As the developers announced earlier, the new login feature was due to be released for two platform versions of the blockchain messenger: the iOS and Web applications of ADAMANT.
Now that the user community has already seen this feature after the latest iOS update, it only remained to wait for the update to the PWA version. Finally, tonight, the next update on this topic was released on the project’s official blog.
Note: PWA stands for Progressive Web Application, a version of the app that can be used in any up-to-date browser.
As stated in the release, the new login option provides an extra level of encryption and makes logging in easier. Now, when a user opens the tab, he or she doesn’t have to enter a passphrase each time.
It’s worth recalling that an account in the messenger called “ADAMANT” is created with only a 12-word passphrase, just like in most cryptocurrency wallets. No emails or phone numbers are needed. Representatives of ADAMANT call it the best way to use the messenger anonymously and securely, without depending on email services or mobile operators. So, previously, each user often had to type his or her long phrase of words to log into the account.
What good is a password?
“Logout on tab close” is ADAMANT’s option by default (you can find it in Settings). It means that you have to enter your passphrase each time after closing the tab.
Previously, if you chose not to log out (unchecked the checkbox), the browser locally stored all the data on the user’s device (including the passphrase). When the user opened the tab again, he was logged in automatically. It’s easier but less safe: an intruder could gain access to the account if he gets physical access to the device. Now ADAMANT’s PWA is safer: users with the “Logout on tab close” option turned off will be required to enter the password.
For the unpleasant case where a user forgets the password, the developers, having noted the mistakes of other social networking and messaging projects, put the passphrase above all. Thus, you can reset the password with it when you need to.
Some technical details from introduced source code
It is hard to forget about geeks, so here are some details on how it works on the inside:
When a password is assigned, the PWA calculates a special PBKDF2 hash, which is used to encrypt the passphrase and the user’s local data with nacl.secretbox.
Because of the limitations of the browser’s Local Storage, storage was moved to IndexedDB. This allowed the devs to increase the encryption speed.
This means that when a user is using a password, the correspondence is stored locally and encrypted. The security of this data depends partly on the complexity of your password.
When you (theoretically) are not using a password, the web application will not be storing data on the device. But you should remember that data is always stored in your browser (in the Session Storage) while the application is working. It is cleaned when you’re closing the tab. However, in case of an unexpected power outage, it might not happen.
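The password-based encryption described above, sketched as an added example (this is not ADAMANT's source code). The iteration count, salt size and hash function are assumptions, since the article does not state them, and Node's built-in ChaCha20-Poly1305 stands in for nacl.secretbox (XSalsa20-Poly1305) so the sketch runs without extra libraries.

```javascript
// Added example: wrapping a passphrase under a password-derived key.
const crypto = require('crypto');

// Assumed parameters; the article does not give ADAMANT's actual values.
const KDF = { iterations: 100000, keyLen: 32, digest: 'sha512', saltLen: 16 };
const AEAD = 'chacha20-poly1305'; // stand-in for nacl.secretbox

// PBKDF2 stretches the password into a 32-byte symmetric key.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, KDF.iterations, KDF.keyLen, KDF.digest);
}

// Returns the record that would go into local storage (IndexedDB in the PWA).
// It holds salt, nonce, ciphertext and tag, never the password or the key.
function sealPassphrase(password, passphrase) {
  const salt = crypto.randomBytes(KDF.saltLen); // fresh salt per record
  const nonce = crypto.randomBytes(12);         // fresh nonce per encryption
  const cipher = crypto.createCipheriv(AEAD, deriveKey(password, salt), nonce,
    { authTagLength: 16 });
  const box = Buffer.concat([cipher.update(passphrase, 'utf8'), cipher.final()]);
  return { salt, nonce, box, tag: cipher.getAuthTag() };
}

// Returns the passphrase, or null if the password is wrong or the record
// was modified (the authentication tag no longer verifies).
function openPassphrase(password, rec) {
  const decipher = crypto.createDecipheriv(AEAD, deriveKey(password, rec.salt),
    rec.nonce, { authTagLength: 16 });
  decipher.setAuthTag(rec.tag);
  try {
    return Buffer.concat([decipher.update(rec.box), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample values, not a real account.
const SAMPLE_PASSPHRASE =
  'alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima';
const record = sealPassphrase('Str0ng!Passw0rd#2019', SAMPLE_PASSPHRASE);
console.log(openPassphrase('Str0ng!Passw0rd#2019', record) === SAMPLE_PASSPHRASE);
console.log(openPassphrase('123456', record));
```

Anyone who copies the stored record can test password guesses offline, which is why the strength of the password and the cost of the key derivation decide how well the local data is protected.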
An important thing
A password is more convenient than a passphrase. But users have to use a really strong password if they want an adequate level of security. Intruders can capture a password in unsafe environments or get it using social engineering. For such cases, recall the “Secure Messengers Do Not Exist” article in ADAMANT’s blog, where everything is well explained.
Also, here are some cybersecurity notes from the official release:
- when you create a password, it is recommended to use a combination of upper and lower case letters, numbers and symbols;
- do not use same passwords for different sites, apps and services;
- do not use obvious passwords such as phone numbers, birth dates, names of relations or easy-to-remember keyboard combinations.
More common-sense security rules:
- When you use the PWA, you have to be sure that you trust your browser and OS;
- In case of a power outage, the user’s data (including the passphrase) could remain saved on the PC or in the browser;
- Physical access to your device is the real issue. Use passwords and lock all your devices when you’re not using them. Turn on encryption for hardware.
How to set the password?
If you use this blockchain messaging application, here are some tips on how to set up a custom password using this feature:
1. Go into the Settings:
2. Use the “Logout on tab close” checkbox:
3. The window for setting a password will appear. Enter a strong password and accept the security agreement:
4. Now you can access the ADAMANT Messenger using a password if you close the tab:
5. Forgot your password? Use the link below to remove it (passphrase required).
When you log in using a password, you are aware of the possible reduction in the level of security.
It is also recommended to find out more on ADAMANT Messenger Terms of Service.
This and other versions of apps can be found on the main site of the project: https://adamant.im/#adm-apps