We have three goals for identities on our platform:

  1. Prevent identity hijacking. All E2E chat apps today (including Signal) rely on identity hijacking for account recovery. We take a different approach to account recovery (our backup service) so that we can guarantee to our users that we can't hijack their accounts.
  2. Allow free use for newbies. You'll be able to log in to Comm with your ETH wallet and use your ENS name as your username. But most people have yet to be onboarded to Web3, so we want to offer an alternative that lets people set up an account with a username and password.
  3. Allow pseudonymous use. We don't require linking an email address or phone number.

Log in with ETH

The primary way for users on Comm to register an account is through their ETH wallet. We're looking to integrate with the ongoing work from the login.xyz folks as well as the upcoming WalletConnect 2 launch.

In the initial version, we'll use a simple Message Signing Request to validate that the user controls their ETH wallet. This will be the mechanism for registration, log-in, and account recovery.
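
A sketch of the server side of such a message-signing check, added here as an illustration and not Comm's own code. It shows why the signed message should carry a single-use nonce, an expiry, and the purpose (registration, log-in, or recovery), so that one signature cannot be replayed or reused for a different action. The names `ChallengeStore`, `build_message`, the message layout, and the injected `recover_signer` callable (standing in for a wallet library's signature-recovery function) are assumptions.

```python
import secrets
import time

PURPOSES = ("register", "login", "recover")  # the three uses named in the text


def build_message(domain, address, purpose, nonce, issued_at):
    # Constructed layout for illustration; not the EIP-4361 grammar.
    return (f"{domain} asks you to sign this message to {purpose}.\n"
            f"Account: {address}\nNonce: {nonce}\nIssued at: {issued_at}")


class ChallengeStore:
    """Issues single-use, expiring challenges and checks the signed reply."""

    def __init__(self, domain, recover_signer, ttl=300, clock=time.time):
        self.domain = domain
        # Assumption: recover_signer(message, signature) -> "0x..." address,
        # e.g. a wrapper around a wallet library's signature recovery.
        self.recover_signer = recover_signer
        self.ttl = ttl
        self.clock = clock
        self.pending = {}  # nonce -> (address, purpose, message, expires_at)

    def issue(self, address, purpose):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        nonce = secrets.token_hex(16)
        issued_at = int(self.clock())
        message = build_message(self.domain, address, purpose, nonce, issued_at)
        self.pending[nonce] = (address.lower(), purpose, message,
                               issued_at + self.ttl)
        return nonce, message

    def verify(self, nonce, signature, purpose):
        # pop() burns the nonce on every attempt, so a captured reply
        # cannot be replayed even if this attempt fails.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return "unknown_nonce"
        address, issued_purpose, message, expires_at = entry
        if self.clock() > expires_at:
            return "expired"
        if purpose != issued_purpose:
            return "wrong_purpose"  # a login signature must not authorize recovery
        # The signature is checked over the message the server stored,
        # never over text echoed back by the client.
        if self.recover_signer(message, signature).lower() != address:
            return "bad_signature"
        return "ok"
```

The client receives the nonce and message from `issue`, has the wallet sign the message, and returns the nonce and signature to `verify`.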

Log in with username / password

As an alternative for Web3 newbies, we'll allow people to sign up for a Comm account using a username / password combo. We're still figuring out a long-term plan for avoiding naming collisions with other name systems we may want to integrate with.

In order to avoid leaking passwords to our backend services, we'll use an asymmetric PAKE (OPAQUE specifically) to verify credentials.

Identity hijacking

On-chain identities are impossible to hijack. Logging in with ETH solves this trivially, but we also want to solve it for the username / password case. We're still thinking through the solution there, but it will probably involve roll-ups.