@ternus
Last active August 29, 2015 14:21
Passcard: No, Just No

Passcard, featured today on HackerNews, describes a decentralized blockchain-based authentication system. The basic idea is that you store your personal information in one of several registrar-maintained blockchains authenticated by a secret key, then use your ownership of this key to prove your identity. According to Passcard’s site, it’s supposed to replace your house keys, your wallet, your driver’s license, your credit cards — to be able to unlock everything in your life.

This is a terrible idea.

In order to figure out why, we have to explore the problem space of security and look at why problems like user authentication are fundamentally hard in the first place.

What Happens If You Forget Your Password?

Security products exist in a continuum between theoretical security and user-friendliness. On the theoretical security side we have encryption products where security against adversaries is paramount: PGP, full-disk encryption, Bitcoin wallets, and so on. On the user-friendliness side we have most commercial products: shopping, webapps, credit cards, and so on — basically anything with a user account. The major difference between these categories is that, if you forget your password to a “user-friendly” system – essentially, your key, the secret that is supposed to authenticate you and you alone — there exists a human or other system that, if you provide them with the right information, can restore access to the thing that your key is supposed to be protecting.

This is the expectation that most people operate under in the real world. If I forget the password to my Amazon account, I don’t expect to be permanently unable to make purchases on Amazon. I can call customer support, and after a few minutes on the phone, I’ll be able to access my account again.

Similarly, if I lock myself out of my house, I expect to be able to call a locksmith, who will use their tools to restore my access. Even were I to have only one copy of my key — were I somehow confident that only one copy of my key existed in the world — I would not expect that losing that key would cause my house to become permanently unusable, to anyone, forever. Same thing with my car: “Lost your key? Too bad; your car is now an inert, undriveable hunk of metal blocking the road forever,” said no one ever, and if they did, they’d soon find themselves on the receiving end of “WTF?!?” articles in your media outlet of choice.

This, however, is the security model of Passcard. This is also, coincidentally, the security model of Bitcoin and other blockchain-based systems, as well as PGP and other systems purporting to offer cryptographically strong security. (For the purposes of this rant, we’ll set aside attacks on the crypto itself.)

Getting normal people, whose only mental mapping for CIA is the three-letter agency, who don’t know the difference between authentication and authorization and don’t care — in other words, 99.999% of people in the world — to wrap their heads around the idea that once you lose your key it’s gone forever is hard. Scratch that — it’s one of the canonical Hard Problems in making strong crypto accessible to the rest of the world.

What Happens If Your Phone Gets Stolen?

Let’s go back to Passcard’s claim to be able to replace your keys, your wallet, your credit cards, and all other devices and systems used to authenticate you. The premise behind Passcard is that your key equals your identity. In other words, under the security model of Passcard, anything and anyone able to present the key that verifies against your blockchain entry is ipso facto considered to be you.

Let’s also remind ourselves that, in order to use Passcard this way, you need to have your key with you: on your mobile device, on your desktop, anywhere you want to authenticate yourself electronically. Are you seeing the problem here?

If someone steals your phone, or hacks your desktop, or otherwise exfiltrates your key, they are you.

But Don’t Take My Word For It

Here’s Passcard’s security section in its developer overview (in its entirety!):

When you sign up for a passcard, your registrar will give you a secret key. So long as you keep that key safe and prevent others from getting to it, your passcard will be secure and nobody will be able to impersonate you or steal your data.

Don't worry though! Your registrar will do the hard work of keeping your key safe so that you never have to worry about it. In fact, many registrars will store your keys across your mobile and desktop devices so that even they can't get to your passcard or tamper with the data. These registrars are the most secure and trustworthy, so go with them if you can.

Those are some strong claims. Let’s address them one by one, shall we?

Your registrar will give you a secret key

So you don’t even generate the secret key yourself! Your registrar generates it for you. What does this mean?

Let’s put it in bold text: In the Passcard world, anyone at the registrar may have the ability to unlock your house, read your email, post on social media as you, and make purchases using your financial data.

So long as you keep that key safe and prevent others from getting to it, your passcard will be secure and nobody will be able to impersonate you or steal your data.

You cannot, in 2015, release a system that doesn’t have a story for what happens if you get hacked or your phone gets stolen (etc., etc., ad nauseam). This is irresponsible to the point of malice. The idea that the response to “someone swiped my iPhone and now they’re raiding my bank account; how do I stop this?” could possibly be “we told you not to let that happen” is horrendously infuriating. “User-hostile” doesn’t begin to cover it.

What if, in order to address this problem, sites require extra information along with your Passcard data? Then the system is no more user-friendly than it would be if it did not use Passcard, and its grandiose claims to replace Everything would fall apart.

Let’s go on to their FAQ:

What happens if I lose my passcard?

If you lose the device with access to your passcard, you can always recover it with the backup instructions that your passcard registrar gave to you. There are usually many mechanisms in place to ensure that if your passcard is lost, you can still recover it. Of course, if all the mechanisms fail, there is nothing you can do, but it very, very rarely comes to that.

*handwaves intensely enough to generate a small hurricane*

(Also, did you catch that the passcard registrar still has your key? Awesome!)

Can my passcard be stolen?

Unfortunately, yes. That’s why it’s important to safeguard the device that your passcard is stored on. That said, passcard registrars typically provide really strong mechanisms for preventing theft, so you shouldn’t run into problems.

Their faith is endearing. The idea that others should adopt it is markedly less so. (“Typically?” Where’s the evidence?)

Conclusion

Why do I care? Part of the role of security professionals is to hold organizations’ feet to the fire when they make unsubstantiated and grandiose claims. Security isn’t a game, and claiming to have solved a problem — authentication that is simultaneously strong, decentralized, and user-friendly — that has bedeviled companies and academics for decades, just through a little Bitcoin magic, is a little like claiming cancer can be cured with high doses of vitamin C.

I would LOVE to be proven wrong about this. I would love it if we could make cryptographically strong authentication useable and accessible and open and free and available to everyone. But this isn’t it. Sorry, folks.

@muneeb-ali

Some quick thoughts:

Your registrar will give you a secret key

The key is generated client-side. So you can cut out most of the arguments stemming out of that one-liner.

it’s one of the canonical Hard Problems in making strong crypto accessible to the rest of the world

You got that right. And definitely makes it a worthwhile problem to work on. We're working on better "reset" mechanisms for when you do lose access to your private key. Owning your passcard on an m-of-n multisig is one thing (users are trusting their family members and friends for reset). This is an active area of research and we're involving some of the top minds in CS to come work on it.

did you catch that the passcard registrar still has your key

No, that's not true. In fact, it's against the entire "decentralization" movement that we stand for.

authentication that is simultaneously strong, decentralized, and user-friendly — that has bedeviled companies and academics for decades, just through a little Bitcoin magic, is a little like claiming cancer can be cured

Doesn't mean that people shouldn't work on it :-) Similar arguments were made for "Zooko's Triangle" or practical BFT systems etc.
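
An added example, not from the gist, the comment, or Passcard's code: a toy ledger entry in Node.js that shows the "key equals identity" check the post describes next to an m-of-n guardian reset of the kind the comment mentions. The `Identity` class, the `rotate:` message layout and the 2-of-3 setup are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Toy ledger entry (hypothetical, not Passcard's data model): the current public
// key, n guardian public keys, and m, the approvals needed to replace the key.
class Identity {
  constructor(key, guardians, m) {
    Object.assign(this, { key, guardians, m });
  }

  // Any valid signature over the challenge "is" the user, so the owner and
  // someone holding a copy of the private key are indistinguishable.
  authenticate(challenge, sig) {
    return crypto.verify(null, challenge, this.key, sig);
  }

  // Naming the old key in the message stops an earlier approval being replayed.
  rotationMsg(next) {
    const raw = (k) => k.export({ type: 'spki', format: 'der' });
    return Buffer.concat([Buffer.from('rotate:'), raw(this.key), raw(next)]);
  }

  // Install `next` only if at least m distinct guardians signed rotationMsg.
  rotate(next, sigs) {
    const msg = this.rotationMsg(next);
    const approved = this.guardians.filter((g) =>
      sigs.some((s) => crypto.verify(null, msg, g, s))).length;
    if (this.m < 1 || approved < this.m) return false; // m of 0 would let anyone rotate
    this.key = next;
    return true;
  }
}

// Constructed scenario: a copied key works until a 2-of-3 guardian reset retires it.
function demo() {
  const mk = () => crypto.generateKeyPairSync('ed25519');
  const [owner, g0, g1, g2, next] = [mk(), mk(), mk(), mk(), mk()];
  const id = new Identity(owner.publicKey, [g0, g1, g2].map((k) => k.publicKey), 2);
  const challenge = Buffer.from('constructed-challenge');
  const stolenSig = crypto.sign(null, challenge, owner.privateKey); // thief's copy signs identically
  const before = id.authenticate(challenge, stolenSig);
  const msg = id.rotationMsg(next.publicKey);
  const s0 = crypto.sign(null, msg, g0.privateKey);
  const s1 = crypto.sign(null, msg, g1.privateKey);
  const oneGuardian = id.rotate(next.publicKey, [s0, s0]); // same guardian twice
  const twoGuardians = id.rotate(next.publicKey, [s0, s1]);
  const after = id.authenticate(challenge, stolenSig);
  return { before, oneGuardian, twoGuardians, after };
}

console.log(demo());
```

The copied key authenticates until the rotation lands, which is the window the post is worried about; the reset only narrows it if the guardians can be reached and the ledger honours the new key.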
