SteemConnect was the first tool created as a standard interface to integrate sign ins into various dApps of the Steem ecosystem, as well as manage posting authorizations users allow to certain dApps.
It was initially created by the Busy team with the backing / endorsing of the Steemit team and, as far as I know, in a Steemit repository.
Among the deliverables they list, should the Steem proposal be accepted, is this:
Make interface more friendly, improve naming
And I find this very important, because between V2 and V3 of the interface security was increased, but at the expense of UX, which dropped significantly.
At the same time, one other reason I find that SteemConnect should receive funding is that we need it as an alternative to the ever more popular Steem Keychain, which I admit I prefer as well, in their current states. But such important interfaces need viable, secure and easy to use alternatives!
After these initial considerations, let's go back to our guide.
Before we start, if you are new to Steem or still have trouble understanding how the private keys work, I advise you to read this page (you can insert your username in the link instead of mine if you want a personalized page), where Steemit team has done quite a good job explaining them, in my opinion. If you still have questions, about this or other Steem-related subjects, you are always welcome to ask in the SteemHelp community.
Using SteemConnect - Introduction
In the screenshot above from the homepage of Steemconnect we can see:
With SteemConnect, you're always in control of your private keys: we neither store nor have access to them.
What they mean is they don't store your private keys on their website or access them if you store them encrypted on your computer, through one of the options available.
There are four ways you can use SteemConnect:
1. without storing any private key, and entering it every time you are asked
2. by storing your private posting key encrypted on your computer and entering a password instead of the private posting key itself
2.1. using the desktop app
2.2. using the browser extension (only for Chrome)
2.3. using the browser's local storage (gets "cleaned" by tools like CCleaner, so you'll have to re-store the keys after using such tools)
Let's take them one by one.
Unlike Steem Keychain, which was designed to store any private key except the owner private key, SteemConnect is designed to store only the private posting key, which is used more often and has fewer permissions than the active key.
For the cases when one needs to enter the private active key for the same account, it's better to do it just once, without storing the private key, thus using option 1 above.
Using SteemConnect without Storing the Private Key
Let's say I want to log in to busy.org. After clicking log in, I am redirected to SteemConnect, which greets me with this page:
which tells me who (busy.org) wants to do what (log in request - requiring private posting key).
It is good general practice to check the URL from which such requests are being made and that the connection is secure:
Then I click on Continue and I'm asked to enter my Steem username and Steem password (i.e. master password) or private key. I never enter my master password, but that's a matter of habit: it won't be transmitted anywhere, and in this case it will be used to extract the required private key from it.
Personally I prefer to enter the private key directly. In this case I know the private posting key was required (I was informed on the previous page), so I entered that.
I don't tick the 'Keep the account on this computer' checkbox, because I don't want to store my private key in this case.
Then I click Get Started.
Now we have two possibilities. If I previously allowed Busy.app to have the posting authority for my account, then I'll see this step directly:
I click on Log in and finish the login process. Still seems kinda long, huh?
Well, it's longer if the dApp doesn't have my posting authority, and that's the second possibility.
Posting authority allows a dApp to post on your behalf. It's the only way you can post something or vote through a dApp without being asked to enter your private posting key every time.
I'll revoke my posting authority to busy.org (you'll see how later), then go over the sign in process again.
When I reach the "Get Started" point, after I click it, instead of going to the page above, there are a few more steps, during which I am required to grant posting authority to busy.app. Here's how it goes:
Firstly, just like when I began the log in process, I am told what we are doing: authorize busy.app to post on my behalf. If I hit Continue (and I will), I will need my private active key to finish this operation of granting busy.app posting authority.
I am already familiar with this page, requiring me to enter the username and private key, except now I need my private active key, not the posting key to complete it.
After clicking "Get started", I am presented with a final page where I have to decide whether or not to authorize busy.app to post on my behalf.
When I hit "Authorize", the authorization is broadcast on the blockchain, and the login process continues with the last step I described above, when I didn't have to grant posting authority as well.
Using SteemConnect and Storing Your Private Posting Key Encrypted on Your Computer
I listed above three options to store your private posting key with SteemConnect. Let's recall them:
- using the desktop app
- using the browser extension (only for Chrome)
- using the browser's local storage (gets "cleaned" by tools like CCleaner, so you'll have to re-store them after using such tools)
Essentially, the main difference between the three options is the availability of your stored private posting key.
If you use the browser's local storage -- meaning you don't download any extension nor install any desktop app -- the drawback is that tools that do maintenance tasks on your computer, such as CCleaner, will empty this browser local storage. At least it does for me (I know it should be persistent), and I end up re-storing my accounts for SteemConnect after I use CCleaner.
The browser's local storage is also linked to the browser used. When you switch the browser, you need to add the accounts for that browser as well.
The latter issue would apply to the extension as well, except SteemConnect only has one extension available, for Chrome so far (with plans for a Firefox extension in their Steem proposal).
The desktop app, on the other hand, doesn't depend on the browser, but some people may not like installing new desktop apps on their systems.
I haven't installed the Chrome extension, but the desktop app and the process through the SteemConnect website and the browser's local storage work almost the same way from a user's perspective.
I'll describe it for the browser's local storage case, since it's probably the most commonly used.
Let's log in to the busy.org interface again, but this time I'll store the account I use so I can reuse it the next time I need its private posting key.
I go through the login process as before, up to this page:
Except now, instead of clicking on Get Started, I tick the checkbox to 'Keep the account on this computer'. The button's text also changes to 'Continue', and I click it.
On the next page, I'm asked to enter and confirm a keychain password, which is required to "unlock my account for usage".
Please note that this is the SteemConnect keychain; it has nothing to do with Steem Keychain! Also note that this is not your Steem master password nor one of the private keys of your account!
Just choose a random, but secure password. It is best to use a random password generator for this. You can easily find a ton of them online.
Tip: If you are extra cautious, use different passwords for your different stored accounts. But for a better user experience you can use the same password for all your stored accounts. Steem Keychain only has one password with which you unlock it, not one password for each account, so that would be similar.
After I have entered and confirmed my password, I finally click on Get started and then continue the login process.
What happens the next time I try to log in? I have a list of usernames to choose from, and my newly stored account is right there.
Instead of entering my username, I choose it from the list. I also don't have to enter the private posting key, but I do have to enter the SteemConnect keychain password associated with the stored account. To make it easier to use, apply the tip above and all you have to handle is one password, but make it a strong one.
Other than that, the login process is the same, except the button text shows now "Log In" instead of "Get Started".
But what if you need to log in with a different account, which is not in the list of accounts you have stored?
That's a good question. Once you store at least one account on SteemConnect keychain, you are presented with a list of usernames to choose from, and no obvious way to enter a new account.
Well, to do that, you have to choose the "Import" button at the bottom:
That will bring you to the page from where you can add a new account or just log in with a new account, just like we presented at the beginning.
What if I need to complete an operation which requires my private active key, and I have my account stored with my private posting key, as instructed before?
SteemConnect is best suited to store your private posting key. So what happens if you store it, but you need to complete a STEEM transfer transaction, or a power up, or a delegation, or a less often used operation like granting or revoking the posting authority, like we have seen above?
Then you need to enter this private active key once, to complete the transaction, but without storing the private key.
To do that, you choose the "Import" button, as shown in the previous question, and continue by adding your username and private active key, without ticking the checkbox to 'keep the account on your computer', because you already have it stored on your computer with the private posting key.
Can I remove one of my stored accounts?
Yes, you can. Choose Settings at the bottom of any page in this process.
On the page that shows up, click Accounts at the top.
Then click on the garbage can at the right of the account you want to remove.
Revoking posting authority in SteemConnect V3
First of all, when would you need to do such a thing?
Well, it doesn't hurt to do it every once in a while. Some projects end up dead or broken and it's a security risk for you to keep granting them your posting authority.
Other projects end up rogue or get hacked. It's important to revoke their posting authority ASAP.
In general, revoke posting authority from all (d)Apps you don't use often. The worst thing that can happen is you'll be asked to re-authorize them the first time you try to use them.
I'll describe this process using the example I presented throughout this guide: busy.org.
Let's revoke the posting authority I granted to busy.app for my account.
For that we go to this link (I'm not aware of a way to reach the link through the interface):
We will be required to log in to SteemConnect, with the private posting key.
Once logged in, I see a list of the dApps I granted posting authority to. One of them is busy.app. I'll revoke it by simply clicking on the Revoke button at the right.
The operation requires the same key level as the one needed to grant posting authority, meaning the private active key, as I'm informed here:
After I click Continue, on the next page I enter my account username and my private active key and click Get Started.
A final page informs me that if I click "Revoke" I'll actually revoke the posting authority. Which I did.
You can check the transaction on the blockchain, if you are curious or extra cautious. You have a link to it at the end of the operation.
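To decide which dApps to revoke, and to confirm afterwards that a revocation took effect, you can inspect the authority lists stored on your account. The following is an added example, not part of the original guide or of SteemConnect: it audits a constructed account object shaped like the result of the Steem JSON-RPC method condenser_api.get_accounts. The account names, the `still_used` allowlist and the function names are hypothetical.

```python
import json

# Constructed sample: one account object in the shape returned by
# condenser_api.get_accounts (names and key placeholders are made up).
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "alice",
  "owner":   {"weight_threshold": 1, "account_auths": [],
              "key_auths": [["STM_OWNER_PUBKEY_PLACEHOLDER", 1]]},
  "active":  {"weight_threshold": 1, "account_auths": [["old.wallet.app", 1]],
              "key_auths": [["STM_ACTIVE_PUBKEY_PLACEHOLDER", 1]]},
  "posting": {"weight_threshold": 1,
              "account_auths": [["busy.app", 1], ["dead.project", 1]],
              "key_auths": [["STM_POSTING_PUBKEY_PLACEHOLDER", 1]]}
}
""")

def audit_authorities(account, still_used):
    """Return one finding per account that holds an authority on `account`.

    still_used: set of dApp account names you still want to be able to post
    for you (hypothetical allowlist). Grants on the active or owner role are
    always reported, since those roles can move funds or change keys.
    """
    findings = []
    for role in ("owner", "active", "posting"):
        auth = account.get(role, {})
        threshold = auth.get("weight_threshold", 1)
        for grantee, weight in auth.get("account_auths", []):
            acts_alone = weight >= threshold  # needs no co-signer
            if role != "posting":
                verdict = "review-now"
            elif grantee in still_used:
                verdict = "keep"
            else:
                verdict = "revoke"
            findings.append({"role": role, "grantee": grantee,
                             "acts_alone": acts_alone, "verdict": verdict})
    return findings

def to_revoke(account, still_used):
    """Posting grantees that are not on the still_used allowlist."""
    return sorted(f["grantee"] for f in audit_authorities(account, still_used)
                  if f["role"] == "posting" and f["verdict"] == "revoke")

if __name__ == "__main__":
    for finding in audit_authorities(SAMPLE_ACCOUNT, still_used={"busy.app"}):
        print(finding)
```

After a successful revoke, the dApp's name should no longer appear in the `account_auths` list of the posting role when the account is fetched again.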
SteemConnect should be familiar to most steemians, but for new users, learning how to use it can be challenging. And I've seen users who are not so new who aren't very familiar with it.
While Steem Keychain is easier to use, there are websites which don't support it and there were situations when small bugs appeared (as they do in SteemConnect too) which made it unusable for a short period of time or for a certain website.
It's important to have a secure, up-to-date and easy to use alternative for whatever reasons. And to know how to use it.