Your privacy matters
Kris Durski

Introduction:

Passwordless authentication is more secure than a password with a second factor, but it takes longer to roll out. Many companies therefore start with 2FA, which is easier to set up and which most software suites already support.

Do we need to replace existing authentication methods?


The FIDO Alliance is focused on providing open and free authentication standards that reduce the world's reliance on passwords: UAF, U2F, and FIDO2 (WebAuthn together with CTAP).

Secure Digital Identity (SDI), by Vault Security, is the concept of a personalized platform for authenticating and authorizing access to digital assets and to tangible (Internet of Things) assets.

I want to emphasize that our startup's goal is not to replace any part of existing security systems with ours but to complement or augment them by adding a layer of protection. Vaulter helps enterprises minimize threats because any attempt to impersonate people or intercept data is useless without possessing the encryption keys. We help businesses save money by avoiding password resets and by giving them a way to share their assets or services ONLY with the proper employees, suppliers, customers, and users. It is an excellent solution for any company that shares or rents access to its goods. Many of these things are connected to corporate networks in some fashion, further complicating cybersecurity. There is also the ability to launch subscriptions, e.g. video streaming, safely.


Secure Digital Identity (SDI)

An additional layer of security with the convenience of Single-Sign-On

1. No traditional account is needed; if one exists, it is accepted and its credentials can be stored alongside the keys

2. Once an SDI account is created for one key, no other primary keys can be added

a. Accounts are created by invitation with activation codes. To take over the account, an attacker would need to fully impersonate the legitimate user/owner on the approved authentication service

3. To log in, the user does not need to enter a login name; it is computed from their email and a secret key, which anonymizes the user on that service

4. The user/owner may securely share their account with others

a. The user/owner may remove sharing at any time

5. All of the user's devices share the same keyset, which is stored in the cloud

a. Device independence: a lost, stolen, or damaged device can be replaced without re-registration

b. If the user has multiple devices, only one registration is required per service, not one per device

6. Keys held in the device's TPM (Trusted Platform Module) protect the user's keyset when it is cached on the device. The user may opt for an additional passcode to unlock the keyset

a. The cached keyset can be unlocked with biometrics, a passcode, both, or a passphrase

7. The server is identified by its URL and by an encrypted nonce (ephemeral key)

a. A hijacked DNS (Domain Name System) entry therefore cannot spoof the service

8. SDI is agnostic to the encryption algorithm and key size. Key sizes grow from time to time as computers get faster; the algorithm and key size are negotiated automatically with the server

9. SDI is intended for authenticating authorized transactions

a. It promotes high-granularity (per-transaction) authorization, which hinders lateral movement

b. No counter synchronization is required: each transaction carries its own unique challenge, so a captured message cannot be replayed, regardless of network issues

10. Attestation covers ownership of the PCM (Personal Cryptographic Matter) and is performed through the authentication service, independently of the device

11. Authorization servers see only anonymized account IDs, which cannot be used to track their owners

a. If traditional accounts are still used, those accounts remain traceable, which can violate the privacy of their owners

b. If traditional accounts are not used, tracking is not possible: each user has a different anonymized ID on each service

12. The platform is also designed to go beyond authentication and authorization of web services

a. Control of access to tangible assets, such as cars, homes, offices, public transportation, IoT devices, and more

b. Cryptographic sharing of documents and messages, e.g. files, emails, short messages.
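Items 3 and 11 above describe a login name that is derived from the user's email and a secret key, and that differs on every service so that services cannot link accounts. The page does not describe SDI's actual derivation; the block below is an added example, not Vault Security code, and assumes an HMAC-SHA256 construction keyed with a per-user secret to show the two properties that matter (a service cannot compute the ID without the secret, and two services cannot match their IDs). The secret, email and service names are constructed sample input.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable


def derive_service_id(user_secret: bytes, email: str, service: str) -> str:
    """Pseudonymous account ID for one (user, service) pair.

    HMAC-SHA256 keyed with the user's secret over the e-mail and the service
    name (an assumed construction, not SDI's published one). Without the
    secret a service cannot compute the ID, and two services cannot tell
    that their two IDs belong to the same e-mail address.
    """
    if len(user_secret) < 32:
        raise ValueError("user secret must be at least 256 bits")
    fields = (email.strip().lower().encode("utf-8"), service.encode("utf-8"))
    # Length-prefix each field so the concatenation is unambiguous.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(user_secret, msg, hashlib.sha256).hexdigest()


def service_ids(user_secret: bytes, email: str, services: Iterable[str]) -> Dict[str, str]:
    """IDs for one user across several services, all from the same keyset."""
    return {s: derive_service_id(user_secret, email, s) for s in services}


def linkable(id_a: str, id_b: str) -> bool:
    """The only test two colluding services can run: are the IDs equal?"""
    return hmac.compare_digest(id_a, id_b)


if __name__ == "__main__":
    # Constructed sample: a fresh user secret and two unrelated services.
    secret = secrets.token_bytes(32)
    ids = service_ids(secret, "Alice@Example.com", ["video.example", "bank.example"])
    for svc, pseudo in ids.items():
        print(f"{svc}: {pseudo}")
    # Any device holding the same secret recomputes the same ID (item 5).
    print("same on second device:", derive_service_id(secret, "alice@example.com", "bank.example") == ids["bank.example"])
    print("linkable across services:", linkable(ids["video.example"], ids["bank.example"]))
```

The email is normalized (trimmed, lower-cased) before hashing so that the same mailbox written with different capitalization yields one ID; the service name is part of the HMAC input, which is what makes the IDs unlinkable rather than merely opaque.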


Fast Identity Online (FIDO)

Convenience, with security resting on possession of the registered device

1. A traditional account is required

2. Multiple devices can be registered to that account by anyone who knows the account's credentials

a. A phishing attack that obtains the user's password (the fallback credential) can be used to register the attacker's device as legitimate

3. To log in, the user must remember and enter their login name for each service

4. Sharing is possible by registering additional devices, but that requires sharing the account credentials

a. Revoking a single shared device is not covered by the standard; whether it is possible depends on the relying party's account management

5. Devices use private keys held in their authenticator (a platform TPM or secure enclave, or a roaming security key)

a. Device dependence: a device-bound credential cannot be moved, so a new device needs a new registration, which in practice means falling back to the account password (not entirely password-less)

b. If the user has multiple devices, each must be registered separately with each service

6. If the relying party does not require user verification, anyone holding an unlocked device can sign with its keys

a. Keys on the authenticator are unlocked with biometrics or a passcode; the user-verification flag in each assertion tells the server whether that happened

7. The server is identified by its RP ID (the domain of the origin), which the browser checks and binds into every assertion

a. A look-alike domain therefore never yields a valid assertion; a hijacked DNS (Domain Name System) entry for the real domain is blocked only as far as TLS is, i.e. the attacker also needs a certificate the browser accepts for that domain

8. U2F fixed the algorithm to ECDSA over P-256. WebAuthn lets the relying party list the COSE algorithms it accepts (pubKeyCredParams), so a new algorithm or key size needs a COSE identifier and authenticator support rather than a new revision of WebAuthn itself

9. It is intended and designed for authenticating logins to web services (and to native apps through platform APIs)

a. FIDO authenticates the login event, not the session that follows: a stolen session cookie or token can still be used for impersonation

b. The signature counter is a clone-detection heuristic, not what prevents replay (the per-login challenge does that). It is optional, and a response lost to a network error leaves the authenticator's counter ahead of the server's, which is still accepted; only a counter that fails to increase flags a possible clone, and how to react is left to the relying party

10. Attestation identifies the make and model of the authenticator, not its owner

a. Binding to the owner relies on user verification; a legitimate device in the wrong hands, used without it, is a security hole

11. Guarantees non-traceability of authenticators, e.g. smartphones, across services (batch attestation certificates shared by many devices)

a. But because traditional accounts must still be used, those accounts remain traceable, which can violate the privacy of their owners

12. No use besides authentication to web services is specified.
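Items 7 and 9 above turn on two relying-party checks: which origin an assertion is bound to, and what the signature counter does. The block below is an added example, not code from any FIDO/WebAuthn library, showing those checks as a relying party would run them on the clientDataJSON and authenticatorData of an authentication ceremony. Signature verification over authData || SHA-256(clientDataJSON) with the stored public key is deliberately left out and must be added in a real deployment. The credential, challenges and assertion bytes are constructed in the file; the function and field names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
from dataclasses import dataclass


class AssertionRejected(Exception):
    """Raised when an assertion fails one of the relying-party checks."""


@dataclass
class StoredCredential:
    rp_id: str            # e.g. "example.com"; the client hashes this into authData
    expected_origin: str  # e.g. "https://example.com"; the browser writes it into clientData
    sign_count: int       # last counter value the relying party stored


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def parse_authenticator_data(auth_data: bytes):
    """authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | ..."""
    if len(auth_data) < 37:
        raise AssertionRejected("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return auth_data[:32], auth_data[32], sign_count


def verify_assertion(cred: StoredCredential, expected_challenge: bytes,
                     client_data_json: bytes, auth_data: bytes,
                     require_uv: bool = True) -> int:
    """Origin, challenge, RP ID, flag and counter checks; returns the counter to store.

    Signature verification with the stored public key is omitted here and
    must be performed as well before the login is accepted.
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise AssertionRejected("not an authentication ceremony")
    # The browser, not the page, fills in the origin it is really talking to,
    # so a look-alike domain never matches; a hijacked DNS entry for the real
    # domain only gets this far if the attacker also defeats TLS for it.
    if cd.get("origin") != cred.expected_origin:
        raise AssertionRejected(f"origin mismatch: {cd.get('origin')!r}")
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        raise AssertionRejected("challenge mismatch: replayed or wrong session")

    rp_id_hash, flags, sign_count = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(cred.rp_id.encode()).digest():
        raise AssertionRejected("rpIdHash mismatch")
    if not flags & 0x01:
        raise AssertionRejected("user presence (UP) not asserted")
    if require_uv and not flags & 0x04:
        raise AssertionRejected("user verification (UV) not performed")

    # Counter rule (WebAuthn section 7.2, step 21): both zero means the authenticator
    # has no counter. Otherwise the value must be strictly greater than the stored
    # one. A response lost to a network error leaves the authenticator ahead of the
    # server, which still passes; only a value that does not increase points at a clone.
    if (sign_count or cred.sign_count) and sign_count <= cred.sign_count:
        raise AssertionRejected("signature counter did not increase: possible clone")
    return sign_count


def accepted(cred, expected_challenge, client_data_json, auth_data, require_uv=True) -> bool:
    """Boolean wrapper around verify_assertion for the demo below."""
    try:
        verify_assertion(cred, expected_challenge, client_data_json, auth_data, require_uv)
        return True
    except AssertionRejected:
        return False


def make_assertion(rp_id: str, origin: str, challenge: bytes, sign_count: int, flags: int = 0x05):
    """Constructed clientDataJSON and authenticatorData, as a browser and authenticator would emit."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin})
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return client_data.encode(), auth_data


if __name__ == "__main__":
    cred = StoredCredential("example.com", "https://example.com", sign_count=4)
    # Normal login: the server issues a fresh challenge, counter 5 follows the stored 4.
    chal = secrets.token_bytes(32)
    cred.sign_count = verify_assertion(cred, chal, *make_assertion("example.com", "https://example.com", chal, 5))
    # Login 6 was signed but its response never reached the server; login 7 still passes.
    chal = secrets.token_bytes(32)
    cred.sign_count = verify_assertion(cred, chal, *make_assertion("example.com", "https://example.com", chal, 7))
    # A cloned authenticator presenting counter 7 again is flagged.
    chal = secrets.token_bytes(32)
    print("clone accepted?", accepted(cred, chal, *make_assertion("example.com", "https://example.com", chal, 7)))
    # A phishing page on a look-alike origin never produces a matching origin.
    print("phish accepted?", accepted(cred, chal, *make_assertion("example.com", "https://examp1e.com", chal, 8)))
```

Note that the challenge check, not the counter, is what stops a captured assertion from being replayed: every ceremony gets a fresh random challenge, and an assertion over an old one fails before the counter is even read.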


Client Use Cases

[Image: Client Use Cases diagram; no alternative text available]

Business Adoption of a Service

[Image: Business Adoption of a Service diagram; no alternative text available]

For more articles subscribe here:

Substack newsletter
