Welcome to the Blobaa Demonstrator.
Below you can find use case demonstrations using the Blobaa authentication mechanisms.

Travel Draw

The Travel Draw demo shows a use case where the Blobaa authentication mechanisms are used to firstly verify a company and secondly authenticate a user to that company with a set of certified data.

The hypothetical online shop MyShop has published a travel draw in which the pre-registered user (a user with a set of certified data, authenticated by a trustworthy authority) Max Mustermann wants to participate. To do so, he scans a QR code published on the website or a poster with the Blobaa app. The app automatically verifies the QR code and displays the collected data to the user. Max can then decide if he wants to submit his requested authentication data to participate in the draw. If so, he submits his data by confirming the authentication request and the app sends the requested data to the shop. If all went well, the user is now registered and can see his submitted data in the MyShop Admin Panel.

You can find a deeper technical description within the Travel Draw documentation page.

To try it out and impersonate Max Mustermann, follow the following steps:

  1. Open the Travel Draw Poster or go to the MyShop Draw Webpage.
    • The poster page simulates the announcement poster for the travel draw. It could be attached to a wall in a real world scenario.
  2. Scan the QR Code with the Blobaa app or send the QR Code data to the Demo Web App by click on the Blobaa app link next to the QR Code.
    • Since this is only a demonstration and the pre-registered user is a hypothetical person, a demo web application is provided to process the demo scenario without needing to install the Blobaa app. It uses the same logic as the real app.
    • The app verifies the information stored in the QR code and proves the authenticity of MyShop GmbH via the Attestation Protocol.
  3. Check the requested authentication data and confirm the data request (password: 1234)
    • To confirm the requested data, you must enter an app password. This ensures that no other user can confirm your data. Enter the default password: 1234
    • By confirming the transmission of the requested data, the app creates a claim based on the Claim specification, signs it as described in the Attestation Protocol and sends it to the MyShop backend.
  4. Backend verifies request
    • The backend verifies the received data (again with the help of the Claim and Attestation Protocol) and shows the registered users on the Admin Panel.

With this type of authentication a user can be sure that the company MyShop GmbH is valid and authentic. On the other hand, the company MyShop GmbH can be sure that the transmitted data is also authentic. As a side effect, a user can disclose (subsets of) certified data in a self-controlled and simple way.

Website Authentication

Due to fraudulent actions for the application of Corona Emergency Aid, in which the complete website of the NRW Ministry of Economic Affairs was copied and then manipulated and hosted under a different domain, data of up to 3,500 to 4,000 applicants were tapped. See WDR (german)
It is likely that these data should then be used to enter them with modified account details on the actual application page and thus access the emergency aid. See Merkur (german)

The fake website was accessible under the domain: wirtschaft-nrw.info and impersonated the official website: www.wirtschaft.nrw. The authenticity of the website could therefore have been verified by comparing the current website domain with the official one.

This is where the Blobaa project could be used as a 2nd security factor. If the domain of a website would have been signed by a trustworthy entity and made available on the website via a QR code, a website visitor could scan this QR code with the Blobaa app. The app could then check the authenticity of the QR code and show the official domain with a hint to compare the current domain with the one displayed. If these domains mismatch, one would have noticed that one visits a fraudulent website and could react accordingly.

You can find a technical description within the documentation page.

Try it out:

  1. Scan the QR Code below or the one on the homepage with the Blobaa app or use the Demo Web App.
  2. Compare the domain shown in the app with the domain of this page/the homepage.
  3. If they're matching you are visiting the official Blobaa demonstration page/homepage :).
Use the
Caution: Only for demonstration purpose

© 2020 Attila Aldemir. All rights reserved.

hosted with