SteemConnect V3 Beginner's Guide

in #hive-111390, 8 months ago (edited)

image.png

SteemConnect was the first tool created as a standard interface for integrating sign-ins into the various dApps of the Steem ecosystem, and for managing the posting authorizations users grant to those dApps.

It was initially created by the Busy team with the backing / endorsing of the Steemit team and, as far as I know, in a Steemit repository.

image.png

I don't know who manages the repository now, but on the SteemConnect site we can see the contributors, led by @fabien.

What I know is that they have an SPS proposal, added by @fabien about 5 months ago, which as far as I remember has never been funded during this period, but has always had quite high support.

Among the deliverables they list, should the Steem proposal be accepted, is this:

Make interface more friendly, improve naming

And I find this very important, because between V2 and V3 of the interface, security was increased, but at the expense of UX, which dropped significantly.

At the same time, one other reason I find that SteemConnect should receive funding is that we need it as an alternative to the ever more popular Steem Keychain, which I admit I prefer as well, in their current states. But such important interfaces need viable, secure and easy to use alternatives!

After these initial considerations, let's go back to our guide.

Before we start, if you are new to Steem or still have trouble understanding how the private keys work, I advise you to read this page (you can put your own username in the link instead of mine if you want a personalized page), where the Steemit team has done quite a good job explaining them, in my opinion. If you still have questions about this or other Steem-related subjects, you are always welcome to ask in the SteemHelp community.

Using SteemConnect - Introduction

In the screenshot above from the homepage of SteemConnect we can see:

With SteemConnect, you're always in control of your private keys: we neither store nor have access to them.

What they mean is that they don't store your private keys on their servers, nor can they access them when you store them encrypted on your computer through one of the options available.

There are four ways you can use SteemConnect:

  1. without storing any private key, and entering it every time you are asked
  2. by storing your private posting key encrypted on your computer and entering a password instead of the private posting key itself
    2.1. using the desktop app
    2.2. using the browser extension (only for Chrome)
    2.3. using the browser's local storage (gets "cleaned" by tools like CCleaner, so you'll have to re-store the keys after using such tools)

Let's take them one by one.

Unlike Steem Keychain which was designed to store any private key except the owner private key, SteemConnect is designed to store only the private posting key, which is used more often and has fewer permissions than the active key.

For the cases when one needs to enter the private active key for the same account, it's better to do it just once, without storing the private key, that is, using option 1 above.

Using SteemConnect without Storing the Private Key

Let's say I want to log in to busy.org. After clicking log in, I am redirected to SteemConnect, which greets me with this page:

image.png

which tells me who (busy.org) wants to do what (log in request - requiring private posting key).

It is a good general practice to check the URL such requests come from and that the connection is secure:
image.png

Then I click on Continue and I'm asked to enter my Steem username and either my Steem password (i.e. master password) or a private key. I never enter my master password, though that's a matter of habit: it isn't transmitted anywhere; in this case it is only used locally to derive the required private key from it.

Personally I prefer to enter the private key directly. In this case I know the private posting key was required (the previous page told me so), so I entered that.

image.png

I don't tick the 'Keep the account on this computer' checkbox, because I don't want to store my private key in this case.

Then I click Get Started.

Now we have two possibilities. If I previously allowed Busy.app to have the posting authority for my account, then I'll see this step directly:

image.png

I click on Log in and the login process is finished. Still seems kinda long, huh?

Well, it's longer if the dApp doesn't have my posting authority, and that's the second possibility.

Posting authority allows a dApp to post on your behalf. It's the only way you can post something or vote through a dApp without being asked to enter your private posting key every time.

I'll revoke my posting authority to busy.org (you'll see how later), then go over the sign in process again.

When I reach the "Get Started" button and click it, instead of going to the page above there are a few more steps, during which I am required to grant posting authority to busy.app. Here's how it goes:

image.png

Firstly, just like when I began the log in process, I am told what we are doing: authorize busy.app to post on my behalf. If I hit Continue (and I will), I will need my private active key to finish this operation of granting busy.app posting authority.

I am already familiar with this page, requiring me to enter the username and private key, except now I need my private active key, not the posting key to complete it.

image.png

After clicking "Get started", I am presented with a final page where I have to decide whether or not to authorize busy.app to post on my behalf.

image.png

When I hit "Authorize" the authorization is broadcast to the blockchain, and the login process continues with the last step I described above, the one for when I didn't also have to grant posting authority.

Using SteemConnect and Storing Your Private Posting Key Encrypted on Your Computer

I listed three options above for storing your private posting key with SteemConnect. Let's recall them:

  • using the desktop app
  • using the browser extension (only for Chrome)
  • using the browser's local storage (gets "cleaned" by tools like CCleaner, so you'll have to re-store them after using such tools)

Essentially, the main difference between the three options is the availability of your stored private posting key.

If you use the browser's local storage -- meaning you don't download any extension nor install any desktop app -- the drawback is that tools that do maintenance tasks on your computer, such as CCleaner, will empty this browser local storage. At least it does for me (I know it should be persistent), and I end up re-storing my accounts for SteemConnect after I use CCleaner.

The browser's local storage is also linked to the browser used. When you switch the browser, you need to add the accounts for that browser as well.

The latter issue would apply to the extension as well, except that SteemConnect has only one extension so far, for Chrome (with a Firefox extension planned in their Steem proposal).

The desktop app, on the other hand, doesn't depend on the browser, but some people may not like installing new desktop apps on their systems.

I haven't installed the Chrome extension, but the desktop app and the process through the SteemConnect website with the browser's local storage work almost the same way from a user's perspective.

I'll describe it for the browser's local storage case, since it's probably the most commonly used.

Let's log in to the busy.org interface again, but this time I'll store the account I use, so I can reuse it the next time I need its private posting key.

I go through the login process as before, up to this page:

Except now, instead of clicking on Get Started, I tick the checkbox to 'Keep the account on this computer'. The button's text also changes to 'Continue', and I click it.

image.png

On the next page, I'm asked to enter and confirm a keychain password, which is required to "unlock my account for usage".

Please note that this is SteemConnect keychain, it has nothing to do with Steem Keychain! Also note that this is not your Steem master password nor one of the private keys of your account!

Just choose a random but secure password. Best to use a random password generator for this; you can easily find plenty of them online.

Tip: If you are extra cautious, use different passwords for your different stored accounts. But for a better user experience you can use the same password for all your stored accounts. Steem Keychain only has one password with which you unlock it, not one password for each account, so that would be similar.

After I entered and confirmed my password,

image.png

I finally click on Get started. And then I continue the log in process.

What happens the next time I try to log in? I have a list of usernames to choose from, and my newly stored account is right there.

image.png

Instead of entering my username, I choose it from the list, and I don't have to enter the private posting key either, but I do have to enter the SteemConnect keychain password associated with the stored account. To make this easier, apply the tip above so you only have one password to handle, but make it a strong one.

Other than that, the login process is the same, except the button now reads "Log In" instead of "Get Started".

But what if you need to log in with a different account, which is not in the list of accounts you have stored?

That's a good question. Once you store at least one account on SteemConnect keychain, you are presented with a list of usernames to choose from, and no obvious way to enter a new account.

Well, to do that, you have to choose the "Import" button at the bottom:

image.png

That will bring you to the page from where you can add a new account or just log in with a new account, as shown at the beginning.

What if I need to complete an operation which requires my private active key, and I have my account stored with my private posting key, as instructed before?

SteemConnect is best suited to store your private posting key. So what happens if you store it, but you need to complete a STEEM transfer transaction, or a power up, or a delegation, or a less often used operation like granting or revoking the posting authority, like we have seen above?

Then you need to enter the private active key once, to complete the transaction, but without storing it.

To do that, you choose the "Import" button, as shown at the previous question, and continue by adding your username and private active key, and without ticking the checkbox to 'keep the account on your computer', because you already have it stored on your computer, with the private posting key.

Can I remove one of my stored accounts?

Yes, you can. Choose Settings at the bottom of any page in this process:

image.png

On the page that shows up, click Accounts at the top:

image.png

Then click on the garbage can at the right of the account you want to remove.

image.png

That's it!

Revoking posting authority in SteemConnect V3

First of all, when would you need to do such a thing?

Well, it doesn't hurt to do it every once in a while. Some projects end up dead or broken and it's a security risk for you to keep granting them your posting authority.

Other projects end up rogue or get hacked. It's important to revoke their posting authority ASAP.

In general, revoke posting authority for all (d)Apps you don't use often. The worst that can happen is that you'll be asked to re-authorize them the first time you use them again.

I'll describe this process using the example I presented throughout the guide: busy.org.

Let's revoke the posting authority I granted to busy.app for my account.

For that we go to this link (I'm not aware of a way to reach the link through the interface):
https://beta.steemconnect.com/auths

We will be required to log in to SteemConnect, with the private posting key.

Once logged in, I see a list of the dApps I granted posting authority to. One of them is busy.app. I'll revoke it by simply clicking on the Revoke button at the right.

image.png

The operation requires the same key level as the one needed to grant posting authority, meaning the private active key, as I'm informed here:

image.png

After I click Continue, on the next page I enter my account username and my private active key and click Get Started.

image.png

A final page informs me that clicking "Revoke" will actually revoke the posting authority, which I did.

image.png

You can check the transaction on the blockchain if you are curious or extra cautious; a link to it is shown at the end of the operation.
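Granting and revoking posting authority, as described in this section and in the "Posting authority allows a dApp to post on your behalf" paragraph earlier, shows up in your account's on-chain state: the dApp's account is added to (or removed from) the account_auths list of your posting authority. The following added example is mine, not SteemConnect's or Steem's code. It audits that list from the shape returned by the public condenser_api.get_accounts RPC method (on a live node, a JSON-RPC POST to an endpoint such as https://api.steemit.com), flags apps you no longer use, and shows the posting authority a revoke has to write back. The response object, the account "alice", the app "some.dead.dapp" and the public key are constructed placeholders.

```javascript
// CONSTRUCTED response in the shape of condenser_api.get_accounts(["alice"]).
// Only the fields this example needs are included.
const SAMPLE_GET_ACCOUNTS_RESPONSE = {
  jsonrpc: "2.0",
  id: 1,
  result: [
    {
      name: "alice",
      posting: {
        weight_threshold: 1,
        // [account, weight] pairs: each account listed here can sign
        // posting-level operations (post, vote, comment) on alice's behalf.
        account_auths: [["busy.app", 1], ["some.dead.dapp", 1]],
        // [public key, weight] pairs: alice's own posting public key.
        key_auths: [["STM_PLACEHOLDER_POSTING_PUBKEY", 1]],
      },
    },
  ],
};

// Names of all accounts that currently hold posting authority for the account.
function listPostingAuths(response) {
  return response.result[0].posting.account_auths.map(([name]) => name);
}

// Auths not on your list of apps still in use: candidates for revocation,
// following the guide's "revoke what you don't use often" advice.
function staleAuths(response, appsStillInUse) {
  const keep = new Set(appsStillInUse);
  return listPostingAuths(response).filter((name) => !keep.has(name));
}

// The posting authority a revoke must write back. An account_update operation
// replaces the whole posting authority, so weight_threshold and key_auths are
// carried over unchanged: dropping your own key here would lock you out of
// using your posting key.
function postingWithoutApp(posting, appToRevoke) {
  return {
    weight_threshold: posting.weight_threshold,
    account_auths: posting.account_auths.filter(([name]) => name !== appToRevoke),
    key_auths: posting.key_auths.slice(),
  };
}

// Check to run on the account state fetched after the revoke transaction:
// the app must be gone and your own key must still be present.
function revokeTookEffect(response, appRevoked) {
  const posting = response.result[0].posting;
  const stillAuthorized = posting.account_auths.some(([name]) => name === appRevoked);
  return !stillAuthorized && posting.key_auths.length > 0;
}

// Demo: audit, then simulate the account state after revoking the stale app.
const stale = staleAuths(SAMPLE_GET_ACCOUNTS_RESPONSE, ["busy.app"]);
const afterRevoke = {
  result: [{
    ...SAMPLE_GET_ACCOUNTS_RESPONSE.result[0],
    posting: postingWithoutApp(SAMPLE_GET_ACCOUNTS_RESPONSE.result[0].posting, stale[0]),
  }],
};
console.log("posting auths:", listPostingAuths(SAMPLE_GET_ACCOUNTS_RESPONSE));
console.log("stale auths to revoke:", stale);
console.log("revoke took effect:", revokeTookEffect(afterRevoke, stale[0]));
```

Running the audit before and after the revoke described above is the programmatic equivalent of checking the transaction on the blockchain: the list at /auths is just a rendering of account_auths, so the name of the app you revoked must have disappeared from that list while your own posting key stays in key_auths.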

image.png

Final Words

SteemConnect should be familiar to most steemians, but for new users learning how to use it can be challenging, and I've seen not-so-new users who aren't very familiar with it either.

While Steem Keychain is easier to use, there are websites which don't support it and there were situations when small bugs appeared (as they do in SteemConnect too) which made it unusable for a short period of time or for a certain website.

It's important to have a secure, up-to-date and easy to use alternative for whatever reasons. And to know how to use it.


Thank you for this educative and comprehensive tutorial @gadrian.

It should be added that, currently, SteemConnect is the only way to authenticate without entering your private key on smartphones, as Chrome extensions are not supported on mainstream Android browsers.

Thank you for adding this information @arcange! There is SteemWallet app created by @roelandp, with Steem Keychain, if using its embedded browser. I haven't tested it though.

Can anyone explain why Busy.org and Steempeak.com do not have one simple option of login with a posting password?

Let me try.

Every time you do something on the blockchain with your account, your (appropriate) private key is verified to see if you have the right to do so with your account. The blockchain doesn't know it's your account unless it verifies this way.

On general Steem interfaces (like Busy or Steempeak you mentioned), you need to do many operations: log in, post, vote, comment, maybe vote for witnesses and so on. Each of these operations needs to be verified.

Without a mechanism to make things easier, this would make the entire user experience a living hell, with you needing to confirm every single minor transaction (operation).

Now, there are two ways of making things easier.

  • the SteemConnect way
  • the Steem Keychain way

In the SteemConnect way, you AUTHORIZE an application of your liking (Busy, Steempeak or another) to post on your behalf.

While this may seem more than needed, it is one way to effectively just log in to your application and start doing things like posting and voting and commenting, without dealing with confirming transactions every time. But you have to authorize the application first to post on your behalf, and for that you need your private active key, and that is a one-time operation.

In the Steem Keychain way, you don't give any authorization to any application, and for every operation the Steem Keychain browser extension will act as a middle man between you and the application. And every time when the interface asks for the needed private key verification, Steem Keychain verifies it and returns a result to the application.

On Steem Keychain you can decide whether you are asked every time to confirm all operations for a given application (website), or allow an operation and let Steem Keychain know to do the same with all future operations from the same application (logins, posts, comments, votes).

In the future there may be a way for these applications to have simpler user interfaces for a category of users which don't have a full blockchain account (yet), but use the application.

I hope I haven't lost you with an explanation that was more detailed than what you might be looking for.

Thanks for the effort, @gadrian, but I did not ask how the apps are working. My question was: “why Busy.org and Steempeak.com do not have one simple option of login with a posting password?” You know, just for posting and voting, like you can do it at the official Steemit.com page.

You mean without SteemConnect, to enter the private key directly?

Yes.

Because that's not safe/recommended.

I would understand if you said "more convenient", @gadrian, but… Why would one password on SteemConnect be more secure than four different level passwords at Steemit security management? What if the user exposes this one password to smartphone data thieves?

Why not leave the option just for posting password for those who want to live dangerously? Like we did do it on Steemit.com? Why not let people decide on their own what is more secure for them?

Why would one password on SteemConnect be more secure than four different level passwords at Steemit security management?

The private keys are encrypted on your own device. Someone needs access to your device, and nobody is crazy enough to even bother trying to break the encryption. That's why the most common attack vector is phishing or hunting user errors.

Plus, if you had read my guide you would know that on SteemConnect only the private posting key is stored, not any of the others.

Why not let people decide on their own what is more secure for them?

Most people don't give importance to security until they lose their accounts and it may be too late for them.

The most dangerous thing to a user's account is the user himself.

If you want to live dangerously, be my guest, but overall an application has to take a responsible approach.

This is exactly what we need on STEEM! More tutorials and HowTo's... In this case, SteemConnect isn't really user-friendly, so thanks in the name of all newbies!
Made in Canva

@thisisawesome Moderator

This is Awesome Content, and it will be manually curated with an upvote of 65% from @thisisawesome (will be done today), and it will also be included in our Awesome Daily report in category Awesome CTP Curation for more visibility.

The goal of this project is to "highlight Awesome Content, and growing the Steem ecosystem by rewarding it".

That's true, it's not user friendly, and even more, I've seen more than once users confused about how to handle situations like using their private active key to complete an operation which requires it, when they already have an "account saved", obviously with its private posting key.

@tipu curate :)

Upvoted 👌 (Mana: 0/3 - need recharge?)

Thanks, appreciate it!