Passwords are one of the most popular methods of user authentication. Programs, websites, services, banks and even government organizations use them to grant access to their systems. But are passwords really reliable?
Vulnerability by default
The history of passwords goes back more than 55 years. The need for them first arose in the 1960s. Computers were just beginning their journey into our lives; they were very expensive and used mainly in educational and research institutions, while the number of curious minds who wanted to try the new machines was enormous. To share computing time between them, a password system was invented: one could get access to the system only after entering a password, and the system controlled who could use the computer and for how long. The first password theft followed almost immediately. In 1962, an MIT graduate student who was unhappy with the rules stole the passwords and used other people's quotas.
Today, when computers are connected to the worldwide network, many other threats have appeared. It is no longer only someone you know who can learn your password; anyone who wants access to your data can try to obtain it. Moreover, the services we use store our passwords, and we cannot fully trust the device we use, the network connection or even the server. Server break-ins have repeatedly served as a tool for stealing the passwords of millions of users; one example is the breach of the US Office of Personnel Management (OPM) employee database, which gave cybercriminals access to the data of 22.1 million people, including employees, their families and relatives. Such examples are countless.
Such massive compromises of user accounts tarnish the reputation of organizations and companies, and both site owners and users can suffer severe financial losses.
Obsolete system – increased risks
Password authentication is obsolete and fails to meet the requirements of the modern world. It was adequate for a single-user PC, but not for online systems.
When a user presents a password, she reveals the whole secret. That is not a problem on a trusted device, but today hardly any device can be called trusted. Whoever intercepts the password, on the device, on the wire or through a phishing page, can simply replay it and gets full access to the account.
Several methods are used to mitigate the problem. Services often require a password of at least a certain length that mixes characters of different types and letters of both cases, and from time to time they remind you to change an old one. None of this changes the underlying weakness: the password is still presented in full at every login. And do not forget that a single user has to come up with dozens, or even hundreds, of such passwords for different sites, which are impossible to remember.
Centralized storage of accounts is another crucial vulnerability of most modern systems. Besides the UserID, which is of little value on its own, such databases store other data, including password hashes, which can be attacked offline to recover the passwords; weak and reused passwords fall first.
Centralized storage is one of the main reasons for mass data theft. Only a new architecture can solve the problem: it should not disclose the user's secret to the server during authentication, nor should it rely on centralized account storage. And the less the server stores, the better. The best option is for the server to store only the user ID.
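To make the risk of a leaked hash table concrete, here is an added example in Go (not code from this article or from Emercoin): a dictionary attack against a constructed four-row dump, once stored as unsalted SHA-256 and once with a random salt per user. The user IDs, passwords and wordlist are made up for the example. A reverse-lookup table lets one hash per candidate cover every unsalted row at once, and users who share a password fall together; salting forces one hash per candidate per row, but weak passwords still fall.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// LeakedRow models one row of a breached account table. The UserID alone is of
// little value; the password hash beside it is an offline attack target.
type LeakedRow struct {
	UserID string
	Salt   []byte // nil for an unsalted table
	Hash   string // hex SHA-256 of salt||password
}

func hashPassword(salt []byte, password string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return hex.EncodeToString(h.Sum(nil))
}

// ConstructedDump builds a stand-in for a leaked table (constructed sample data,
// not from any real breach). With salted set, every row gets its own random salt.
func ConstructedDump(salted bool) []LeakedRow {
	users := map[string]string{
		"u1001": "password123",
		"u1002": "letmein",
		"u1003": "password123",    // same weak password as u1001
		"u1004": "G7#kq!v9Zr^2pL", // not in any small wordlist
	}
	rows := make([]LeakedRow, 0, len(users))
	for uid, pw := range users {
		var salt []byte
		if salted {
			salt = make([]byte, 16)
			if _, err := rand.Read(salt); err != nil {
				panic(err)
			}
		}
		rows = append(rows, LeakedRow{UserID: uid, Salt: salt, Hash: hashPassword(salt, pw)})
	}
	return rows
}

// Wordlist is a tiny constructed dictionary; real attacks use hundreds of millions of entries.
var Wordlist = []string{"123456", "password", "letmein", "qwerty", "password123", "admin"}

// Crack runs a dictionary attack over the dump. It returns userID -> recovered
// password and the number of hash computations spent. Unsalted rows are attacked
// through a reverse-lookup table, so one hash per candidate covers the whole
// dump and users sharing a password fall together; salted rows cost one hash per
// candidate per row.
func Crack(rows []LeakedRow, dict []string) (map[string]string, int) {
	found := map[string]string{}
	byHash := map[string][]string{} // unsalted hash -> users with that hash
	var salted []LeakedRow
	for _, r := range rows {
		if r.Salt == nil {
			byHash[r.Hash] = append(byHash[r.Hash], r.UserID)
		} else {
			salted = append(salted, r)
		}
	}
	work := 0
	for _, cand := range dict {
		if len(byHash) > 0 {
			work++
			for _, uid := range byHash[hashPassword(nil, cand)] {
				found[uid] = cand
			}
		}
		for _, r := range salted {
			work++
			if hashPassword(r.Salt, cand) == r.Hash {
				found[r.UserID] = cand
			}
		}
	}
	return found, work
}

func main() {
	for _, salted := range []bool{false, true} {
		found, work := Crack(ConstructedDump(salted), Wordlist)
		fmt.Printf("salted=%-5v recovered %d of 4 accounts with %d hash computations\n", salted, len(found), work)
	}
}
```

Run with `go run`. Three of the four accounts fall in both cases; salting only multiplies the attacker's work by the number of rows, and a slow hash (scrypt, Argon2) multiplies it again per guess, but neither protects a weak password once the table has leaked. That is why the argument above is for the server to hold no secret at all rather than a better-protected one.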
Client SSL certificates offer a partial solution. But purchasing such certificates is not only expensive; their issuance is also centralized, and if the issuing authority is compromised, all of its users are compromised at once. Such break-ins are rarer than website hacks, but they happen, and the DigiNotar case is a dramatic confirmation.
Blockchain decentralization in EmerSSL
With the advent of cryptocurrency and blockchain, we get a fundamentally new way of protecting data: trust that depends on no single authority can be used to build a new authentication architecture. Emercoin did just that.
The client SSL certificate system successfully solves the problem of full disclosure of the secret, since the private key never leaves the user's machine during the TLS handshake, but its chief shortcoming is that it is hard to scale. As a result, it is not very popular.
EmerSSL completely changes the notion of such systems. With it, users themselves issue their certificates; there is no single certification authority. The Emercoin blockchain serves as a public trusted store of SSL certificate hashes and also assigns each user a unique number, the user ID. There is no central store of secrets whose breach would compromise everyone at once. Certificates are generated on users' computers and never leave them. Whether the "pass" works depends neither on a certifier nor on the site, but only on the user.
If you need increased security, EmerSSL can be used as one factor in two-factor authentication: the EmerSSL certificate authenticates the device and establishes a secure connection with the server, and the password authenticates the user. If a certificate is compromised, the user can easily revoke it.
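The flow described above, as an added example in Go. It is not EmerSSL's code: the record layout (key `ssl:<uid>`, value `sha256=<hex>`, in an in-memory map that stands in for the Emercoin name-value store) and the signed-challenge step are this example's assumptions, not the project's specification. The user generates a self-signed certificate locally and publishes only its SHA-256 hash; the server keeps nothing but the UID, checks the presented certificate against the published hash, and verifies a signed challenge with the public key carried in that certificate. Revocation is simply removing the record.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NVS stands in for the Emercoin name-value store. The record layout is this example's
// assumption, not EmerSSL's format: key "ssl:<uid>", value "sha256=<hex of the cert DER>".
type NVS map[string]string

// Client is the user side: the key pair and certificate are generated locally and the key never leaves.
type Client struct {
	UID  string
	Cert []byte // DER-encoded, self-signed
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewClient generates the key pair and a self-signed client certificate for uid.
func NewClient(uid string) *Client {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: uid},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Client{UID: uid, Cert: der, key: key}
}

func certHash(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Sign answers a server challenge: proof of possession, while the private key stays put.
func (c *Client) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, h[:])
}

// Authenticate is the server side. It keeps nothing about the user but the UID: the presented
// certificate must hash to the public record, and the signature must verify under its public key.
func Authenticate(nvs NVS, uid string, certDER, challenge, sig []byte) error {
	if nvs["ssl:"+uid] != "sha256="+certHash(certDER) {
		return errors.New("certificate does not match the record for this uid (unpublished, revoked or forged)")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported key type")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("challenge signature invalid")
	}
	return nil
}

// Demo runs a valid login, a login with a forged certificate, and a login after revocation.
func Demo() (loginOK, forgedRejected, revokedRejected bool) {
	nvs := NVS{}
	alice := NewClient("alice")
	nvs["ssl:alice"] = "sha256=" + certHash(alice.Cert) // the user publishes the hash; no CA takes part
	challenge := make([]byte, 32)                       // fresh per login, so a captured signature cannot be replayed
	must(rand.Read(challenge))
	sig := must(alice.Sign(challenge))
	loginOK = Authenticate(nvs, "alice", alice.Cert, challenge, sig) == nil
	forged := append([]byte{alice.Cert[0] ^ 1}, alice.Cert[1:]...) // any other certificate under Alice's UID
	forgedRejected = Authenticate(nvs, "alice", forged, challenge, sig) != nil
	delete(nvs, "ssl:alice") // revocation: the user removes (or replaces) the record
	revokedRejected = Authenticate(nvs, "alice", alice.Cert, challenge, sig) != nil
	return
}

func main() {
	ok, forged, revoked := Demo()
	fmt.Println("login ok:", ok, "forged rejected:", forged, "revoked rejected:", revoked)
}
```

Two things worth noticing: the hash check runs before the certificate is even parsed, so a server that trusts the public record never has to trust a certifier, and nothing the server stores or sees on the wire (UID, certificate, signed challenge) can be replayed to log in elsewhere, because the challenge is fresh and the private key is never transmitted. In a real deployment the signed-challenge step is the TLS client-authentication handshake itself rather than application code.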
EmerSSL also works well together with the InfoCard system. An InfoCard contains all the information about the user that he wants to store on the blockchain. When you log in with an EmerSSL certificate, the certificate carries a link to the card and the key to decrypt it. The server extracts the information it needs, for example the name and delivery address, and after the purchase "forgets" the contents of the card. The server stores only the user ID, which is of little value without the other data.
InfoCard improves the usability of services. A user does not need to enter personal information by hand to register an account, which saves time and reduces the likelihood of typos. When the data changes, there is no need to update it on every service; it is enough to update the InfoCard.
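The server-side handling described in the last two paragraphs, as an added example in Go (not code from InfoCard, EmerSSL or Emercoin). The card encryption (AES-256-GCM over a JSON document), the in-memory store standing in for the public records, and the `InfoCardRef` struct standing in for whatever the certificate actually carries are assumptions of this example, and the card contents are constructed. The server decrypts the card, copies out only the name and address, and retains only the UID; updating the card once under the same key makes the change visible to every service at its next login.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// InfoCardRef is the assumed shape of what the certificate carries: a locator and the card's key.
type InfoCardRef struct {
	Link string // where the encrypted card lives
	Key  []byte // 32-byte AES-256-GCM key
}

type CardStore map[string][]byte // stands in for the public records holding encrypted cards

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("card record too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil) // fails on wrong key or tampering
}

// PublishCard is the user side: encrypt the card under a fresh key and return the reference for the certificate.
func PublishCard(store CardStore, link string, fields map[string]string) (InfoCardRef, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return InfoCardRef{}, err
	}
	ref := InfoCardRef{Link: link, Key: key}
	return ref, UpdateCard(store, ref, fields)
}

// UpdateCard re-encrypts under the same key, so every service holding the reference sees the new data next login.
func UpdateCard(store CardStore, ref InfoCardRef, fields map[string]string) error {
	plain, err := json.Marshal(fields)
	if err != nil {
		return err
	}
	blob, err := seal(ref.Key, plain)
	if err != nil {
		return err
	}
	store[ref.Link] = blob
	return nil
}

// Checkout is the server side: decrypt the card, take only what the shipment needs, keep only the UID.
func Checkout(store CardStore, uid string, ref InfoCardRef) (shipTo map[string]string, retainedUID string, err error) {
	blob, ok := store[ref.Link]
	if !ok {
		return nil, "", errors.New("card not found")
	}
	plain, err := unseal(ref.Key, blob)
	if err != nil {
		return nil, "", err
	}
	var card map[string]string
	if err := json.Unmarshal(plain, &card); err != nil {
		return nil, "", err
	}
	shipTo = map[string]string{"name": card["name"], "address": card["address"]}
	if shipTo["name"] == "" || shipTo["address"] == "" {
		return nil, "", errors.New("card lacks name or address")
	}
	return shipTo, uid, nil // card contents go out of scope here; the server records only uid
}

func main() {
	store := CardStore{}
	ref, err := PublishCard(store, "card:alice", map[string]string{"name": "Alice Example", "address": "1 Example St", "phone": "+1 555 0100"})
	if err != nil {
		panic(err)
	}
	fmt.Println(Checkout(store, "alice", ref)) // the phone number never reaches the order record
}
```

The authenticated encryption matters here: a modified record, or a reference with the wrong key, fails outright instead of yielding garbage, so the server cannot be fed a fake delivery address by anyone who cannot produce a valid card.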
Summing up, EmerSSL solves several problems at once. The user's secret is never disclosed, so neither the network nor the server has to be trusted with it, and there is no centralized certificate store to breach. Combined with InfoCard, you get a system that protects personal data and provides passwordless authentication. It is already used by several services, including Authorizer, HashCoins' data center and data management system and a large passwordless authorization system by Remme, and will soon be used by Hashing24, a cloud-mining company, to protect user accounts.