
lazyAuth

Passwordless authentication for the future of the web.

The problem lazyAuth solves

Legacy Authentication

  1. Sign in with Facebook/Google → no control over data privacy
  2. Sign in with username/password → too many passwords to remember, weak passwords get exploited easily, open to XSS attacks

Authentication with LazyAuth

  1. Simply log in with your crypto wallet.

  2. No external passwords to remember.

  3. Privacy is controlled as all your data is linked only to the wallet address, not any social profiles.

How it works

  1. The user sends the wallet address to the server; the server generates a message (containing a random nonce) that will be signed by the wallet.

  2. The wallet then signs the message, and the signature, along with the wallet address, is sent to the server.

  3. Using ECDSA public-key recovery, the server uses the signature and the message to obtain the signer's public key.

  4. This public key is used to derive the wallet address, and the resulting address is compared to the address the server received.

The above concepts are used to generate authentication states for users, and the aim is to build a Firebase/Auth0-like SaaS providing decentralized login services.

Challenges we ran into

Technical Challenges

  1. To ensure that the generated nonce is truly random, we decided to generate it on the server and send it to the user rather than generating it on the client.

  2. Earlier, the generated nonce was shorter than 65 bytes, which caused errors in the ethers library when recovering the signer from the hashed signature; we fixed that by appending the nonce to a user welcome message.

  3. As for architectural challenges, we decided to go with Redis over a traditional SQL-based database.
