOS\n\nAll in all, iOS and Safari are quite hostile to the flow SecureLogin uses on all other platforms.\n\nIt takes **5 clicks** to get through the regular login experience, while just 2 for all other platforms:\n\n1. The SecureLogin button opens a window that has another button to open the SL client\n\n2. Clicking the second button opens a third window (yes, it's required) where Safari finally asks to open the app\n\n3. Confirm opening; now the HTTP \u0026 WS servers are running. The 2nd tab is redirected to :3102/proxy.html and sends a message to the WS with the auth request\n\n4. Confirm the request inside the app\n\n5. Press the tiny \"Back to Safari\" sign in the top left corner of the screen.\n\nOnly 1 and 4 are required on other platforms. Due to the bad UX and Safari not following the spec, we are dropping the iOS app for now. 
Users should use the web app (the security of a native app on iOS is actually imaginary - the platform is way too closed down). We will iterate back to it and try to fix it with an Action Extension for Safari (the way 1Password works right now). \n\n### Android\n\nChrome: great.\n\n\n## Chrome Extension\n\nIf you want to, side-load the CE directly from this repository. Preserve `\"key\"` inside manifest.json - it keeps the chrome-extension URL static.\n\n`zip -r www.zip www -x *.git*` \n\nDon't forget to ignore .git when packing for the Chrome Store.\n\n## Cordova\n\nCordova is used for the iOS and Android platforms. It's not exactly a smooth platform, and there will be native clients in the future, but it does the job.\n\n```\ncordova create sl SecureLogin\ncd sl\n\ncordova platform add android\ncordova platform add ios\n\ncordova plugin add https://github.com/Crypho/cordova-plugin-scrypt.git\ncordova plugin add cordova-plugin-customurlscheme --variable URL_SCHEME=securelogin\ncordova plugin add cordova-plugin-splashscreen\ncordova plugin add cordova-plugin-whitelist\ncordova plugin add cordova-plugin-device\n```\n\nThe plugins are ready, so the last step is replacing www with our codebase:\n\n```\nrm -rf www\ngit clone git@github.com:sakurity/securelogin.git www\n```\n\nNow you can use `cordova run ios` / `cordova run android`\n\n## Electron\n\nElectron is employed for the macOS, Windows and Linux apps.\n\n\u003ca href=\"https://github.com/sakurity/securelogin-electron\"\u003eUse this repository.\u003c/a\u003e Here are some useful commands for building packages for distribution.\n\nOutside of the Mac App Store\n\n```\nelectron-packager . \"SecureLogin\" --osx-sign --overwrite --arch=x64 --icon=www/electron.icns\nelectron-installer-dmg SecureLogin-darwin-x64/SecureLogin.app SecureLogin\n```\n\nFor the Mac App Store\n\n```\nelectron-packager . 
\"SecureLogin\" --platform=mas --osx-sign --overwrite --arch=x64 --icon=www/electron.icns\n\nelectron-osx-flat SecureLogin-mas-x64/SecureLogin.app\n```\n\nFor Windows\n\n```\nelectron-packager . \"SecureLogin\" --overwrite --arch=x64 --platform=win32\n```\n\n\n\n## Roadmap\n\nSee Issues and Projects.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsakurity%2Fsecurelogin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsakurity%2Fsecurelogin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsakurity%2Fsecurelogin/lists"}