Over the past month, I’ve been holidaying with my family in Germany and Denmark. My wife, Britta, comes from a small farming community in the north of Germany near Hamburg and every couple of years we drop in to visit her family and friends.
I’ve travelled to Germany six times in the last twelve years and each time I offer to clean up her parent’s computer, do updates, install patches and this trip, added additional memory to their iMac. I find it’s the simplest way to keep the Skype communication channels open for weekly calls and serves as a thank you for allowing us to live in their house and eat their food!
It’s fair to say my in-laws are not the most computer savvy and have little interest in using the computer for anything other than Skype. The mac gets used once or twice a week at the absolute most, it’s sole purpose is to be a video phone so by the time we visit, updates are long overdue.
Over the last 12 years, each time I’ve performed an upgrade or installed a new version of Apple OS, we battled with locked accounts or forgotten passwords. This got me thinking… has nothing changed in the last decade? Managing passwords is still tricky, time-consuming and insecure, especially for your day to day end user!
I’m sure most people in technology have experienced this phenomenon when helping out family or friends. You go to your parents place thinking there’ll be an easy fix, only to spend the next two days resetting an account and proving their identity. Attackers have improved their capabilities in the last ten years, stealing passwords with relative ease, taking peoples accounts and credit card numbers. Head to your favourite IT news site, and you’ll find a new article about the latest breach, it’s almost a daily occurrence.
I started thinking about my situation. What do I do, what’s my process? It’s certainly not perfect but here it is anyway.
- I use a password database and set random passwords for all sites I visit. I rotate my primary password a few times per year.
- Use Multi-Factor Authentication for everything that supports it. Easy to set up (in most cases), difficult when buying a new phone.
- I store a backup of my database in an encrypted file offline. Just in case, you never know when a software service might stop working or disappear.
- I keep database backup codes in a safe location; you can never be too sure
- Commit the most critical passwords to memory and never store them digitally
I’m sure you have similar strategies, but I think everyone can agree, managing and storing passwords is a lot of work, and if you’re like my in-laws you don’t have the knowledge or interest. If you’re an enterprise, you spend substantial amounts of money on this problem every day, and it’s a considerable cost to the business.
So is there an answer to the problem? Or are we stuck with passwords forever? In my previous post, I suggested that blockchain and the cryptographic technologies may be used to render passwords obsolete. Numerous startups are looking to solve this problem, for example, Civic and Remme, just to name a couple.
The question here is why use Blockchain or a decentralised system over something centralised like a certificate authority? Certainly, digital certificates can negate the need for passwords; however, it’s still a requirement to trust the authority. What if it gets compromised or sells your credentials? If they are large enough, they will be a target for attack, look at the companies and governments that trusted Equifax with their users’ data.
I like the idea of using a decentralised blockchain solution for just that reason. A single organisation does not control it, compromising a node doesn’t compromise the entire network, and if you control the keys, you control the account.
Anyone who has used or even played with blockchain technology such as Ethereum (ETH) or EOSIO would note the current difficulty and learning curve associated with the technology. I agree, key pairs are not intuitive to use, however, just like email or the browser was foreign in 1996, usability improves over time, allowing anyone to get involved.
Take the EOSIO chain as an example, the network launched in June 2018 with a CLI wallet, no simple user interface or block explorers. In around three months, the ecosystem has developed, the community stepped in to build some incredible solutions for people with low technical literacy or care factor. The pace of change is accelerating and will only keep improving, eventually making the system user-friendly enough for the mainstream.
Today’s blockchain technologies use cryptographic keys which the user must understand and maintain themselves. In the future, blockchains will provide user-friendly account names, automatic key creation and storage with integration into a smartphone. Users will not realise they are using a Blockchain, just as most don’t understand anything about the base layer protocols of the Internet. My in-laws do not know TCP/IP or RTSP. This knowledge is not required to use Skype or WhatsApp. They call by clicking a picture and answer when it rings.
A raft of new applications or “dApps” is currently in development, using the blockchain at the base protocol layer. If you’re an ETH account holder, you can interact with the dApps built on ETH via tools such as MetaMask, a browser plugin. The same is true for EOSIO, create your account then interact with the dApps using Scatter and your account name. For those in Enterprise familiar with single sign-on, the concept is similar, except you don’t own the user. The user comes to your dApp and consumes the product, or in the case of EOSIO you can assist to onboard them to the network, but you never see their new private key as it’s generated by their local device.
At no point is a password exchanged between the user and the dApp. The user interacts by sending transactions, which are messages signed by the users private key by an app such as Scatter or MetaMask. The network is aware of the users public key so can easily distinguish between real or fraudulent transactions, it can then determine if a transaction is valid based on the network rules and it’s consensus mechanism. The security is built into the protocol and is not an afterthought or an add-on! In the case of EOSIO, there are additional options around permissions, time delay and staking available to improve the overall security and enable features such as account recovery.
I look forward to the day where my password database is reduced to handful of keys, secured by a hardware device, most likely my phone with faceID or another form of physical biometric security. The time is approaching, and I hope it comes quick! After all these years, we need to make the password obsolete.
Thanks for reading!
In future posts, I plan to dive into some of the services that are operating on the blockchain and demonstrate how Scatter can be used to access multiple products with a single account.
Until next time.