Hackernoon logoHow to Solve the Authentication Problem with WebAuthn+ by@Michael

How to Solve the Authentication Problem with WebAuthn+

The current username/password system is a failure. User names and passwords are difficult to manage and easy to hack. There are significant financial costs, measured in billions of dollars each year. The FIDO Alliance is advocating a solution called WebAuthn. This could be accomplished by a simple change to the Web Bluetooth API. Simple passwords will become highly secure. The Fido Alliance will most likely fail. The problem that needs to be solved for secure web authentication is actually very simple: insure the user is on the right web page. This would completely stop phishing scams.
image
Michael Hacker Noon profile picture

Michael

A simple addition to the Web Bluetooth API will completely solve the authentication problem. And most users will be able to keep the convenience of user names and passwords! Simple passwords will become highly secure.

I know, this sounds amazing, but if you take a few minutes to read this article you will be amazed.

[Note: This article is about the establishment of a new protocol, not the
promotion of any product or service. TLDR: 29 minute read; 3 minute
scan. This article is formatted for a quick scan of essential points.]

Many people are attempting to solve the authentication problem. The current username/password system is a failure. User names and passwords are difficult to manage and easy to hack. There are significant financial costs, measured in billions of dollars each year.

For more than ten years, the most common “solution” has been to send a sign-on token to a user’s mobile device; however, the FBI has warned that these multi-factor authentication (MFA) processes are subject to advanced attacks, especially when the tokens are sent through text messages (SMS).

The Fido Alliance will most likely fail.

A consortium of the world’s leading technology companies, the FIDO Alliance, is advocating a solution called WebAuthn. There are two primary implementations of WebAuthn; one depends on physical security keys, another depends on integrated biometric readers within consumer devices (e.g., Windows face recognition technology).

Despite years of advocacy, the WebAuthn standard has not captured the mindset of the development community. For consumer applications, it is ridiculous for developers to assume that everyone who wants to use their applications will first go out and buy a physical security key; even within a secure corporate setting lost, misplaced and stolen keys must be a significant bureaucratic hassle.

Most consumers do not trust biometric surveillance (whenever I get a new laptop the first thing I do is put a piece of black electrical tape over the camera; my webcam for my workstation is unplugged most of the time) and most people think biometrics are intrusive (Big Brother really is watching.). Many older systems do not have integrated biometrics, thus the problem for developers in coding a universal solution based on biometrics.

The W3C WebAuthn recommendation (written by members of the FIDO Alliance) is convoluted and complex. The WebAuthn recommendation is over one-hundred-fifty pages long and it reeks of artificial complexity. Anyone who has been involved in IT for any reasonable period of time will see the WebAuthn recommendation as an opportunity for IT “service” providers to create complex systems and sell consulting services.

The WebAuthn document reads like the blueprint for a massive suspension bridge to be built across a “narrow creek”. The problem that needs to be solved for secure web authentication is actually very simple: insure the user is on the right web page; e.g., “www.chase.com” not “www.chaze.com” (this would completely stop phishing scams). This could be accomplished by a simple change to the Web Bluetooth API; the complexity of WebAuthn is completely unnecessary.

The two primary leaders of the FIDO Alliance are Microsoft and Google. If Microsoft and Google are dead set on their plans for WebAuthn, it is most likely because they have a strategy to harvest data from every authentication in every web application and every application running on Windows and every application running on Android; that utilization data would be exceptionally valuable data (and ethically, I think it would be an unfair competitive advantage).

How did the implementation get so screwed up?

The FIDO Alliance promise of “simpler stronger authentication”, is a noble goal. How did the implementation get so screwed up? How did an alliance of the world’s leading technology companies set out on a path that in my opinion has lead to failure?

If you think the major technology corporations are staffed with brilliant
people doing brilliant things, you would only be partially right. In every organization there are mission-oriented people dedicated to advancing the organization’s mission; however, there are also a significant number of petty, incompetent, politically conniving assholes dedicated to their own aggrandizement. The political assholes often form tribal groups dedicated to making each other look good and deflecting blame when something goes wrong (“How to Build Alliances”, is one of the key strategies for rising in the corporate bureaucracy.).

The problem affecting WebAuthn is the same problem affecting many aspects of our society, especially our politics: the mindset of the tribal group.

Groupthink is a psychological phenomenon that occurs within a group of people in which the desire for harmony or conformity in the group results in an irrational or dysfunctional decision-making outcome. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative viewpoints by actively suppressing dissenting viewpoints, and by isolating themselves from outside influences.”[ref]

Groupthink requires individuals to avoid raising controversial issues or
alternative solutions, and there is loss of individual creativity, uniqueness and independent thinking. The dysfunctional group dynamics of the ‘ingroup’ produces an ‘illusion of invulnerability’ (an inflated certainty that the right decision has been made). Thus ‘the ingroup’ significantly overrates its own abilities in decision-making and significantly underrates the abilities of its opponents (the ‘outgroup’).”[ref]

It is possible for one individual to breakthrough the the mindset of the tribal group, even when he/she is going up against some incredibly smart people who are egotistically certain they know what they are doing. The story of John C. Houbolt from the early days of NASA is a story that should be taught in every engineering program. John C. Houbolt was THE guy who figured out how to go to the moon. He succeeded against strong opposition because his solution was technologically superior and because his ultimate concern was the success of the mission.

The “Nirvana Solution”

The “Nirvana Solution” for authentication will enable users to keep simple passwords (which is what they really want).

Imagine a world where authentication is convenient, simple and secure.

The first time you authenticate to a web application you simply touch a “Sign On” button on your smart phone to engage a cryptographically secure process, then you have the option to designate that system as a “trusted system” (e.g., a home computer or an office workstation); in the future you can sign on to that “trusted system” with a user name (e.g., your email address) and a simple password (anything you choose, even “asd” or “123”). If you forget your password, you can simply reset it without making a support call. Everything is done with high levels of cryptographic security.

No extraneous physical security keys are required.

No biometrics are required.

The foundation of WebAuthn+ is a simple “Cloud to Mobile Authenticator” that enables users to simply touch a “Sign On” button on their smartphone and securely authenticate to a web application

A Simple Change in the WebBluetooth API

Any IT expert who demos the prototype and examines the system architecture will realize the simplicity and elegance of WebAuthn+. Truly, a simple change in the Web Bluetooth API completely solves the web authentication problem.

The primary goal of a phishing scam is to convince the user they are on a legitimate website (e.g., www.chase.com) when in fact they are on the scammer’s website (e.g., www.chaze.com). The most common tactic is to send an email that appears legitimate and contains a link to the scammer’s website. If the scammer can convince you to enter your username and password into their site, they can capture the values and then forward you onto the legitimate website; you may never know your credentials have been compromised.

What if you could always be certain that you were on the legitimate website whenever you went to a sign on page. Web Bluetooth provides the solution. Web Bluetooth is a technology and API that enables interaction with Bluetooth devices through a web browser; it enables your web browser to communicate with your smart phone over a local bluetooth connection (“out of band”; i.e., not through the Internet).

Because the connection is local and through a device that you control, the
system can be architected so that scammers cannot intervene. Information
is currently transferred through JavaScript methods in the Web Bluetooth API:

domainNameCharacteristic.writeValue(textEncoder.encode(domainName));

Currently, the “domainName” value is determined by the developer who wrote the JavaScript (or by the scammer who creates a fake JavaScript file on a fake website); the value is controlled within the “JavaScript context” and can be easily modified. If instead, the value came from the “application context” of the browser the value could not be modified and the user’s smart phone could confirm the user was on the right web page.

writeDomainNameCharacteristic();

That’s it… a simple change in one method in the WebBluetooth API is all that is needed to solve the authentication problem.

Well, that’s almost it… The pairing process currently specified by the Web Bluetooth API is not user friendly and not highly secure. “Session Specific Pairing” would be a great improvement.

And yes of course, if a bad actor can install malware on your system or
install a completely fake version of your Internet browser, then your
authentication can be compromised. This is one reason why you should
never use a publicly open computer for anything requiring secure
authentication.

Some Technical Details

After a user signs on for the first time through the full cryptographically secure process, the user can designate that system as a “trusted system” (e.g., a home computer or an office workstation) and create a password of their own choosing.

The password for a trusted system can be incredibly simple because the value that the user enters is combined with a UUID salt value that is stored on the system as a cookie (hence, the system needs to be trusted and secure). The values are used to generate a cryptographic hash using the PBKDF2 function from the Stanford JavaScript Cryptography Library:

var out = sjcl.misc.pbkdf2(password, sjclSalt, 
sjclIterationCount, sjclLength); 

var passwordHash = jcl.codec.hex.fromBits(out).toUpperCase(); 

console.log(“passwordHash: “ + passwordHash); // TODO: remove

A simple user password of “asd” becomes

7C3249A2415F53FC1A8A150C60C9347CBC14AE0C62C7C5C73FF4BC45A15ECFCA”;

This value is essentially a generated password and is sent to the server
over encrypted HTTPS. The value is hashed once again on the server with
the Argon2id hashing algorithm (the most secure hashing algorithm) and
is stored on the server as a set of Argon2id parameters:

‘$argon2id$v=19$m=1048576,t=4,p=8$HQiUtZvto2icGsXVTF/BJw$emWzw24cLFhmnd8WUhZDyjRJHCg1C0J9542yTPCiACE’

Whenever the user signs on, the hash values are recalculated and compared with the stored hash value. Without access to the user’s physical system and knowledge of the user’s password, it is impossible for a bad actor to sign on, even if there was a complete breach of the server data.
The user can use the same simple password across multiple sites because
each time it will be combined with a different salt value and will be stored on different servers as completely different hash values.

A cookie with a password on a trusted system is actually more secure than
a digital certificate on a “trusted system”. With a digital certificate a bad actor just needs to access the system, either physical access or through malware. When a cookie and a password are required a bad actor would need both.[ref]

Also, the user can always reset his/her own password. There is no need to
call tech support which for large organizations can be a seven figure
annual cost, just for changing passwords.

Everyone assumed that user names and passwords had to be eliminated in order to solve the authentication problem. The paradox of the ebAuthn+ solution is that most users will be able to keep their user names and passwords, the system will become more secure and passwords can become even simpler.

Public-Key Cryptography

While the mathematics of implementing a cryptographic system can be very complex, the basic principles are quite simple.

There are two broad categories of encryption: Symmetric and Asymmetric. Symmetric encryption depends on a single key that needs to be shared among the people who encrypt and decrypt messages. Symmetric encryption can be very secure if the key is strong and protected. The bureaucratic nightmare of securing and administering secret keys inspired the creation of Asymmetric encryption which is usually referred to as Public-Key Cryptography.

Here is everything you need to know about the magic of Public-Key Cryptography: There are two keys, a public key which everyone has access to and a private key which you must keep private for the system to be secure. If a bad actor gets access to your private key it is game over; you lost.

  • A message that is encrypted with your public key can only be decrypted
    with your private key. If you keep your private key private, anyone can
    send you a secure message by accessing your public key.
  • When you send a message and sign it with your private key, your signature can be confirmed with your public key. If you keep your private key private, the validity of your signature is assured.

That is the essence of Public-Key Cryptography.

Securing Data on Your Smart Phone

In the WebAuthn+ process the credential provider sends messages from the application server to your smart phone through an encrypted Firebase channel. A message can only be decrypted with your private key which is stored securely on your smart phone.

What do you mean, “stored securely on your smart phone”? Is that a joke? We all know from the Apple v FBI encounter that anything on your smart phone can be decrypted by anyone with marginal computer skills. It is incredibly easy to do.

Well… it is not easy to do if the encryption process is done in a sensible manner (send the following architectural overview to your friends at Apple).

When a user downloads and activates the WebAuthn+ mobile app from the Apple App Store or from the Google Play Store, in the installation process the mobile app generates a 4,096 bit public/private key pair in less than ten seconds (on a “good” phone). A 4,096 bit key pair is very large and highly secure (double the traditional recommendation by RSA Laboratories [ref]).

The public key is uploaded to the mobile app provider’s (e.g., your bank’s)
data structures. The private key never leaves your smart phone. The
private key is stored on your smart phone in an encrypted state.

In order to attain a high level of security an AES-256 symmetric key is also created when the WebAuthn+ mobile app is installed. This AES-256 key is used to encrypt/decrypt data on the smart phone; this key is not stored on the smart phone.

When the WebAuthn+ mobile app is installed the user creates a password for the app. This password is used to create an obfuscated identifier
(details below) which is associated with user’s AES-256 key and both are stored in the mobile app provider’s data structures. When a user initializes the WebAuthn+ mobile app the password is entered and the obfuscated identifier is re-created and sent to the server, the AES-256 key is returned.

When a user enters his/her password in the WebAuthn+ mobile app, after a configurable number of failed attempts (bad password entries) the mobile app locks and the assistance of a personal banker (or a team member from corporate security, etc.) is required to reconfigure the app. Don’t forget your password unless you want to see your personal banker or a team member from corporate security, etc.

Because after a configurable number of failed attempts (bad password entries) the mobile app locks, it is impossible for an external bad actor to attack WebAuthn+ through a brute-force attack (there is no way for a bad actor to get the AES-256 key and then decrypt the user’s private key).

It is important not to associate the user’s AES-256 key with the user in
the server data structures. Associating the user’s AES-256 key with an obfuscated identifier and not the user’s account limit’s the possibility that a bad actor within the mobile app provider’s organization could gain access to a user’s symmetric key, steal the user’s smart phone and gain access to
the user’s accounts.

The only way to secure data on a smartphone is to encrypt the data with a key that is stored off the device, delete the key from the smart phone when it is not needed and load the key in a secure process when it is needed. The WebAuthn+ process takes just a few seconds and is within the boundaries of being user friendly.

So if your smart phone is lost or stolen, a bad actor cannot sign on to your WebAuthn+ mobile app; and if a bad actor can programatically gain root access to your smart phone and read the stored data, the important data (i.e., your private key) is securely encrypted.

What if the government gets involved?

If a government agency ordered a service provider to decrypt the data on a
user’s smartphone, the service provider would not be able to comply if
the user has chosen a complex password for the WebAuthn+ mobile app.

Wait a minute!!! The weak link of the system depends on a user’s password??? That can’t be good.

There is a significant difference between a web application which is a
distributed application running on multiple systems (and in multiple
browser applications) and a mobile app running on a single system that
you control.

The only way a password that you enter into the WebAuthn+ mobile app can be intercepted is if there is malware running on your phone (game over, you lost) or if a bad actor “looks over your shoulder”, steals your password, then steals your smart phone, and defeats the fingerprint reader (or other security) before you can report your smart phone lost or stolen… then the bad actor can access your account; this is the only real threat vector against WebAuthn+.

Why don’t we just use the security key within the Trusted Platform Module
provide by the phone manufactures? There are both social reasons and
technical reasons. Big corporations have now proven that they cannot be
trusted with our personal data AND they cannot be trusted not to collude
with evil governments. There are also numerous technical reasons not to
trust TPM: click here for details.

Some More Technical Details

In order to protect the private key and other data within the WebAuthn+ mobile app, access to the app is protected by a password and that password is used to generate an obfuscated identifier that is associated with the user but cannot be used to identify the user, for example:

2E988595485874A71449546BB49A7AFC9B603ED5EFFD7A5DAC9B8B333A345B78

The obfuscated identifier is created using the PBKDF2WithHmacSHA256
secret key algorithm. The two most important inputs into this algorithm
are the password itself and the iteration count. The more complex the
password and the higher the iteration count the higher the computational
cost for anyone trying to crack the secret key. The password is combined with a UUID salt value to guarantee uniqueness.

When a user enters his/her password in the WebAuthn+ mobile app this obfuscated identifier is generated and sent to the server. The AES-256 key is returned and used to decrypt data on the user’s smart phone.

The PBKDF2WithHmacSHA256 secret key is also used to encrypt/decrypt the AES-256 key which is then stored on the server in an encrypted state.

The reference implementation uses an iteration count of 262,144. The
iteration penalty is imposed every time a user enters his/her password
and activates the WebAuthn+ mobile app. On a good phone the time penalty is about 2.5 seconds (about the limit for a “bad” user experience).

If a government agency ordered a service provider to decrypt the data on a
user’s smartphone, and the service provider had access to the smart
phone, in theory, a brute force attack could be made by testing all the obfuscated identifiers in the service provider’s system. If the user chooses a password that is ridiculously easy to guess (e.g., “password”, “123”, “asdf”) then the quality of the algorithm and the iteration count do not make a difference. The system is vulnerable.

On most mobile app keyboards there are 82 characters to choose from (26
lower case, 26 uppercase, 10 numeric and 20 symbols). If a user creates a
password with twelve characters there are 82 to the 12th power possible
permutations to consider when cracking the secret key generated from
the password:

82¹² = 92,420,056,270,299,898,187,776

That is 92 sextillion and change. If you randomly go through half the
possibilities, you have about a 64% chance of hitting the right password. How long would that take if each guess took 1 second to compute on a very fast computer and you had an array of one million computers (a “small” array by NSA standards)?

92,420,056,270,299,898,187,776 / 2 (half the possibilities for a 64% probability) /1 million computers / 60 seconds in a minute / 60 minutes in an hour / 24 hours in a day / 365 days in a year = 1,465,310,380 years

That’s 1.465 billion years; the age of the Earth is estimated at 4.543 billion years. In cryptography, the key is to use algorithms that require a significant time penalty to defeat.

Assume that a user chooses an eight character password. The number of
possibilities is 82⁸ = 2,044,140,858,654,976 and the time calculation
goes to 32.4 years; not great but maybe “good enough”.

Assume that you are trying to protect some system like your phone with a four digit numerical PIN. Well, that is only 10,000 possible combinations and the system could be cracked in a matter of seconds. Assuming that the
iPhone was protected by a PIN or a weak password, it really was no big
deal that the FBI was able to crack the system.

Cryptographically Secure Digital Credentials

In the late Seventies and early Eighties computer names were maintained by using handcrafted HOSTS.TXT files. As networks became more
interconnected this process became unmanageable. Everyone knew that
something needed to be done. When the Domain Name System (DNS) was created everyone saw it as the obvious solution.

Similarly, when the solution to the authentication problem emerges, everyone will say, “Of course, this is how it had to be.”

Whenever a significant technology problem is solved, incredible new opportunities arise. Solving the Domain Name System (DNS) problem made the creation of the information Internet possible. Solving the authentication problem will make the Internet of Value possible.

The Internet of Value has the potential to ignite a worldwide renaissance by providing, “ubiquitous access to efficient financial systems and the ability to transact with anyone in the world.” ~ W3C — Internet of Value Manifesto ~

The basic question is, how can trust be established in the digital age? If
you and I have never met and I come to your website or place of business, how can you be confident that my digital credential is valid? WebAuthn+ answers this basic question regarding the establishment of trust.

The essence of the WebAuthn+ system is incredibly simple: Through cryptographically secure digital credentials, we do away with the weaknesses of user names and passwords for the initial web authentication (later the user has a choice to create a trusted system where a simple password can be used). If a credential is provisioned to a user’s smart phone in a valid institutional process, then when the user presents the credential (either in person or over the network) the receiver can be highly certain that the credential and the user are valid.

There is only one threat vector: If a bad actor “looks over your shoulder”, steals your password to the WebAuthn+ mobile app, then steals your smart phone, and defeats the fingerprint reader (or other security) before you can report your smart phone lost or stolen… then the bad actor can access your account.

Because the receiver can cryptographically verify that you are the person to whom the credential was issued, under WebAuthn+ it truly does not matter who you are; what matters are institutional validations and the ability to represent those validations with cryptographically secure digital credentials.

What is a valid institutional process?

It is the identity proofing process. It can be anything the institution defines and controls, from the very simple to the highly secure. In the most basic use case, the credential provider of a web application simply wants to secure the account to the user who created the account. Identity attributes do not need to be verified; valid authentication (from the user who created the account) simply needs to be secure and repeatable. Under this use case a credential can be issued directly through a web application when the account is created; the identity proofing could be an email verification.

The process for creating a cryptographically secure digital credential
can also be applied in a secure setting where identity is verified (e.g., the issuance of corporate identity credentials at a security station or the issuance of financial credentials at a bank, “know your customer”). This secure “identity proofing” represents a high level institutional validation and can be a very complex process.

Under WebAuthn+ the user’s identity is verified in a valid institutional process determined by the institution issuing the credential. There is no master identity proofing process that one organization or overnment controls. The identity proofing takes place by the institution when a digital credential is issued.

An organization can maintain complete control of its authentication process under WebAuthn+. When there is no need for third party validation of credentials (e.g., a corporation or government agency simply wants to authenticate its own users or a service like Netflix just wants to authenticate its own members) the WebAuthn+ infrastructure can exist as an insulated microcosm within corporations or government agencies.

When third parties must rely on credentials (e.g., drivers licenses, passports, financial credentials, insurance credentials, etc.) there will be a public identity infrastructure that will be managed through The Worldwide Distributed Ledger of Credential Providers; essentially, if you can trust the digital signature of a credential provider (an established bank, government agency, etc.), you can trust all the credentials that they issue (as long as there is a valid revocation list).

Surprisingly, there is no need to store user credentials or identity data in any type of worldwide data structure. The integrity of a user’s digital credential is determined by the hash codes and signatures that are contained within the credential itself. As long as the user keeps his/her private key secure (on his/her mobile device), the user’s digital signature provides assurance of the association to the user’s public key and the validity of the credential can be established.

There is also no need for a “Trust Authority” to bind a user to his/her identity attributes (and require the “Trust Authority” to manage billions of identities and keys worldwide). The binding process of a user to his/her identity occurs during the valid institutional process when a credential provider issues a digital credential. Identity is completely contextual to the institutional process (i.e, if your banker knows you, your credential will be valid).

This means that the The Worldwide Distributed Ledger for Credential Providers will contain at most a few hundred thousand entries for credential providers worldwide: banks, other financial institutions, insurance companies, national governments for passports, other government agencies for government programs, state/provincial governments for driver’s licenses, educational institutions, etc. In terms of data structures, less than a million records is an incredibly small data structure.

Who are you?

Under WebAuthn+ the concept of identity is fundamentally changed. Who are you? You are the entity that has been issued a cryptographically secure digital credential.

The traditional view of identity is that you are a collection of identity
attributes (e.g., user name, first name, last name, address, account
number, credit history, etc.) and you then prove your association to
these attributes through one or more of the three factors of authentication:

  • Something you know (password, secret question)
  • Something you have (security token, USB key, mobile device)
  • Something you are (biometrics)

Rather than proving an association to a set of attributes, the focus of WebAuthn+ is on the ability to use cryptographically secure digital credentials in valid institutional processes. The concept of verifying institutional validations rather than verifying personal data requires a shift in perspective. Once that mental shift occurs everyone is amazed at how
simple WebAuthn+ is.

Think of your smartphone as a security device for securing your private key and your association to your digital credentials.

Access to your phone can be thought of in terms of the three factors of authentication:

  • Something you know (password)
  • Something you have (the phone itself)
  • Something you are (fingerprint scanner)

However, once you have established a legitimate association to your private key, the digital credential process takes over. WebAuthn+ essentially creates a single signon process with the user’s smart phone as the point of entry to the digital credentials that provide more granular application access.

Signing on to a mobile device that you physically control is qualitatively
different than signing on to a web based application from any system in
the world. Your digital credential is cryptographically locked to your mobile device; it cannot be “spoofed” or replicated. Along with the cryptographic processes, the “something you have factor” (the physical smart phone itself) provides enhanced security.

Again, there is only one threat vector against WebAuthn+: If a bad actor “looks over your shoulder”, steals your password, then steals your smart phone, and defeats the fingerprint reader (or other security) before you can report your smart phone lost or stolen… then the bad actor can access your account.

Think of Identity and Authentication Management in terms of referencing
institutional validations represented by cryptographically secure digital credentials, not in terms of managing and verifying certificate chains of authority, or even worse, managing and validating vast amounts of personal or biometric data.

Your identity is not determined by a collection of attributes; your identity is determined by a cryptographically secure digital credential that associates “you” to a public/private key pair. For each specific context, the essence of “you” is determined by an institutional validation (i.e., identity proofing: anything the institution defines and controls, from the very simple to the highly secure).

The King’s Seal

If your bank validates you and issues you a digital credential, your identity does not matter, all that matters is that you are the only person who can utilize that credential. Think of the past when the king’s seal represented a stamp of approval; your identity did not matter, all that mattered was the validity of the king’s seal and that you were the rightful holder of the credential. In the age of technology it is possible to create a “valid seal” with a secure private key on a smart phone.

A cryptographically secure digital credential is an inviolable proxy to the valid institutional process that was used for identity proofing. Once the institution determines that “you are you”, the digital credential can be used to verify that institutional validation.

It will be simple to make cryptographically secure digital credentials interoperable amongst various institutions, e.g., a group of universities and/or commercial enterprises. Federation will be just a matter of sharing user identifiers (usually an email address) and the associated public keys, along with a valid process for a credential revocation check.

Legal Identity and Digital DNA ID

When you establish an account with Netflix or some other service organization there is no need to provide your absolute legal identity; all that is needed is an application identity. You just need some way to secure your account; a digital credential that only you can use works fine in this use case. In fact, WebAuthn+ works flawlessly in this scenario. If your smart phone is lost or stolen you can buy a new smart phone and reestablish your digital credential through a trusted email account. Not perfect, but probably good enough.

For banking credentials, insurance credentials, state issued credentials
(e.g., digital driver’s licenses, digital passports) you need a process that securely establishes your legal identity. Currently there is a hodgepodge” of processes. Every financial institution and government agency has their own process for identity proofing (i.e., institutional validation). All of these
processes, especially current biometric processes based on facial
recognition, are flawed.

What if there was a foolproof biometric identifier that established identity with absolute certainty? There is: Digital DNA ID. There is no other biometric identifier that is more accurate.

In the near future, when a financial institution or state agency first
provisions a digital credential they will take a DNA sample that will be
digitized in a manner of minutes. This Digital DNA ID will be the secure identifier for your account. Once your digital credential is provisioned to your mobile device, the security of the WebAuthn+ process takes over. If your digital credentials are ever lost or stolen you can reestablish your digital credentials simply by being you.

Credential restoration is one of the primary attack vectors against an identity system. If a bad actor can convince an organization that credentials have been lost or stolen and they can scam the process for credential restoration, they can steal a user’s credentials. A completely secure credential restoration process will be the main driving force behind Digital DNA ID. Customers will feel more secure dealing with a bank where only someone with their Digital DNA ID can access their account.

Under the WebAuthn+ it will be possible to securely store a Digital DNA ID within a user’s credential when the credential is created by the provisioning institution. In cases where extreme security is required, verifying the Digital DNA ID in the credential against the individual in real time will provide absolute security.

Government / corporate surveillance and invasion of privacy will become even greater threats in the presence of a technology that establishes absolute identity. The technology itself is not the problem. Government / corporate abuse is the problem. Democratic societies will need to establish laws that prevent this abuse because the technology is definitely coming.

In fact, it is already here…

One way to limit the potential abuse is to limit the information that can be in a Digital DNA ID. The following excerpt is from the website of ANDE, the makers of a rapid Digital DNA processing system:

[Begin quote:] Digital DNA IDs are not Genetic Profiles — the two tests look
at different aspects of an individual, are performed for different purposes. A Digital DNA ID simply identifies an individual, while a Genetic Profile is designed to assess the health of an individual, and contains essentially every piece of genetic information in the human genome. To put this in perspective, a Digital DNA ID contains approximately one-millionth of the information in a Genetic Profile.

Digital DNA IDs are the optimal identification tool for two major reasons:

  1. DNA IDs are far more accurate than any other biometric modality including conventional fingerprints, facial recognition, iris scans, and voice recognition.
  2. DNA IDs preserve privacy — they contain absolutely no useful information about an individual other than identification. A DNA ID contains much less usable information than an individual’s address, phone number, photograph, or browser search history.

The ability of DNA IDs to identify a person with exquisite accuracy is
accompanied by an emphasis on privacy protection — the DNA ID generates absolutely no information concerning an individual’s health or body composition or organic strengths or weaknesses. [:end quote]

In the near future, when legal identity is required it will be based on a Digital DNA ID.

When a child is born his/her parents will be issued a digital birth certificate with the child’s Digital DNA ID encoded into the digital credential. This digital birth certificate will also include a copy of each of the parent’s digital birth certificates. This digital credential will be stored with the hospital where the birth occurred and with the county department responsible for registering births. If the user loses his/her digital credential birth certificate it can be easily recovered with a Digital DNA ID verification.

When the child passes his/her driver’s license test he/she will be issued a
digital driver’s license by the state/province department of motor vehicles; the child’s Digital DNA ID will be encoded into the digital credential. A verification will be made against the child’s digital birth certificate to establish another link in the child’s legal identity.

A similar process will occur when the child receives his/her passport,
financial credentials, insurance credentials or any credential that
depends on legal identity.

With the technology to absolutely verify an individual’s legal identity
there will be significant opportunities for abuse by corporations and
governments. The technology is coming. There will be no way to hold it
back. Rather than reacting out of fear of a potentially dangerous
technology, everyone should remember the social problems associated with biometrics are social problems, they are not technology problems.
An enlightened society will create solutions for these social problems.
Technology companies should take the lead in creating these solutions
or they will face punitive restrictions. There are workable solutions.

Democratic societies that respect human rights will have ample opportunity to witness the abuses of government/corporate surveillance because in totalitarian states this technology will most certainly run amuck. Power will corrupt.

Voting From Your Kitchen Table

WebAuthn+ will greatly influence political events by reintroducing classical
Greek democracy to the world. Unlike current on-line polls that can be “spammed” multiple times by a single user or a group of users, on-line polls conducted under WebAuthn+ will be validated for user uniqueness and still be anonymous. Users could also volunteer to provide their demographic profiles to the on-line pollsters enabling political scientists to extricate more meaningful conclusions from their polls.

At first, this uniqueness will probably be based on a cryptographically secure financial credential.

Ultimately, with digital driver’s licenses and state identity cards based on Digital DNA ID, secure on-line voting will become a reality that will lead to an ever-increasing number of local, national and world plebiscites. There
will come a time in the near future when a consortium of major news organizations will call a worldwide referendum.

Solving the authentication problem will bring the world together and enhance democratic institutions.

“One more thing…”

When Steve Jobs made a presentation, the most important part of the presentation usually came after the phrase, “One more thing…

First, a few more technical details:

A Secure Hash Algorithm inputs a text string of any length and outputs a
number of a fixed length. The number is usually represented in HEX (there are 16 HEX digits: 0–9 and A — F). There are five ideal properties for a Secure Hash Algorithm [ref]:

  • it is deterministic so the same message always results in the same hash
  • it is quick to compute the hash value for any given message
  • it is infeasible to generate a message from its hash value
  • a small change to a message should change the hash value so extensively
    that the new hash value appears uncorrelated with the old hash value
  • it is infeasible to find two different messages with the same hash value

As an example:

 input: The quick brown fox jumps over the lazy dog.
  hash: 1EA1245F20D46AE9A037A989F54F1F790F0A47607EE
        B8A14D12890CEA77A1BBC6C7ED9CF205E67B7F2B8FD
        4C7DFD3A7A8617E45F3C463D481C7E586C39AC1ED
 
 input: The quick brown fox jumps over the lazy dog
  hash: 07E547D9586F6A73F73FBAC0435ED76951218FB7D0C
        8D788A309D785436BBB642E93A252A954F23912547D
        1E8A3B5ED6E1BFD7097821233FA0538F3DB854FEE6

While the second input differs from the first only by a period at the end of
the string, the hash output is vastly different; in cryptography this is known as the “Avalanche Effect”.

Bitcoin mining depends on a proof of work process involving hash codes. When new transactions are added to the distributed financial ledger a hash value of the ledger is calculated. Then the proof of work is performed
by adding a numerical value to the ledger that will cause a recalculated hash value to have a determined numbers of leading zeros. From the example above:

input: The quick brown fox jumps over the lazy dog.139547552
 hash: 00000000679BC7B0C894820D666F07279FE60D4F2F3
       26471E22F1B91C495115495FA987C209CD99995DF46
       5E8B04C00E555CA9926AD972C34FC210FDE7280B8A

If we append “139547552” to original input, the recalculated hash has eight leading zeros. The proof of work to determine this value took just a few minutes on a good workstation. Imagine recalculating the hash of a very long distributed ledger to create a hash value with twenty leading zeros. The computing power to determine that proof of work would be
significant. In fact, one of the major criticisms of Bitcoin “mining” is its environmental impacts which are severe and growing.

We won’t debate Bitcoin’s future as a niche crypto-currency or the “greater fool theory” propelling Bitcoin’s rising value or the very real possibility of crashing the Bitcoin network by mounting a “Micro-Transaction Multi-Spend Attack”; however, similar to Bitcoin’s distributed ledger, it is possible to create a Cryptographically Secure Private Distributed Ledger for all types of business and financial processes.

These ledgers will be in a simple, structured JSON format (see the test image below) and will be signed with one touch on a user’s mobile device. The private key stored securely on your mobile device will be used to sign
the hashcode of the elements in the ledger. Your signature will be
verified by anyone with valid access to your public key.

This process will be the foundation of a change the world technology platform that will lead to creation of the Internet of Value and the widespread implementation of practical artificial intelligence systems (based on lots of structured decision making data, harvested for optimal decisions).

Cryptographically Secure Private Distributed Ledgers will be engineered with artificial intelligence systems in mind. All the key decision making attributes will be constructed into the ledger; over time, the correct weight of these attributes will be determined by evaluating vast amounts of data  for optimal outcomes. A new IT/BPM position will arise: DLT Engineer.

I think it is doubtful that silicon-based systems will ever be capable of true creativity or consciousness. But certainly “practical AI” systems that seek optimal decision making in vast amounts of data will relieve humans from non-creative drudgery work and lead to better decisions.

In the very near future, all business processes and agreements (including
all financial transactions) will be confirmed by a cryptographic signature of a Cryptographically Secure Private Distributed Ledger. Business process management will be transformed. Your smartphone will enable the creation of an inviolable business record. Complex records among multiple participants will have cryptographically secure attestations.

A point of emphasis, except for the creation of a hashcode, these Cryptographically Secure Private Distributed Ledgers have nothing to do with crypto-currencies, blockchains or distributed data structures; this has nothing to do with the blockchain hype (a problematic technology that is going nowhere). This has everything to do with secure authentication, transforming business process management and creating practical AI systems.

image

Igniting a Worldwide Renaissance

The Internet of Value has the potential to ignite a worldwide renaissance by providing, “ubiquitous access to efficient financial systems and the ability to transact with anyone in the world.” ~ W3C — Internet of Value Manifesto ~

Stated as a fundamental principle of economics: Identity is the foundation of financial rights.

“In battling poverty in the developing world with affordable financial
services, there is nothing quite as democratizing as the ubiquitous cellphone. Few proponents of economic growth would quibble with the belief that banking is integral to the foundation that society is built on, but a full one billion of the globe’s five billion cellphone owners have no access to financial services. That makes mobile banking the perfect way to bring the unbanked and underbanked into society’s fold… Embracing the financial services ecosystem gives poor people the ability to leverage their existing wealth, to plan for the future better, to save resources and to interact outside of their neighborhood.” [American Banker: Waiting for the Call]

Cryptographically Secure Private Distributed Ledgers will truly become a transformational technology that will exceed all initial expectations. It is possible to create a cryptographically secure shared source of truth where all participants are trusted, privacy is maintained and all participants are instantaneously notified of changes.

All financial services will eventually be transacted through digital credentials on your smartphone. If your financial institution verifies you, everyone in the world will be able to trust your digital credentials. This extension of trust will nearly eliminate fraudulent financial transactions and uplift the Third World by providing secure and efficient financial services for everyone on the planet.

This technology will generate great benefits for all businesses, from startups to multi-national corporations to impoverished villagers in the third world. Cryptographically Secure Private Distributed Ledgers will become the standard format for secure processes/transactions.

These Cryptographically Secure Private Distributed Ledgers will be archived and optimal decisions will be harvested by Artificial Intelligence systems. The impact will be transformative. Some have estimated that the resulting economic efficiencies (by reducing time, costs and risk) will be “measured in trillions of dollars.” Everyone in the world will benefit.

The authentication problem is solved. The future is bright.

Also read behind a paywall at: https://medium.com/@mduffy_48393/webauthn-solving-the-authentication-problem-9407faf7540a

Tags

Join Hacker Noon

Create your free account to unlock your custom reading experience.