In partnership with SingleID, an aggregator of personal identity information, NokNok is in an ideal position to capture the web authentication market
Authentication, the process of establishing the identity of a user, is a key component of granting access to systems
Since its inception, web applications have relied on the maintenance of a username and password for authentication -- a mechanism both insecure and cumbersome. As websites proliferated, amassing large quantities of PII, the security risks of managing this information escalated beyond control, culminating in spectacular hacks and breaches of financial systems that have led to large monetary losses and the breakdown of confidence
With the advent of asymmetric-key cryptography, solutions like SSL envelopes have advanced the security of data transmission, but storage remains a problem, as does the espionage made possible by the use of secrets
This paper proposes a protocol for authentication that is both secure and significantly friendlier than what is currently in place
The first problem with the current paradigm lies with the use of secrets. Supplying an identity (username) to a system isn't secure as anyone may guess it with some knowledge of the user, therefore an accompanying secret that only the user knows must also be transmitted. However, this implies a number of issues:
- that the same secret isn't used across domains (websites/systems)
- that the secret be complex enough to prevent brute-force attacks
- that the information will realistically be beyond the ability of most users to commit to memory
- that secrets must be transmitted securely
- that recipients must be trusted with the secret
- that recipients are competent to store the secret securely
None of which have practical solutions
The problem may, however, be solved using elliptic-curve cryptography (ECC), which eliminates the need to have secrets to begin with. Using ECC, we can produce a private-public keypair used to sign messages that systems can verify for granting access
In our estimation the market for such a solution is gigantic, and predatory upon existing systems. Allowing users to have a single ID to access services on the web and other systems will not only simplify everyone's life but restore confidence in our infrastructure. Additionally, as the Vow wallet already contains a PPK, is designed for mobile platforms (the already well established venue for 2FA), and introduces a new payment rail, it seems only natural that it become the centerpiece of user authentication
In fact, the very mechanism may also be used to securely share PII with systems, thus facilitating for websites a much friendlier user experience where repeated acquisition of PII is avoided
The solution relies on an initial setup between a mobile app (the "Authenticator") and NokNok infrastructure (the "Server"), and a subsequent dialogue between a browser operated by a user (the "User") and a web site (the "Site")
- Authenticator generates a PPK
- Authenticator submits its public key to Server
- Server signs the public key and stores it in IPFS
- Server returns to client the hash ("Hash") produced by IPFS, which may be used to retrieve the public key
- Authenticator stores the Hash locally
-
User requests a page on the Site
-
The page displays a QR code the User may scan using the Authenticator
-
Upon performing a scan, Authenticator extracts a Json object containing:
- a session token
- the path of a web-hook published by the Site
- an array of mandatory PII
- an array of optional PII
-
The Authenticator then presents the User with a page requesting for authorization to share PII. The User may decline optional items. Requested items whose values are not already known to the Authenticator are prompted for and stored locally, encrypted with the private key, for future use
-
For NokNok accounts that have linked a credit card (because of linking to the SingleID infrastructure), the Authenticator will have the Server sign the PII, allowing sites to have a guarantee of the legitimacy of the data
-
Upon authorisation, the Authenticator composes a Json object, signs it and POSTs it to the URL provided. The object contains the Hash and any PII the User consented to share with the Site
-
Site looks up Hash in local storage, if not found:
- Retrieves public key from IPFS using Hash
- Verifies public key signature using the NokNok public key
- Stores public key in a local dictionary using Hash
-
Site verifies signature on the Json object received, grants access as appropriate
NOTES
- Please note that in the above description, Client would be the Vow app, and Server the current Enigmatic Smile (EC) infrastructure
- Use of IPFS decentralises the storage of public keys and eliminates infrastructure requirements for EC
- The PII arrays provided by the QR code contain canonical codes from a well defined taxonomy
- Though most transmissions between the Authenticator and other parties are acceptably made in the clear, the Json object POSTed to the web hook must be made under the cover of an SSL envelope, as it contains PII
- The stated protocol places the Authenticator's PKK at the centre of the security structure. Security of the Authenticator itself is beyond the scope of this document but will be addressed in a separate paper
The information below typically constitutes PII and shall be identified by the codes shown. Though at present this list is limited, the taxonomy could be open sourced, allowing communities of all kinds to participate in the designation of information relevant to them, and allowing the Authenticator to perform data acquisition for a myriad applications well beyond the presently considered scope
| Code | Datatype | Description |
|---|---|---|
| ID | numeric | Unique ID |
| LN | string | full legal name |
| BA | string | billing address |
| SA | string | shipping address |
| NIN | string | national identification number e.g. SSN |
| DOB | string | date of birth |
| WA | string | wallet address |
| COB | string | country of birth |
| LOR | string | location of residence |
| COC | string | country of citizenship |
| PN | numeric | phone number |
| EA | string | e-mail address |
| SM | string | social media (adjective) |
| SM:FB | string | |
| SM:TW | string | |
| SM:TL | string | Telegram |
Implementation of the above protocol makes an application "the keys to the kingdom", allowing users to go anywhere and have instant and effortless access to their information with minimal effort on the server side. In pursuing this path, NokNok stands to position itself at the centre of all interactions of a private nature, on the web and other systems like blockchain and IOT
In short, NokNok stands to bring the world the next and logically final solution to authentication
The terms listed below are used in this document to mean the following:
| Term | Definition |
|---|---|
| 2FA | second-factor authentication |
| ECC | elliptic-curve cryptography |
| PII | personal identification information |
| PPK | private-public keypair |
| SSL | secure sockets layer |
| URL | uniform resource locator |