EOS’ Block.one Looks To Eliminate Passwords, Advocates For Better Authentication Via Pass Manager
Block.one Wants To Eliminate Passwords, Believes Better Authentication Is Possible
The Cayman Islands is known around the world for two things: it is a financial center and, along with that, a well-known place for money laundering. Well, there is a company based in the Cayman Islands that is using its privacy laws for something else – creating secure, open source software and protocols for the EOS blockchain. The company has said that present authentication processes suffer from the “Hearsay Problem.”
All The Problems With Current Authentication Can Be Solved
The company released a blog post detailing what it meant when referring to the Hearsay Problem. They defined it as “any information received from one party about the statements or actions of a second party that cannot be adequately substantiated.” The company went on to say that any current method of authentication would qualify as hearsay if anyone in the system (authenticator or user) were to call the validity of the information into question.
It's a problem of verification. A log can contain all actions done by a user, but the user may be able to claim that they were done without their express permission. This is called repudiability. Security measures such as passwords are prone to repudiability because it is impossible to verify that each action undertaken by a user was in fact done by the user that entered the password to start the information sharing session. This brings us to The Blank Check Problem.
As the name suggests, The Blank Check problem lies in a system that is able to take action on behalf of a user without the express permission of the user. So while you can log in to your internet banking with a password, that is just express permission to allow your browser to access your account on a bank's server. Every action taken after that has implied permission, and anyone who gained access to your password would have a “blank check” to do as they pleased on your account.
The blog post goes on to mention that this is the same for any method of capturing a user's consent that does not explicitly show a log of proof that a user is fully aware of the implication of each action. Then, a user would have to give explicit permission on the understanding that they know exactly what reaction that particular action would entail.
They go on to say that, technically speaking, there is nothing stopping a bank from blocking or liquidating funds from your account. The bank could simply falsify records using the same technologies that currently keep you safe. There is a good reason this does not happen. It would ruin the trust that banks have built up over the years with their customers. However, it is technically possible.
Pass Manager Is The Ultimate Solution
Block.one believes that Pass Manager is the ultimate solution, currently, to these problems. They say that it could be implemented using a variety of technologies working together to provide the best in security and usability. These would include items such as cryptographic signing, biometrics and hardware keys. All of that would run on a transport-agnostic protocol so that it would be usable on a variety of different systems.
To show how this would work, we can refer to the banking example that we referenced earlier. Any action taken within the theoretical Pass Manager enabled system would require the system to send you an explanation in two forms: one that is readable by humans, such as “This action will result in payment of XYZ Ltd”, and another in a computer language that is cryptographically verifiable. Your response via the Pass Manager would show that you have given explicit consent for that particular action to be approved through a combination of hardware keys and biometrics unique to you.
Another example would be sales calls or spam calls. The risk of getting scammed would be drastically lowered. If the transaction does not match the agreed upon terms, which are signed cryptographically and verifiable by a third party, then the transaction can be easily nullified. This kind of system, says Block.one, solves both problems talked about earlier. The Blank Check and the Hearsay problem are rendered null and void using a system such as Pass Manager.
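The per-action approval and third-party check described above can be sketched in a few lines of Go. This is an added example, not Block.one's code or protocol: the message fields, the nonce, the use of Ed25519 and the software key standing in for a hardware key and biometrics are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ConsentRequest is what the service sends for ONE action (field names are assumptions).
type ConsentRequest struct {
	Human   string `json:"human"`   // text shown to the user
	Machine string `json:"machine"` // machine-readable form of the same action
	Nonce   string `json:"nonce"`   // unique per request, so an old approval cannot be reused
}

// NewKey creates the user's key pair; a software key stands in for a hardware key here.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// digest binds both forms and the nonce into the single value that gets signed.
func digest(r ConsentRequest) []byte {
	b, _ := json.Marshal(r) // struct fields encode in declaration order, so this is deterministic
	sum := sha256.Sum256(b)
	return sum[:]
}

// Approve is the user's explicit consent to exactly this request.
func Approve(priv ed25519.PrivateKey, r ConsentRequest) []byte {
	return ed25519.Sign(priv, digest(r))
}

// Verify lets any third party holding the public key check what was actually approved.
func Verify(pub ed25519.PublicKey, executed ConsentRequest, sig []byte) bool {
	return ed25519.Verify(pub, digest(executed), sig)
}

func main() {
	pub, priv := NewKey()
	req := ConsentRequest{"This action will result in payment of XYZ Ltd", `{"op":"pay","to":"XYZ Ltd"}`, "n-001"} // constructed sample
	sig := Approve(priv, req)
	changed := req
	changed.Machine = `{"op":"pay","to":"Someone Else"}` // service executes a different action
	fmt.Println(Verify(pub, req, sig), Verify(pub, changed, sig)) // true false
}
```

Because the signature covers one request rather than a login session, a stolen approval authorizes nothing else, and a record that does not verify against the user's public key cannot be attributed to them.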
The system is such that you do not need to remember a password, which is great from an authentication and authorization point of view. Passwords can be both forgotten and stolen, not to mention succumbing to the inherent problems discussed earlier. This way, all of that is bypassed.