Leprechaun
Leprechaun (aka “Metakgp Profile”) is a service that authenticates a KGPian's identity. The goal is to allow a KGPian to prove that they own a certain roll number, without handing over any trusted credentials to Metakgp (like passwords), or requiring manual intervention (like photo ID checking). We can do this by using proof-of-control over the ERP account associated with that roll number.

Note that this does not provide access to user data in ERP, like timetable or grades.

How does this work?

  1. User asserts that they own 11CS30040 and the email address foobar@gmail.com.
  1. Leprechaun combines the roll number and email, and uses that along with a random seed to generate a one-way hashed “challenge token” presented to the user, which it also stores in its database with an expiry.
  1. User is asked to change one of their ERP security questions to include the challenge token. This is publicly visible to everyone (which is why the email was hashed in the previous step).
  1. Leprechaun then checks if the challenge token is present on the asserted roll number’s ERP security question, through a publicly available ERP endpoint. If yes, an email is sent with a verification link to the asserted email address.
  1. When the user clicks on the link, the challenge is passed. They may now remove the challenge token from their security question if they wish.

The other supported operation is to “reset” all connections, in case the email account is compromised. This requires going through the challenge flow.

At no point does the user need to create a password, or hand over credentials for any other service. The whole point is that if they can prove that they control the ERP account for a roll number, then we can associate an email address with that roll number, and use the email to orchestrate sign ons across any other metakgp service.

What can you use it for?

Once a roll number has a verified email address, we can use this information to:
  1. Automatically and securely grant membership to mftp
  1. Derive name, department, branch, hall etc. for authorised services connected to Leprechaun, like the wiki or mfqp or dashboard (something like fb permissions).
  1. Provide automatic opt-ins for notices from hall and department noticeboards.
  1. Single Sign On across multiple metakgp services (not necessary yet)
  1. Authenticated polls/petitions (like change.org) (credit: Rohan Sharan)
  1. ???

Basically it provides us with a way to securely say “this email id belongs to this roll number”, which can be useful for convenience and authorisation.

Caveats

  • This is only as secure as the user’s ERP account (not at all secure in practice, protected only by obfuscation, but what can you do), and the user’s email address (usually somewhat secure). Note that ERP stores user passwords without hashing. (“Retrieve Passphrase” option will show you your password in plaintext)