To log on to a website today, users must remember usernames and passwords: complex, ever-changing strings of letters and numerals.
But it is worth asking why this process is necessary at all. After all, most websites only want to verify that there is a real person behind the keyboard, and sometimes that that person is who they claim to be.
For 20 years now we have been told that usernames and passwords are a thing of the past and that there are better methods to verify a real person. Yet we are still using passwords and not those better methods – because the human being is lazy by nature.
Passwords are problematic for many reasons:
- Passwords are too easy to guess (e.g.: password123, or a name, date of birth, etc.)
- Passwords can be obtained via a brute force attack (dictionary based)
- They can be compromised centrally
- Strong passwords are invariably written down, etc. to provide a reminder
- Passwords can be forgotten, and resetting them costs hours of working time (and therefore money).
- Someone connected to your network might intercept your password as you log in, using network tools that monitor the local Wi-Fi hotspot.
- Someone physically near you may observe you entering your password while you type
- They can be reused across multiple systems, resulting in a higher chance of being compromised.
Many good new technologies have been developed during those 20 years. But they all had drawbacks: they were uncomfortable, untrusted or user-unfriendly, or simply limited to a specific platform.
To put it in other words: the password has survived many attempts to kill it off.
Now, with blockchain technology, usernames and passwords can finally become obsolete, as blockchain identity management could replace passwords and fix many hacking problems. It uses distributed ledger technology as the foundation for a decentralized, trusted identity. It can act as a decentralized counterpart to existing identity products like Facebook Connect; the difference is that users can prove their uniqueness – without sharing that information with a website.
A unified decentralized identity ecosystem requires addressing a set of fundamental user needs and technical challenges:
- Enabling registration of self-sovereign identifiers that no provider owns or controls.
- The ability to lookup and validate identifiers and data across decentralized systems.
- Providing a mechanism for users to securely store sensitive identity data, and enabling them to precisely control what is shared with others.
- Allowing a decentralized ring of trust whereby other trusted identities can increase the trust in new identities.
- Gateways to existing identity providers.
- Bounty system
In our system you register your identity ONLY with your browser (be it on your desktop machine or mobile device) by leveraging blockchain-linked private keys without ever transmitting any data to a 3rd party. Your browser will host the secure wallet for ultimate portability.
With that browser based wallet you could digitally sign an identity ticket which is then confirmed with a cross signature by other trusted identities (attestation service). This identity ticket can then be used to logon and authenticate to any 3rd party service without having to use a username and password and without revealing any personal data. We demonstrate that with our Aloaha e-Forms Server HERE.
The integration into any existing service is extremely easy, as it requires only the validation of various digital signatures.
How does it work?
- The website refers the web session to the Attestation Server. For example: http://demo.chain-provider.com/logon.aspx
- The user types in the local browser wallet's password to temporarily unlock their private key (neither the password nor the key ever leaves the browser).
- If the local wallet has never been used before, the user first enters their Mnemonic Phrase (private key) and a secure password. More details HERE.
- The browser wallet signs the referer nonce, the attestation nonce, the current date and time and some further unique parameters.
- The Attestation Service validates all signatures and adds its own signature, date, time, etc.
- The web session is referred back to the original website, carrying the blockchain ID and the signatures in case the website wants to check them again.
- The user is authenticated without using any username or password.
Ideally every service provider, website, etc. will run its own Attestation Service to increase the level of trust. Obviously we would be more than happy to supply you with our Attestation Server.