Welcome to the Blobaa Demonstrator.
Below you can find use case demonstrations using the Blobaa authentication mechanisms.
The Travel Draw demo shows a use case in which the Blobaa authentication mechanisms are used first to verify a company and then to authenticate a user to that company with a set of certified data.
The hypothetical online shop MyShop has published a travel draw in which the pre-registered user Max Mustermann (a user with a set of certified data, authenticated by a trustworthy authority) wants to participate. To do so, he uses the Blobaa app to scan a QR code published on the website or on a poster. The app automatically verifies the QR code and displays the collected data to the user. Max can then decide whether he wants to submit the requested authentication data to participate in the draw. If so, he confirms the authentication request and the app sends the requested data to the shop. If all goes well, the user is now registered and can see his submitted data in the MyShop Admin Panel.
You can find a deeper technical description within the Travel Draw documentation page.
To try it out and impersonate Max Mustermann, follow these steps:
With this type of authentication a user can be sure that the company MyShop GmbH is valid and authentic. On the other hand, the company MyShop GmbH can be sure that the transmitted data is also authentic. As a side effect, a user can disclose (subsets of) certified data in a self-controlled and simple way.
In a fraud targeting applications for Corona Emergency Aid, the complete website of the NRW Ministry of Economic Affairs was copied, manipulated and hosted under a different domain, and the data of up to 3,500 to 4,000 applicants was captured. See WDR (German)
It is likely that this data was then meant to be entered, with modified account details, on the actual application page in order to obtain the emergency aid. See Merkur (German)
The fake website was accessible under the domain: wirtschaft-nrw.info and impersonated the official website: www.wirtschaft.nrw. The authenticity of the website could therefore have been verified by comparing the current website domain with the official one.
This is where the Blobaa project could be used as a second security factor. If the domain of a website had been signed by a trustworthy entity and made available on the website via a QR code, a website visitor could have scanned this QR code with the Blobaa app. The app could then have checked the authenticity of the QR code and shown the official domain with a hint to compare the current domain with the one displayed. If the domains did not match, the visitor would have noticed that they were on a fraudulent website and could have reacted accordingly.
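The check described above, as an added example that is not Blobaa's own code or protocol: it assumes the QR code carries a JSON payload signed with Ed25519, and the function names, payload layout and generated key pair are constructed for illustration. It also assumes the app is given the visited URL so the comparison can be done in code, and it shows why the comparison matters: a genuine QR code copied onto a cloned site still verifies.

```javascript
// Added example, not Blobaa's protocol or QR format (assumed: Ed25519-signed JSON).
const crypto = require('crypto');

// Constructed key pair standing in for the trustworthy signing entity.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Issuer side: sign the official domain; the result is what the QR code would carry.
function issueQrPayload(domain, key) {
  const body = JSON.stringify({ domain });
  const sig = crypto.sign(null, Buffer.from(body), key).toString('base64');
  return JSON.stringify({ body, sig });
}

// Normalise a host name for comparison: lower case, punycode form, no trailing dot.
function normaliseHost(host) {
  return new URL('https://' + host).hostname.replace(/\.$/, '');
}

// App side: verify the signature first, then compare signed and visited domains.
function checkSite(qrPayload, visitedUrl, trustedKey) {
  let body, sig;
  try {
    ({ body, sig } = JSON.parse(qrPayload));
    if (typeof body !== 'string' || typeof sig !== 'string') throw new Error('shape');
  } catch {
    return { status: 'invalid-qr' };
  }
  const signed = Buffer.from(body);
  if (!crypto.verify(null, signed, trustedKey, Buffer.from(sig, 'base64'))) {
    return { status: 'invalid-qr' };
  }
  const official = normaliseHost(JSON.parse(body).domain);
  const visited = normaliseHost(new URL(visitedUrl).hostname);
  return { status: official === visited ? 'match' : 'mismatch', official, visited };
}

// The genuine QR code, seen once on the official site and once copied to the clone.
const qr = issueQrPayload('www.wirtschaft.nrw', privateKey);
console.log(checkSite(qr, 'https://www.wirtschaft.nrw/', publicKey));
console.log(checkSite(qr, 'https://wirtschaft-nrw.info/', publicKey));
```

A payload signed by any key other than the trusted one is rejected before the domains are compared, so an attacker cannot make the app display the fraudulent domain as the official one.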
You can find a technical description within the documentation page.
Try it out: