The Weakest Link

Oct 18, 2018 | General, Privacy, Security, Technical

It's a Sunday afternoon, and I have just downloaded another app from the endless list of apps that I MUST use, creating yet another username and password. This time, however, the username and password have to be different: different from the other 200 apps I use, each with its own equally varied username and password. Isn't that a familiar scenario?

My options are to reuse the same credentials I have been using to access other applications, or to create another unique credential, which means yet another password to remember in my long list of access credentials. And to make life easier, I consolidate all my passwords into a "secure" document where I store them for easy access. I'm a sitting duck, handing all my user data, assets and credentials out on a platter. And then we wonder how and why we got hacked.

The password has been a ubiquitous part of our lives since we signed up for our first Hotmail, Rediff or Gmail account and went online. It is also our least favourite aspect of our modern, connected lives. Most passwords today are built around aspects of our lives, such as our birthdays, our pets' names or the number of siblings our parents have.

Passwords add a level of familiarity to the alien web and the plethora of new applications emerging every day, but this very same familiarity acts like a double-edged sword and leaves us in a space where we are vulnerable and open to exploits.

Passwords, whether in an enterprise or a personal environment, are (as any security expert will tell you) the bane of our existence – and have been for more than a decade, ever since it became easier for hackers to break into computers over the internet than to literally lay their hands on our systems. According to Verizon's annual Data Breach Investigations Report, 81% of data breaches now leverage weak or stolen passwords. A mere 8% involved physical interaction with hardware.

After more than a decade of fighting a losing battle to safeguard personal and corporate data with secure passwords, technology providers may finally be on the cusp of brokering a truce – and making the enterprise more secure – by eliminating passwords altogether.

Proper password hygiene, of course, demands long, hard-to-guess passwords that are changed often. As the password cat-and-mouse game makes abundantly clear, users today want the opposite: quick and easy access, with simple passwords that never change.

Technology giants such as Google and Microsoft are already testing alternatives to passwords, in a move that could do away with complicated logins forever.

It is hard to believe that a solution created some sixty years ago is still the primary method used to protect our identity and digital assets. Fortunately, there is a better way, and we are starting to experience what Gartner called the “third-wave” of authentication. The first wave is the password, the second wave is the token used primarily as a secondary form of authentication (2FA, MFA), and the third-wave is what Gartner refers to as “recognition technologies”, and we all know what those are – BIOMETRICS.

Since we are not big fans of storing user data, and we do not support applications that do, we resorted to using cryptography as our primary authentication mechanism. Although cryptography is an ancient science, the advent of blockchain has clearly brought the subject into the mainstream, and it is now in the spotlight, with secure public ecosystems being built on the foundations of this esoteric science.

Hypersign creates and secures user access based on cryptographic functions. The application is a single sign-on solution that allows users to securely log in to a blockchain, as well as to regular web-based applications, with one asymmetric key pair (private and public). Users can securely log in to applications without using a username and password. Additionally, HyperSign also allows users to sign transactions (using the HyperSign mobile app) and broadcast them (using the HyperSign custom web3 provider embedded in the HyperSign SDK) to a blockchain network.

By using a cryptographic function as the basis of the login mechanism we are able to totally eliminate the use of passwords or storing any other user data for that matter, perfect for applications looking at GDPR compliance.

A few other benefits are:

  • There are no passwords for people to try to remember (or succeed in forgetting).
  • Passwords cannot be given away or stolen.
  • Use of content can be controlled (printing, expiry, etc.), not just access to content.
  • Content can be encrypted as part of the overall system rather than requiring separate processes and applications, and the difficulties of managing them.
  • Revocation of access can stop use of previously stored or cached pages, rather than being limited to new information being downloaded.

Hypersign is a cryptography-based single sign-on solution that enables users to securely access applications without providing access credentials. The application further enables a user to securely sign transactions in decentralized environments; the Hypersign SDK allows easy authentication to the Ethereum network.

It is essentially a deterministic wallet that is BIP32/39/44 compliant. The wallet creates a 12 to 24 word mnemonic and uses those words to deterministically generate a 512-bit seed, which is in turn used to derive the BIP32 master key, which is further used to derive child keys in the manner specified by BIP44.
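The derivation chain described above (BIP39 mnemonic to 512-bit seed, BIP32 master key, BIP44 child keys), as an added standard-library-only example written for this article; it is not Hypersign's own code. The Ethereum path `m/44'/60'/0'/0/0` and the hardened/normal split are BIP44 and BIP32 conventions; the tiny secp256k1 arithmetic is included only because non-hardened child derivation needs the parent public key.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 parameters (needed only for non-hardened child derivation)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def pubkey(priv):  # compressed SEC1 encoding of priv * G (double-and-add)
    r, q = None, G
    while priv:
        if priv & 1:
            r = _add(r, q)
        q, priv = _add(q, q), priv >> 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")

def bip39_seed(mnemonic, passphrase=""):
    # BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase
    norm = lambda s: unicodedata.normalize("NFKD", s).encode()
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic),
                               norm("mnemonic" + passphrase), 2048)

def bip32_master(seed):
    # BIP32: HMAC-SHA512 keyed with "Bitcoin seed" -> (master private key, chain code)
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def ckd_priv(k, chain, index):
    # Hardened children (index >= 2^31) MAC the private key; normal ones MAC the public key
    data = b"\x00" + k.to_bytes(32, "big") if index >= 2**31 else pubkey(k)
    i = hmac.new(chain, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + k) % N, i[32:]

def derive(seed, path="m/44'/60'/0'/0/0"):
    # Walk a BIP44 path from the master key; an apostrophe marks a hardened level
    k, chain = bip32_master(seed)
    for level in path.split("/")[1:]:
        index = int(level.rstrip("'")) + (2**31 if level.endswith("'") else 0)
        k, chain = ckd_priv(k, chain, index)
    return k
```

The private key returned by `derive` never leaves the device in a Hypersign-style login; only signatures made with it are sent to the application.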