A modern person has to remember dozens of logins and passwords to access accounts on different platforms. The stronger the password, the harder it is to remember; and the more unique passwords there are, the higher the probability of forgetting some of them.
Can one break the old paradigm in which the foundation of security, i.e. the password, is the reason for its deterioration? It’s pretty hard to imagine that logins and passwords won’t be required to sign in. Yet, voice authentication and retina scanning seemed pretty sci-fi not so long ago. We might be closer to the era of password security than we think.
Solutions seeking to make things easier by creating a single entry point aren’t new. Those initiatives have probably been inspired by the old Kerberos protocol, which was used to freely roam within a single website or software shell. Decentralized authentication systems like OpenID and Mozilla Persona attempted to extend the principle to several sites and services, yet without any serious success.
Despite support from major brands, the technologies haven’t been widely accepted, and Persona was finally buried in late 2016.
Phishing was considered a serious vulnerability of such services.
The open authorization protocol OAuth became slightly more popular, as it allowed users to provide third parties with temporary access to their data and to sign in to any online service supporting the protocol using just one well-protected account. Still, OAuth couldn’t provide perfect protection of personal data, and relied too much on a single central account, which, if hacked, could compromise the rest.
Client SSL certificates for browsers, sold by centralized certification entities, are quite reliable in terms of password-free authorization. Still, the solution is quite expensive and time-intensive. There are other possible solutions involving blockchain technology. For instance, NXT authorization tokens are employed to authenticate a user account with a unique signature generated by a private key. Unfortunately, NXT tokens can’t ensure a sufficient level of security as they’re transmitted as a whole, and therefore risk being intercepted.
There is a need for a service ensuring safe and reliable authorization, which brings to mind the emcSSL protocol, positioned as the first decentralized system for management of digital keys. Just like in any other decentralized structure, it’s the users who deal with certification, while the EmerCoin blockchain is used to store hashes of said SSL certificates, thus ensuring UserID uniqueness.
Blockchain technology enhances the security of systems, and scales them up to the global level due to decentralization. Private keys never leave user computers, so no massive leak due to a hack is possible. The system lacks any central server that could be compromised.
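The certificate-hash check described above can be sketched as follows. This is an added example, not emcSSL or Authorizer code: the in-memory `HashLedger`, the SHA-256 fingerprint, the "earliest entry wins" rule and all names are assumptions made for illustration, and the certificates are constructed placeholder bytes.

```python
import hashlib
import hmac

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()  # hash choice is an assumption

class HashLedger:
    """In-memory stand-in for the blockchain record store (hypothetical model)."""
    def __init__(self):
        self._entries = []  # append-only list of (user_id, cert_hash)

    def publish(self, user_id: str, cert_der: bytes) -> None:
        # Anyone may append, as on a public chain; nothing is overwritten.
        self._entries.append((user_id, fingerprint(cert_der)))

    def resolve(self, user_id: str):
        # Assumption: the earliest entry for a UserID is the valid one,
        # so a later claim on the same UserID never displaces the owner.
        for uid, cert_hash in self._entries:
            if uid == user_id:
                return cert_hash
        return None

def check_client_cert(ledger: HashLedger, user_id: str, cert_der: bytes) -> str:
    """Run after the TLS handshake has proven possession of the private key."""
    recorded = ledger.resolve(user_id)
    if recorded is None:
        return "unknown-user"
    if not hmac.compare_digest(recorded, fingerprint(cert_der)):
        return "hash-mismatch"  # self-issued cert reusing someone else's UserID
    return "ok"

# Constructed placeholder bytes standing in for DER-encoded certificates.
ALICE_CERT = b"constructed-cert: UserID=alice-01, key=A"
FORGED_CERT = b"constructed-cert: UserID=alice-01, key=B"

def demo():
    ledger = HashLedger()
    ledger.publish("alice-01", ALICE_CERT)
    ledger.publish("alice-01", FORGED_CERT)  # late claim on a taken UserID
    return [
        check_client_cert(ledger, "alice-01", ALICE_CERT),
        check_client_cert(ledger, "alice-01", FORGED_CERT),
        check_client_cert(ledger, "bob-02", ALICE_CERT),
    ]

if __name__ == "__main__":
    print(demo())
```

Because users issue their own certificates, the UserID inside a certificate proves nothing by itself; the relying site accepts it only when the presented certificate hashes to the value recorded for that UserID.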
The emcSSL system stores personal data on so-called infocards, i.e. encrypted blocks of data on the EmerCoin blockchain. When a user authorizes on a site, it’s he or she who decides which information can be accessed. Such a system protects personal data when users are unwilling to share them, and allows them to enable such access when necessary (for instance, when purchasing online, one won’t have to fill in forms at every site, as the protocol will open access to personal data at the user’s discretion).
Nevertheless, emcSSL is quite difficult to set up, and requires certain professional skills from a user.
Unexpectedly, Hashcoins, a company also known for its cloud mining business, has taken a step toward creating a ‘multipassport’ for a mass audience.
Having used emcSSH to create a simple hierarchy of access to multiple mining servers, Hashcoins says it is working on Authorizer, a service combining the emcSSL protocol with OAuth 2.0 functionality. The common expectation is that the result will feature greater simplicity of setup and higher user-friendliness.
According to the developers, the interface will be a hyperlink button. A user will have to click it to enter the Authorizer website or open a pop-up window, and will get an authorization token. This will hardly look different from Facebook authorization.
The service’s release is scheduled for late January, yet Hashcoins started explaining the product beforehand. The first step is to create a certificate and fill in an infocard either via the Authorizer website, or emcSSL or EmerCoin wallet. The most secure method for advanced users is to generate the certificate individually with scripts.
A newly created certificate can be integrated into any browser. It’s a simple process requiring a one-time entry of the password generated during the certificate’s creation. The password is used to link the certificate to each new browser. Still, physical theft of a protected device with an enabled certificate may have unfortunate consequences. Using Authorizer on mobile devices without reliable protection against unauthorized physical access may be unsafe.
“It’s the password that protects the certificate. You have to enter it just once when adding to the browser. If you carry your laptop or phone by your side, and there are some sensible data therein, you sure have a password or fingerprint authentication activated to protect them from strangers,” says Nikolai Pavlovski, CTO of Hashcoins.
Further usage of the service requires no passwords or checks. To authorize at any website supporting Authorizer, all you have to do is click the authorization button and select the required certificate. The amount of personal data the service receives is at the user’s sole discretion.
As an electronic storage of personal data, Authorizer is way more secure than any centralized solution, yet it requires a higher level of offline security.