Skip to content

The login process

The process of authentication is complicated for both the end-user and the developer. Due to eavesdropping by clever hackers, a simple username and password is considered insufficient to truly prove you are you.

The most complicated part for developers is keeping the user experience from becoming too cumbersome to use. This goes double for cases where you want to know the correct person is logging in, but without ever looking at their ID. It's even more complicated if you don't plan on storing their ID information in any databases.

This is where the Unbox/XYZ value proposition comes in, for both the developer and the end user: an anonymous login with no passwords. That is, giving the end user the ability to log in anonymously while certifying they are who they say they are, such that the funders can be sure they're funding the right person.

This is accomplished on the back end using the classic OAuth 2.0 Authorization Code Flow, except with the added level of security provided by Proof Key for Code Exchange (PKCE).

Meanwhile, on the front end, instead of a username and password, the end-user uses their mobile device to anonymously submit proof of identity in the following manner.