How to confirm ownership of a Bluesky account?

[aaronfc]

Hey,
I am a developer at Gravatar.com and we want to allow users to verify ownership of a Bluesky account.

Most of our current integrations are based on OAuth (which I know is not part of Bluesky yet). I have also seen some conversations about support rel=me, but looks like it's not available either.

AFAIK the only way to do this would be to ask for username/password to the users and then use atprotocol to confirm those. For security/privacy concerns we don't want to do that.

Is there any other way?

Thanks in advance.

[bnewbold]

Hey, this sounds great! I love gravatar, thanks for working on it.

If OAuth is an established pattern for you, i'd probably recommend waiting for that. We don't commit to specific timelines publicly, but we have done a lot of work on it and it is finally coming together, will hopefully be rolling out in stages in the next few weeks.

If you don't want to wait, the "app password" system is designed as a stop-gap until OAuth is ready, and you could do that today. It isn't super ergonomic though.

We have also been meaning to support rel=me and similar account inter-linkage for a while now, and just haven't gotten around to it quite yet. I don't have a timeline for that, sorry. An independent developer could build something like that any time and could beat us to it.

[aaronfc]

Great news! We will wait until OAuth is ready :)

Any PR/milestone I can track to know when it becomes available?

[bnewbold]

We'll probably do a blog post from https://docs.bsky.app/blog and smaller updates in the app from @atproto.com.

[aendra-rininsland]

This topic more broadly ("how do you confirm ownership of a Bluesky account?") has come up constantly the last few days as more of the British media and political classes join the platform.

I'm divided between thinking the DNS-based verification is sufficient and effective for verifying account authenticity (indeed, I use this to great effect for the News feed), and realising that the vast majority of users have never built a website, and won't ever build a website, and at this point see the open Internet mostly as a pre-mobile relic, so are unaware of the challenges of building authenticity mechanisms in a decentralised space and have little motivation to engage with those challenges. Edit: This post by retr0id makes the point well.

An idea I have that Bluesky could implement without an excessive amount of development effort (at least, I suspect as much when compared to recently added features like DMs and 3rd party labellers):

• Create OAuth SSO apps on all the major social networks with the most minimal possible scope.
• Let users login to those networks via OAuth to establish account ownership.
• Have a section of the user profile depicting and linking to whichever social platforms the user has authenticated with.

I've long thought about building a singular independent platform that provides this functionality in a cross-platform capacity but I honestly have way too much on right now to even consider building such a thing myself. The advantage to this being a first-party capability on Bluesky is that UI affordances similar to the "blue tick" system could be added to the client, allowing for users to quickly ascertain whether an account posting is the same account from another site, without having to rely on a separate verification provider.

Another upside is this would enable users to login to Bluesky using familiar SSO credentials from other platforms.

Prior art I'm contemplating for this is mainly Keybase; at one point I ran a Mastodon instance for journalists that leveraged Keybase to verify all the users on the instance were in fact the journalists they said they were (it's really a shame Keybase got acqui-hired by Zoom, they were doing such cool stuff). Edit: Discord's "Connections" system is pretty much exactly what I'm suggesting here in many ways.

Downsides I can think of:

• Would need to periodically re-evaluate credentials to ensure they're still valid (Keybase struggled with this IIRC)
• Would require IDPs to work — at the moment, I'm not sure that Twitter can even be used as a SSO IDP anymore.

Alternatives I can think of:

• Centralised identity verification à la Twitter. I would hate this, most of the people I enjoy following on Bluesky would hate this, it concentrates trust authority into a single point of failure and it would add excessive administration burden on Bluesky PBC while repeating many of the same mistakes Twitter made with its verification process. Although I'm strongly against this, many people who've recently joined the platform do not share this apprehension and will continue to push for something like this in the absence of better functionality.
• Don't do anything. Perhaps users just need to learn how domain names work better, and the challenge is more in teaching users how to find authenticity signals in the existing affordances. My experience having to constantly explain how I verify the orgs on the News feed, however, leads me to believe that this is perhaps a greater challenge than perhaps has been previously considered. Further, given many people lack personal or professional open web presences, establishing authenticity in this way means building trust signals from scratch, leaving opportunities for bad actors to exploit. The danger of not doing anything is that users begin leveraging existing affordances like 3rd party labellers to do things they're poorly suited for (though I've long held that professional bodies doing account-level informative labelling of their members would be supremely valuable, I feel an ad-hoc community led initiative that's effectively "Aegis for identity verification" would be potentially disastrous).
• As alluded to in the previous point, 3rd party labellers could be another way to accomplish similar things, but the trust provider would need to be some sort of well-known centralised organisation (a professional body for e.g. journalists; government bodies for politicians). As well, the upper limit on labellers a user can subscribe to would mean that using this affordance for verification could potentially diminish its utility for moderation (if you need to follow 6 professional bodies to ensure the people you're following are members of those orgs, that means you can subscribe to 6 fewer labellers intended for non-verification purposes).
• I've mentioned XFN Rel-Me authentication previously, which works fairly well on Mastodon. I feel this is a separate feature, because the platforms needed for verifying previous account ownership (namely Twitter) are unlikely at this point to implement rel="me" profile links whereas they have a business need to provide SSO (i.e., reducing login friction).

[aendra-rininsland]

Thank you for the extremely thoughtful and considered reply @pfrazee, lots of stuff worth considering there. 💚

To clarify, I'm not talking about the social proof model per se, precisely because of the public data access issues you mention. What I'm suggesting is probably closer to how Discord's "Connections" work than to Keybase's proof model given that. Tbh it's kind of a nicer system than Keybase's anyway because it doesn't require polluting your timeline with posts intended to only be read by machines.

Also, apologies, in hindsight I definitely should have opened a new discussion! I admittedly wasn't entirely sure whether it was completely in line with the original discussion but didn't want to open what might've been possibly been considered a duplicate issue. If you're able to fork discussion to another issue, please do so!

[pfrazee]

NW at all, my goal wasn't to call you out, just to make sure everyone has clarity and also explain why I was polluting your proposal's feedback.

To clarify, I'm not talking about the social proof model per se

Ah yes indeed, I should have read more closely. Yeah essentially what you're pitching is attestations being published by Bluesky. If we ignore the mechanics involved for producing attestations, the "broader picture" system is that there's a root entity (bsky.app) which the system is configured to trust. Other roots could be added to the framework.

The benefit of the attestation process you're suggesting is that it's a scaleable and low-cost process which is accessible to anybody. The downside is that the attestation is not strong enough to reduce to a single verification badge without additional verification by Bluesky. At best it could be listed as verified account-links in the profile.

[snarfed]

Amusing side note: Way before bsky.app or ATProto (or even ADX?) existed, Bluesky team ran a public contest for this kind of bidirectional proof model: https://web.archive.org/web/20220319151052/https://blueskyweb.org/blog/satellite . I even submitted an IndieWeb-based entry. Memories! Good times.

[marypcbuk]

essentially what you're pitching is attestations being published by Bluesky

I actually saw what looks like a mini version of this being discussed by Aaron today through adding a link in a twitter bio; "We are checking through higher profile MPs and journalists to ensure that there aren’t any impersonators due to the influx of U.K. accounts. If you either post from an existing account or briefly change the bio then we can validate your identity through an existing account."
Don't know if that's a formalised enough process to generalise out like this suggestion?

[mackuba]

We would then bake into the app a set of trusted domains & domain-patterns which would reflect my "great identity signals" rule above, something like ["*.gov", "*.edu", "bsky.team", "github.com", "nypost.com", ...]. Any matching domain would get badged, and their verifications would be surfaced in the app as verification badges as well.

Yeah I was thinking about something more or less like this the other day:

I was thinking about something like that - like, keep a hardcoded list of "legit" gov domains like senate.gov, parliament.uk, gov.pl etc., wouldn't be that many of those, and then any subdomain of those to any depth level gets some kind of UI indication than a parilament.uk subdomain wouldn't get?

So like, if you're a senate.gov you get some kind of "gray checkmark" that says "official government account" without having to do anything else than verifying the domain, and Bluesky doesn't need to do anything manually for a specific user/institution.