Everybody hate passwords — your bank, your grandma, me, you, and even Mark Zuckerberg. People just forget the passwords — 37 % of customers ask for help on this issue in a month at least on one website, according to Deloitte (so that`s a reason for “dadada”).
We try to use the easiest combinations at the same time on several websites to not forget them. Base of 10000 most common passwords gives access to 98 % of all the accounts, although the regular user uses only 5 different passwords to access 26 services (according to Experian).
Twitter 33 million. Linkedin 165 million. Tumblr 65 million. VK.com 171 million. Badoo 127 million. Myspace 360 million.
There are now over a billion owned accounts with credentials sold online. In the age of stolen passwords, a compromised credential is the easiest way in, simpler than phishing, malware or exploit. “Password confirmation” tools are now readily available to find reused passwords matching any website.
That’s why attackers hack accounts exactly through the selection or stealing the data of a user. There were 76 % of such cases in 2013 and up to 95 % last year (Verizon Data Breach Investigation Reports). Hackers just choose the most vulnerable place — simple passwords. You can spend tons of money and create a high quality and highly protected safety system for your service — but all the efforts are vain because of the password “12345” that your customer will use.
Probably that’s why safety system of each user costs 201$/account for companies and the amount of a loss from cybercrimes goes up to $ 2.1 billions to 2019 (4 times more than in 2015, according to Juniper Research).
No matter the efforts of experts of safety, telling about the requirements towards the password in creating the account, you can’t fight the human nature. That’s why I propose to come from another side.
Despite the existance of numerous services, created to solve this problem, they all make just a small improvements, not changing the nature of a problem. Services such as 1Password and LastPass slightly ease the task, remembering the passwords or creating one master password. A lot of other programms (such as browsers) also remember the password that was put in once and automatically set it in the following visits. It is not secure, and this is transition from the factor “something that you know” to the factor “something that you have” — computer with installed program to remember. When somebody standing near your computer gets access to your account automatically, so the password loses sence at all.
Bigger problem is the centralized architecture of a database of logins and passwords, stored at the server. All the access to this base also available (all of a sudden) by login and password. Of course here the password might be more complicated as the regular administrator is more tempted on the issue of security then the regular customer. That’s why it can be more complicated to get the access to this base and it might require stealing a file with passwords or a piece of paper where it’s wtitten as in TV show “Silicon Valley”.
As a result society invented another system of protecting the most important accounts — “second factor authentication” or 2FA, based on combination of factors.
For example well known Google Authenticator — you have to put in the code from the smartphone into the computer, that changed after short period of time. Once again such desicion is not perfect on safety — you need to put in the code on the device that can already be under the control of the attacker, also on convenience — using such scheme every time gets tiring to the lazy users and they do it only to the critical important or seldom used accounts.
Another well known variety of the 2FA are the codes through SMS — there’s another problem, connected to the price of such messages, where the services turn to sending such codes via messengers. Besides recent history of interception of SMS by secret services of Russia to get the access towards the conversations of citizens also does not add confidence to the security of such a channel.
I also want to mention Clef — a great service in terms of ease with original decision but not working with mobile devices.
Using hard tokens such as flash drives or other devices can be convenient to the special use in the companies, but highly unconvenient in high number of clients who use smartphones.
Starting from the above I want to express my opinion that now there is no at the same time convenient, easy and sufficiently safe solution to the problem of authentication. Even though all the required technologies for that already exist.
First of all, we have blockchain.
Decentralized database solves the problem of central server that can be hacked. Besides it works on assimetric encryption with the length of a bit key 256, being in that sense supersecure password. Of course it is hard for a common person to memorize it, but it won’t be required — the key can be used as now happening with mobile wallets — it uses the storage of a device.
We also have SSL-certificates that protect the channel from an attack such as MIM — “man in the middle”. The solution is to release the SSL-certificate with the email address and phone number of a customer, at the same time writting hash (checksum) of certificate to the blockchain.
How it works in details:
When the customer goes to the site, the last requires from the browser to show the certificate.
Server, receiving the certificate, first checks its signature.
Server generates random number, encrypts it on public key that is included in the certificate and sends it to your browser. That is one time password of connection.
Browser, having the file with the certificate and the key withdraws the secret key and encrypts the password from it sent by the server.
Server, convinced that the client owns the correct secret key, conducts certificate info check through the blockchain. For that it checks the serial number of the certificate and searches on that serial number. After that the server calculates the checksum of just received certificate and makes sure that presented certificate with appropriate serial number is the same that participated in the registration.
If the attacker generates another certificate with the same serial number as yours, he won’t be able to load the checksum into the blockchain because it is already used by you. If he creates the certificate with other serial number it will be other ID. The server will create another account.
Now you have to make all of that convenient for the customer. For that we ask him to only put email address and phone number (no passwords!). We generate certificate locally with this data and offer the customer to install it to the browser.
After that we ask to activate the account by following the link from the email and send to any messenger that supports bots, the form of confirmation of a phone number. I note that unlike the code in SMS or a common message with such code, the form of confirmation gives the opportunity to use the separate channel of communication of a smartphone for the second factor, not the channel of potentialy compromised computer.
This way we get the chance to use the desicion without passwords, central cerver and common database, which is more convenient for the customer. For the day to day usage we don’t need to use the messenger with 2FA, for most services browser certificate will be enough secure — it will seem as the current use of a variety of “password savers”, without the risk of attacks on central server and a leak of your password and often forgettings/recoveries. For the services with sensitive data it is recommended to use 2FA, but even here the process becomes much more comfortable — you just have to press “Yes” in the messenger.
Certificates can be installed on the mobile devices (SDK). OS will suggest installing the protection with the help of other twofactors — biometrics, pin-code, graphical key. Usage of all the functions is left to discretion of a customer, but the most important is that even in the easiest version of authorization through one factor such solution looks more secure than current methods. At the same time it allows access from any device and is ready for the future — internet of things. Biometry and passwords are unavailable to our devices, they will work exactly according to such scheme with tokens an keys. We can make their interactions between themselves much more secure than now.
So, the main features are the following:
- SSL certificate for secured connection and easy deployment;
- Can be used on any device — desktop, mobile, car, drone, etc.
- Email and phone number for registration — no wallets, no nodes, no passwords;
- Convenient and secured 2FA with native bot in any messenger for independent channel;
- No central server — no weak point for attack;
- Single account can be used on many sites;
- Multiple accounts with simple management.
What happens if you lose a device?
Account connected to the phone number and email adress that’s why you would be able to pause the access with the help of email before restoring the phone number. After that it’s possible to reissue the certificate. Services that use such system, like banks, might be gathering other data such as copies of the documents and photos of the clients according to which it will be possible to restore the access in the most complicated situations. With time I hope we would come to storing full identity in blockchain and the phisical presence in such cases won’t be required.
There are any examples of the release already exist?
Authorization through SSL-certificate was developed in Emercoin. We use their concept for MVP adding second factor, automated generation of a certificate without the need of server deployment with installed wallet. We also plan to deploy this technology on the bitcoin sidechain for cheaper transactions, if we see the demand.
How much will this cost?
Nothing for the user. It will be payed by the services (banks, exchanges, etc.) who want to decrease the expence on security and who want to improve and ease the usage of their service for the clients. There may be situations when the service will want to put those expences on the customers. For example, bitcoin exchanges with huge amount of clients but small income. In such cases the payment of $1/year should be acceptable for the customer.
The model of paying for the customer was chosen because of a reason that to create an account in the blockchain it is required to make a transaction. Periodically it will be required to reissue the certificate because of the lose of devices etc.
I would love to hear the public opinion on the convenience of such a solution: would it be difficult to download the certificate for unexperienced user? (its download and instalation is similar to any program) What vulnerabilities do you see? Would you use such a technology as a service? As a user?