Tags: .net, asp.net-core, asp.net-core-identity

WEB3 authentication flow


I'm currently developing a dapp in .NET. I'm using the request accounts and personal sign, so I get the user's address and encrypted signature. Then I sign him in via Identity. It works. But my question is about the security; I think that's not exactly safe? Should I add some more security steps? For example, add nonces or the current date to the message, and then when the user logs in check if it's the same as he signed the first time? I mean, how do I guarantee that someone who is impersonating someone's address is not gonna log in as him? For now the signed message will be different because of different private keys used to encrypt the message in personal sign. But maybe a hacker can impersonate both the address and the signed message?

Thanks for the help, and I would be grateful for some documentation or books.


Solution

  • I think that's not exactly safe? Should I add some more security steps?

    Actually, application security itself is a big topic which covers a diverse scope. Although there's no straightforward answer or solution to your concern, there are a lot of steps or mechanisms out there we could consider in order to ensure application security.

    Should I add some more security steps? For example add nonces or current date to message, and then when user logs in check if it's the same as he signed in first time?

    Well, the more security steps, the less chance to have security holes. Instead of only the current date you could also include a nonce or timestamp in each authentication request to prevent replay attacks. This ensures that each signed message is unique, even if it's signed with the same private key.

    But maybe hacker can impersonate both address and signed message?

    If your application is publicly open then you could consider multi-factor authentication to add an additional layer of security. This could involve a combination of something the user knows (password), something the user has (device), or you can even whitelist IPs and bind the complex user info, and before allowing login to your system you could match them all.

    For instance, you can check the user's IP, device info, and browser info and then read those while authorizing the user. You can do it as follows:

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;

    // Hypothetical DTO for the captured client details; the original post did not show its definition.
    public class DeviceInfo
    {
        public string IpAddress { get; set; }
        public string BrowserInfo { get; set; }
        public string CombinedIdentifier { get; set; }
    }

    private Task<DeviceInfo> GetCurrentDeviceIdentifier(HttpContext httpContext)
    {
        // Browser details come from the User-Agent header (client-controlled, so treat it as a hint, not proof).
        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();

        // The client's IP as seen by the server. Behind a reverse proxy, enable the ForwardedHeaders
        // middleware so this reflects the real client rather than the proxy. Querying an external IP
        // service from the server would return the server's own public IP, not the user's.
        var ipAddress = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";

        // Combined identifier that can be hashed and compared against the value recorded at first login.
        var combinedIdentifier = $"{ipAddress}_{userAgent}";

        // A web server cannot read the browser's MAC address over HTTP, so no MAC field is populated here.
        var deviceInfo = new DeviceInfo
        {
            IpAddress = ipAddress,
            BrowserInfo = userAgent,
            CombinedIdentifier = combinedIdentifier
        };
        return Task.FromResult(deviceInfo);
    }
    

    Output: (screenshot of the captured device info; image not available)

    Note: The above way would attach an additional security layer within your application.

    Another important thing I would personally point out to you is that an anonymous user or stranger's login attempt is not just for getting access; they would probably want to take away your data. So never keep the data simple as an ID or similar to this, so that once they change to the next ID they get the data there. No, never. Encrypt it so that even if they can access it, only one piece of data can be exposed, not all.

    However, as I told you, it's a huge amount of stuff to deal with; you gradually need to think of it, and continuous improvement could make the system more secure and stable.
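The nonce-based replay protection the answer recommends, worked through as an added example (this is not the asker's or the answerer's code). It assumes the Nethereum.Signer NuGet package for EIP-191 `personal_sign` recovery; the dapp name, message text and five-minute TTL are illustrative choices.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using Nethereum.Signer;

// Challenge/response wallet sign-in: the server issues a random, single-use, expiring nonce,
// the wallet signs a message containing it, and a captured signature cannot be replayed.
public sealed class SignInChallengeService
{
    private readonly ConcurrentDictionary<string, (string Address, DateTimeOffset ExpiresAt)> _pending =
        new(StringComparer.OrdinalIgnoreCase);
    private readonly TimeSpan _ttl = TimeSpan.FromMinutes(5); // assumed challenge lifetime
    private readonly EthereumMessageSigner _signer = new();

    // The exact text the wallet signs; binding dapp name, address and nonce scopes the signature to this login.
    public static string BuildMessage(string address, string nonce) =>
        $"Sign in to ExampleDapp\nAddress: {address}\nNonce: {nonce}";

    // Step 1: client asks for a challenge; the server records the nonce with the claimed address and expiry.
    public string IssueChallenge(string claimedAddress)
    {
        var nonce = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        _pending[nonce] = (claimedAddress, DateTimeOffset.UtcNow.Add(_ttl));
        return nonce;
    }

    // Step 2: succeed only if the nonce is known, unexpired, issued for this address, and the recovered
    // signer equals the claimed address. The nonce is removed first, so replaying the same signature fails.
    public bool TryCompleteSignIn(string claimedAddress, string nonce, string signature)
    {
        if (!_pending.TryRemove(nonce, out var challenge)) return false;
        if (DateTimeOffset.UtcNow > challenge.ExpiresAt) return false;
        if (!string.Equals(challenge.Address, claimedAddress, StringComparison.OrdinalIgnoreCase)) return false;
        string recovered;
        try { recovered = _signer.EncodeUTF8AndEcRecover(BuildMessage(claimedAddress, nonce), signature); }
        catch (Exception) { return false; } // malformed or wrong-length signature
        return string.Equals(recovered, claimedAddress, StringComparison.OrdinalIgnoreCase);
    }

    // Demo: a locally generated key stands in for the browser wallet; the second call is a replay.
    public static void Main()
    {
        var service = new SignInChallengeService();
        var wallet = EthECKey.GenerateKey();
        var address = wallet.GetPublicAddress();
        var nonce = service.IssueChallenge(address);
        var signature = new EthereumMessageSigner().EncodeUTF8AndSign(BuildMessage(address, nonce), wallet);
        Console.WriteLine($"first attempt: {service.TryCompleteSignIn(address, nonce, signature)}");
        Console.WriteLine($"replay attempt: {service.TryCompleteSignIn(address, nonce, signature)}");
    }
}
```

In the real flow, the browser obtains the nonce from an endpoint, passes the built message to `personal_sign`, and posts the signature back; only after `TryCompleteSignIn` returns true should the user be signed in via Identity.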