Ever struggled to explain all the hoops (keys, password, login methods, etc.) to newcomers when they sign up? This improvement changes that.
Ecency uses Hivesigner as one of the login methods on both the website and the mobile app. In this slightly technical post, we explain the new additions.
Hivesigner OAuth2 is powerful: it lets us put proper access control on our internal APIs (limiting brute-force and other abuse), and, because applications never receive your private keys, it keeps them out of the hands of attackers and abusers. Only you have access to your keys.
OAuth2 flow
The OAuth2 login flow is simple: the user clicks the Hivesigner button, is sent to Hivesigner.com, logs in there and is redirected back to the application with an access_token. Every application that integrates Hivesigner therefore already handles redirects from Hivesigner.com, extracts the access token, verifies it and logs the user in. None of the apps ever see your private keys or password, only the access token. The access token is essentially a message signed with your key that proves who you are; the application can verify it without ever holding that key.
API security
Users obtain an access token from Hivesigner in order to use Ecency, and we verify those tokens before allowing access to sensitive data through our API. Pretty neat, right? Hive's own key infrastructure ends up securing third-party APIs such as ours. With the same access token you can also perform all the usual social actions in Hive apps.
1-Click login
So how does our onboarding work? It creates the account with randomly generated keys, puts the details into an email and wipes its own copy of them right away.
Since our applications already consume access tokens, and we are also the ones onboarding people, we had the idea of obtaining an access token from Hivesigner and including it in the email as well; everything is wiped from our side once the email is generated. The link in the email uses the same OAuth2 redirect path our applications already understand.
The result is a literal 1-click login.
The screenshot above shows how the onboarding emails look after this change. No more copying the username and password to the clipboard and entering them by hand on the website or in the mobile app: you get the signup email, click Try 1-Click login, and you are already inside Ecency.com or the Ecency mobile application. Security note: the link is a bearer credential, so anyone who can read the email can use it while it is valid; for that reason it only works for the first 7 days. After that it stops working and you have to log in with your credentials, at which point the website/app generates a fresh access token in the usual way.
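As an added illustration that is not Ecency's or Hivesigner's own code, the following JavaScript shows the two sides of the redirect described above: building a 1-click login link that carries the token, and parsing a callback URL defensively before the token reaches the login code, including the expiry window. It assumes the callback parameters are named access_token, expires_in and username, uses an approximation of Hive's account-name rules, and runs on constructed sample values.

```javascript
// Added example (not Ecency's or Hivesigner's own code): building and
// consuming a Hivesigner-style OAuth2 redirect link, as used for the
// 1-click login email. Assumptions: the callback carries access_token,
// expires_in (seconds) and username as query parameters, and the app
// only trusts callbacks on the origin it registered with Hivesigner.

// Approximation of Hive account-name rules (assumption): 3-16 characters,
// dot-separated segments of lowercase letters, digits and dashes, each
// segment at least 3 characters, starting with a letter and ending with
// a letter or digit.
const HIVE_NAME_RE =
  /^(?=.{3,16}$)[a-z][a-z0-9-]+[a-z0-9](\.[a-z][a-z0-9-]+[a-z0-9])*$/;

// Build the callback URL that goes into the onboarding email. The token is
// a bearer credential: whoever holds this link can log in as the user.
function buildOneClickLoginLink(callbackUrl, { token, username, expiresIn }) {
  const url = new URL(callbackUrl);
  url.searchParams.set("access_token", token);
  url.searchParams.set("username", username);
  url.searchParams.set("expires_in", String(expiresIn));
  return url.toString();
}

// Parse the redirect the app receives (from Hivesigner or from the email
// link) and reject anything malformed before the token reaches login code.
function parseHivesignerRedirect(redirectUrl, allowedOrigin) {
  const url = new URL(redirectUrl);
  if (url.origin !== allowedOrigin) {
    throw new Error(`unexpected redirect origin: ${url.origin}`);
  }
  const token = url.searchParams.get("access_token");
  const username = url.searchParams.get("username");
  const expiresIn = Number(url.searchParams.get("expires_in"));
  if (!token || !username) {
    throw new Error("missing access_token or username");
  }
  if (!HIVE_NAME_RE.test(username)) {
    throw new Error(`invalid account name: ${username}`);
  }
  if (!Number.isInteger(expiresIn) || expiresIn <= 0) {
    throw new Error("invalid expires_in");
  }
  // The token is opaque here; the app must still verify it server-side
  // (Hivesigner's API can tell you which account it belongs to) before
  // trusting the username it claims.
  return { token, username, expiresIn };
}

// Enforce the lifetime of an emailed link: issuedAtMs is when the email was
// generated, expiresInSec the token lifetime (7 days in the post above).
function isLinkUsable(issuedAtMs, expiresInSec, nowMs) {
  return nowMs - issuedAtMs < expiresInSec * 1000;
}

// Demo with constructed values.
const demoLink = buildOneClickLoginLink("https://ecency.com/auth", {
  token: "constructed-demo-token",
  username: "newuser",
  expiresIn: 7 * 24 * 3600,
});
console.log(parseHivesignerRedirect(demoLink, "https://ecency.com"));
```

The origin check matters because the token sits in the URL: an app that accepts the callback parameters from any page it happens to be opened on would let a crafted link inject an attacker's token, and the server-side verification step is what ties the token to a real account rather than to whatever username the query string claims.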
Other changes
We have made a few other changes to the onboarding flow. In the most recent website and mobile app releases we simplified and unified the Signup pages, so the experience is the same on both platforms, improved the username checks, and relaxed the IP quality checks on the backend.
We continue to serve the web3 community by providing one of the best onboarding experiences.