Dive Into the Mechanism of EverID

Web3 is booming, and Arweave is becoming a popular infrastructure choice for developers. PermaDAO is a community where everyone can contribute to the Arweave ecosystem. It's a place to propose and tackle tasks related to Arweave, with the support and feedback of the entire community. Join PermaDAO and help shape Web3!

Author: Evelyn @ Contributor of PermaDAO

Translator: Evelyn @ Contributor of PermaDAO

Reviewer: Xiaosong HU @ Contributor of PermaDAO

EverID is the identity account system for managing crypto assets in the everPay network. It allows users to quickly create everPay crypto asset accounts through various methods such as a crypto wallet address or email address. The beta version of EverID is currently available at http://beta.everpay.io and is in the invitation-only phase with plans for further expansion. Many people are curious about how EverID implements registration using an email address. This article will go through what EverID is, the signature mechanism of wallet addresses, and the FIDO2 authentication system-based EverID.

What is EverID

EverID is the identity account system for managing crypto assets in the everPay network. Its introduction significantly lowers the barrier for users and bridges the gap between Web2 and Web3, making it easy for users in traditional industries to have non-custodial accounts and manage their assets.

EverID's account management has two main mechanisms: the first is the wallet address-based account, consistent with the way other blockchain projects use wallets; the second is the account based on the FIDO authentication system, through which users can use email addresses or biometrics and other ways to quickly create an everPay crypto asset account. This greatly reduces the threshold for users to use Web3 asset accounts.

Next, we'll start with the wallet's signature mechanism and move on to EverID's own FIDO-based operation. Everyone interested in EverID will be able to learn more about EverID's operation mechanism and its reliability through this article.

Wallet Signature Mechanism

Wallets seem to be an essential tool for every user when using blockchain products. So, how does the mechanism work for users to manage their assets using wallets?

Specifically, each user needs to use the wallet software to generate a public-private key pair based on an asymmetric cryptographic algorithm when creating a wallet. The public key is the user's wallet address, which can be disclosed to the public; while the private key needs to be stored in the user's device or other secure media. Among them, the private key can generate the public key through the SHA256 algorithm, but there is no way to deduce the private key through the public key.

When users want to transfer tokens, they need to use the private key to sign each transaction to ensure the security and authenticity of the transaction. The miner will verify the correctness of each transaction through the transaction signature, and only the verified transactions will be packaged on the blockchain. In the blockchain network, other users can view the user's transaction records or transfer money to the user through the wallet address (public key), but only the user with the corresponding private key can complete the transaction.

Why is this mechanism needed? Asymmetric encryption algorithms ensure the security of user data and transactions, avoiding the theft or tampering of assets. The person who owns the private key has the right to dispose of the assets.

Downloading the wallet APP is the first step for almost every newcomer to Web3, and it is also a roadblock for novice users to navigate Web3. The tedious operation process of downloading a wallet and the cognitive threshold of private key management bring multiple obstacles to users. But is there a simpler way to manage assets? The answer is yes, and the simpler solution is a FIDO-based account system.

The EverID is based on the FIDO account system

FIDO is known as Fast Identity Online, a set of identity authentication framework protocols. FIDO can improve Internet security and user experience, solve common user authentication problems, and provide users with more advanced, safer, and more convenient authentication, directly solving the problem of relying too much on traditional passwords. Authentication using the FIDO standard significantly reduces the risk of identity theft and other cyberattacks, while also making it easier for users to authenticate themselves using their electronic devices and applications. FIDO's account system can be integrated with a variety of applications and services, and through the use of biometrics (e.g., fingerprints or facial recognition) or physical security keys, etc., it is possible to authenticate the user's identity.

FIDO2, officially released in 2019, is the second version of the FIDO family of specifications. It consists of two parts: CTAP (Client to Authenticator Protocols) and WebAuthn.

• CTAP: allows authentication on FIDO2 enabled browsers and operating systems via USB, NFC, or BLE using an external authenticator (e.g. FIDO security key, mobile device) to provide a password-less, secondary authentication, or multi-authentication experience;

• WebAuthn: defines a standard Web API built into browsers and platforms to support FIDO authentication.

EverID uses WebAuthn to help users manage assets more easily and securely.

Implementation Mechanism of WebAuthn

In the WebAuthn architecture used by EverID, there are four roles involved, which are

1. Relying Party: The service provider, i.e., the website

2. User: The user who is ready to register or log in.

3. Authenticator: Usually refers to a biometric device built into a mobile phone or computer device, an external USB hardware device, etc., which is responsible for generating secret key pairs and performing asymmetric encryption.

4. User Agent: Usually refers to a browser or an APP application used by the user, which is responsible for interacting with the authenticator.

Each of these roles is critical and their interactions ensure the security of the user's assets.

Similar to wallet generation and signing, WebAuthn is divided into two parts: registration and verification.

• Registration: the process by which the user applies to everPay (the relying party) to add an authenticator

• Verification: the process by which the user authenticates with everPay (the relying party) using the registered authenticator

We will now describe in detail how each of these two parts works.

The initial account registration process

The first time a user uses everPay, he/she can register a FIDO-based EverID account without a wallet address. The process works as follows.

1. open the everPay website in the browser to register EverID

2. the user agent (browser) sends a registration request to everPay

3. everPay returns the relevant registration information (e.g., email address, account name, etc.) to the user agent (browser)

4. the user agent (browser) receives the data and calls the authenticator, which is requested to create a secret pair (pass key)

5. After receiving the request to create a secret key pair, the authenticator (mobile phone or computer device) will ask the user to perform biometric identification or use a PIN code to confirm that the user is present and agrees to register. After verification, the authenticator creates an asymmetric public-private key pair and stores it.

6. After the authenticator creates the secret key pair, it returns the public key and other non-private data to the user agent (browser), which in turn returns it to everPay (the relying party).

7. Once everPay (the relying party) receives the data, it performs a series of checks and verifications to complete the user's enrollment.

As you can see in this process The security of the account is still controlled by a public-private key pair, similar to a wallet, where the private information such as the private key will be stored in the authenticator's device. Better still, users can operate without registering a wallet address, greatly reducing the process of having an account. Next, let's take a look at how transactions are verified when they are sent.

The verification process of initiating a transaction

The process of user transaction is similar to the verification process of wallet address, which mainly consists of signing and verifying the transaction, and the specific operation mechanism is as follows:

1. the user enters the everPay website and initiates a transaction

2. the browser sends an authentication request to everPay, and everPay responds to the user's transaction information

3. the browser passes the transaction information to the authenticator

4. the authenticator receives the request, prompts the user for biometric or PIN verification, and signs the data with the private key saved during registration

5. the authenticator returns the authenticated data and signature to the browser, which in turn returns it to everPay

6. everPay receives the data, verifies that it is correct, and then performs a series of transactions

Why do we need EverID?

Currently, for ordinary users, the threshold of entering the crypto industry is high particularly due the poor interaction experience, users need to spend a lot of time completing the wallet registration, let alone managing their private key, completing the chain transfer, and other complex operations. All these are obstacles to the large-scale adoption of blockchain technology. Compared with the traditional Web3 wallet, EverID has the following advantages:

• Lower user threshold
  Users no longer need to understand the complex blockchain knowledge and backup private key through complicated operations as in the past; EverID simplifies the cumbersome operation process and the cognitive threshold as much as possible while guaranteeing the security of assets through the blockchain technology, you can have a Web3 account by registering through your email address. Web3 accounts can be opened by simply registering via email, allowing more traditional users to experience the new digital financial network of Web3.

• No need to keep the private key In crypto wallet management, the private key held by the user is the only Web3 identity ID and signature method, however, many users are prone to losing or leaking their private keys, which leads to loss of assets.EverID manages the user-created IDs with reliable key preservation technology by using the WebAuthn authentication standard, so that you don't need to bear the burden of private key management anymore. No more private key management burden.

• Better User Experience With EverID, you can quickly access the everPay network and experience real-time, gas-free Web3 transfer transactions.

Future Planning

EverID is still in the BETA stage and needs to be improved according to the market demand and technology development. After that, the EverID team will continue developing the following features:

1. Expanding account types: In addition to the currently supported wallet address and email address, we will continue to expand the support for more account types, such as social media accounts, phone numbers, nicknames, and so on, so that users can choose more convenient ways to authenticate their identity.

2. Improvement of account cancellation and recovery mechanism: In order to ensure the safety and convenience of users' digital assets, we will improve the account cancellation and recovery mechanism. Users can choose to migrate their digital assets or cancel their accounts.

3. Provide SDK service: We will provide SDK service for existing blockchain applications, so that other projects can quickly integrate EverID and facilitate users to manage digital assets.

4. Enable cross-platform sharing: We will work on cross-platform sharing, so that users can use the same EverID identity account for management on different digital asset management platforms, and reduce users' operation costs.

In The End

We believe that Web3's financial infrastructure has the potential to reach the user and transaction volumes of traditional financial services, and serve even more users, and until then, we continue to refine the everPay payment protocol. Lower the threshold of users and provide a more secure service. Let more users take ownership of their assets into their own hands.

🔗 关于 PermaDAO：Website | Twitter | Telegram | Discord | Medium | Youtube