Breach dumps are circulating for 33 million Twitter accounts, 165 million LinkedIn accounts, 6.5 million Tumblr accounts, 171 million VK.com accounts, 127 million Badoo accounts and 360 million MySpace accounts. In total, more than a billion personal accounts have been stolen and sold openly on the Internet. In this era of wholesale password theft, getting hold of a user's everyday password is easy, easier than running a phishing site, writing malware or exploiting a vulnerability. Credential-checking tools that take a leaked email and password pair and find the other websites where it still works are freely available, which is why attackers increasingly take over accounts by guessing or stealing passwords rather than by breaking the application. According to Verizon's Data Breach Investigations Report, 76% of network intrusions in 2013 exploited weak or stolen credentials, and by the 2015 report the figure for web application attacks had reached 95%.

An attacker only needs the weakest point, and that point is the simple password. Companies spend a great deal of money building high-quality, well-secured systems, and all of that effort is undone by customers who choose passwords such as "12345". That is presumably why a breach costs around $201 per compromised user record, and why Juniper Research expects losses from cybercrime to reach $2.1 trillion in 2019, almost four times the 2015 figure. No matter how patiently security experts explain the rules for creating a strong account password, they cannot defeat human nature, which is to use short, memorable passwords. There are many partial remedies for password cracking, for example password managers such as 1Password and LastPass, which store the customer's passwords behind a single master password, but these are incremental improvements on the conventional scheme and do not remove its root cause. Many programs, browsers above all, offer to "remember the password" so that the next login is automatic, and that in itself is unsafe.
Anyone who gets to your computer can use that automatic login, so the password is effectively stolen along with the machine. The deeper problem is that the database of user names and passwords is centralized: everything is stored on one server, and every login is checked against the user name and password recorded there. Some users, website administrators for instance, do choose far more complex passwords than ordinary users, but that only makes those accounts a more tempting target and pushes attackers to spend more effort on the password server itself, or to hunt for files or pieces of paper on which such passwords are written down. This is why a second layer was invented to protect the most important accounts: two-factor authentication. With Google Authenticator, for example, the user must copy a verification code from the phone into the computer before logging in, and the code changes every 30 seconds. Even this is not fully secure: if the computer is already under the attacker's control before the code is typed, the attacker gets the session anyway. And in terms of convenience, users will not type a code on every login unless the account is very important or rarely used. Another common second factor is a verification code delivered by text message. That raises the cost of sending the messages, and the intelligence agencies of authoritarian governments such as Russia have a long history of intercepting text messages. I would also mention Clef, which provides a service that mitigates the security issues described above, but it cannot be used on mobile devices.
Hardware tokens such as USB shields and similar devices are convenient inside a company, but they are impractical for a mass audience of consumers on smartphones. That is the current state of affairs, and the point I want to make is that although the necessary software and hardware now exist, there is still no identity authentication scheme that is convenient, easy to use and secure enough. Fortunately, we have the blockchain. A distributed, decentralized database removes the single centralized server that is so easily hacked, and it is built on asymmetric cryptography with 256-bit private keys, which can be regarded as super-secure passwords. A key that long is impossible for an ordinary person to memorize, but nobody needs to memorize it: the key is generated in the mobile wallet and stays on the mobile device. We also use SSL certificates to protect the channel against man-in-the-middle attacks. The scheme is to generate an SSL client certificate bound to the customer's email address and phone number and to write the certificate's hash to the blockchain for verification.

How it works: when the client visits the website, the browser prompts the user to present the certificate. When the web server receives the certificate, it first checks the certificate's signature. The server then generates a random number, encrypts it with the public key contained in the certificate and sends it to the client's browser as a one-time connection secret. The browser, which holds the certificate and the matching private key, decrypts the random number and sends it back to the server; the key itself never leaves the client. Finally the server looks the certificate up on the blockchain by its serial number to confirm that this is the certificate registered for the account; together with the correctly decrypted random number, that proves the client holds the right key.
Once the returned value matches, the server confirms that the serial number of the presented certificate is the one recorded at registration. If an attacker generates a certificate with the same serial number as the client's, he cannot register its hash in the blockchain, because that serial number is already taken by the client's certificate, so his certificate fails the lookup. If he generates a certificate with a different serial number, it simply has a different identity, and the server creates a new, separate account for it. Now for usability: the user enters only an email address and a phone number (no password!), a certificate containing this data is generated locally, and the user installs it in the browser. The user then activates the account from a link in a confirmation email and confirms the phone number by sending a message to the service's confirmation bot from that number. Note that this is different from receiving a verification code by SMS: the confirmation message gives the phone its own independent channel for the second factor, so an attacker who has infected the computer gains nothing from it. In this way we log users in without passwords, without a centralized credential server and without a public database of credentials, and we still give customers enough convenience. In daily use there is no need for two-factor authentication (2FA): for most services the browser certificate is safe enough, much like today's widely used "save password" automatic login, but without the risk of a centralized server being breached, without any user password that can leak, and with no "forgot password" flow to maintain. For services that handle sensitive data, 2FA is recommended, and even then it is easy to use: the user just replies "Yes" to the message!
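The registration lookup and the challenge-response exchange described above, as an added worked example in Go. This is not code from the article or from Emercoin; it is written here to show the two checks the scheme relies on. Assumptions the example makes: an in-memory map stands in for the blockchain record of serial number to certificate hash; the client certificate is self-signed, with the email in the CN and the phone number in the OU attribute; the random number is encrypted with RSA-OAEP, since the text does not name the scheme; and the serial is chosen by the caller so that a forged duplicate can be demonstrated. The Registry, Client, Challenge and Login names are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Registry stands in for the on-chain record (assumption: in-memory map, not a blockchain): serial -> certificate hash.
type Registry map[string]string

// CertHash is the value the article says is written to the blockchain: SHA-256 of the DER certificate.
func CertHash(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Register claims a serial number; a second certificate presenting the same serial is refused.
func (r Registry) Register(cert *x509.Certificate) error {
	if _, taken := r[cert.SerialNumber.String()]; taken {
		return errors.New("serial already registered")
	}
	r[cert.SerialNumber.String()] = CertHash(cert)
	return nil
}

type Client struct {
	Cert *x509.Certificate
	key  *rsa.PrivateKey // never leaves the device
}

// NewClient builds the key pair and a self-signed certificate (phone-in-OU and caller-chosen serial are demo assumptions).
func NewClient(email, phone string, serial int64) (*Client, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: email, OrganizationalUnit: []string{phone}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Client{Cert: cert, key: key}, err
}

// Challenge (server side): check the certificate's own signature, then encrypt a fresh 32-byte nonce to its public key.
func Challenge(cert *x509.Certificate) (nonce, ciphertext []byte, err error) {
	if err = cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return nil, nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, nil, errors.New("certificate key is not RSA")
	}
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)
	return nonce, ciphertext, err
}

// Login runs the exchange: the browser must decrypt the nonce (proof of the private key) AND the certificate
// must match the hash on record for its serial, so a forgery reusing a victim's serial is refused.
func Login(reg Registry, c *Client) (string, error) {
	nonce, ct, err := Challenge(c.Cert)
	if err != nil {
		return "", err
	}
	resp, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.key, ct, nil) // browser: returns the nonce, not the key
	serial := c.Cert.SerialNumber.String()
	if err != nil || subtle.ConstantTimeCompare(nonce, resp) != 1 || reg[serial] != CertHash(c.Cert) {
		return "", errors.New("login refused")
	}
	return serial, nil
}

func main() {
	reg := Registry{}
	alice, _ := NewClient("alice@example.com", "+10000000000", 1001)
	fmt.Println(reg.Register(alice.Cert), fmt.Sprint(Login(reg, alice)))
	forged, _ := NewClient("alice@example.com", "+10000000000", 1001) // same serial, different key
	fmt.Println(reg.Register(forged.Cert), fmt.Sprint(Login(reg, forged)))
}
```

Run it and the first line shows Alice registering and logging in as account 1001. The second shows a certificate that reuses her serial with a different key: registration is refused because the serial is taken, and login fails because the hash on record is not the hash of the certificate presented, even though the forger can decrypt a challenge encrypted to his own key. A certificate with an unregistered serial fails the same lookup until it is registered, at which point it is simply a new account. In a real deployment the self-signature check would be followed by a validity-period check, and the serial would be drawn at random rather than chosen.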
The certificate can also be installed on a mobile device (via an SDK), and the operating system will offer its own additional protections: biometrics, a PIN code or a pattern lock. The customer chooses among them, and the important point is that even the simplest of these is safer than what most people use today. At the same time, customers can access their accounts from any device, which prepares the ground for the next big thing, IoT applications. Biometrics and PIN codes on a phone do not match dedicated hardware tokens and USB shields, but they can be made more secure than the passwords in use now. The main features are therefore as follows:
Questions and answers

What happens if you lose a device? Your account is tied to a mobile number and an email address, so you can suspend access to the account through your email until you recover the mobile number; after that the certificate can be reissued. The service works much like a bank: in the most difficult recovery cases it can collect additional data, such as copies of identity documents or a photograph of the customer. Over time, I hope to store complete identity information on the blockchain, in which case the certificate in its physical form will no longer be needed.

Are there any published examples? Identity verification via SSL certificates is already implemented in Emercoin. We are using this concept to add a second level of verification to the MVP, generating the certificate automatically with the installed wallet and without any server deployment. We also plan to deploy the technology on a Bitcoin sidechain to make transfers cheaper if we see demand for it.

How much will it cost? It is free for users. The fees are paid by third-party service providers (banks, exchanges and the like), because they want to reduce their security costs and make their services easier for customers to adopt. There may be cases where the customer bears the cost: a Bitcoin exchange, for example, has a large number of customers but very small revenue per customer, and there a charge of $1 per year should be acceptable. One reason a paid model is needed at all is that creating an account on the blockchain requires a transaction, and certificates must also be reissued from time to time, for example after a device is damaged.

I'd love to hear public opinions on this solution: for example, is it hard for an inexperienced user to download the certificate? (It is downloaded and installed like any program.) Do you see any vulnerabilities?
Would you use such a technology, as a service provider or as a user?