The trust centres of future internet are emerging… what will they be?

Weiwu Zhang
Smart Token Labs
Sep 30, 2021

It was raining when I arrived in London. In the midst of dealing with the rain, I lost my mobile phone. Unfortunately, the last GPS signal from the sad, rain-soaked phone indicated that it was located at a waste processing centre a few hours away.

I hurried to purchase a new phone. As I tried to set it up, it soon dawned on me that I could do nothing with it.

My work depends on my having access to an active Google account. Google will only let me log in if I confirm my identity on another device, such as the one now languishing in the waste processing centre mentioned above. Alternatively, Google could send me an SMS verification code … to the same ‘wasted’ phone.

The new phone I purchased is a Samsung, the new model with a built-in blockchain keystore. Many of this phone’s functions hinge on owning a Samsung Account. To use it, the phone told me to tap on a dialogue on my other Samsung device, or to receive an SMS code. Both forms of identification went … well, you know where.

My technological troubles didn’t end there. Amazon scrutinised me just as Google and Samsung had. These days, a username and password are, it would seem, no longer sufficient to log in to the Audible app.

Even my apps for HSBC and DBS (a bank) required authentication via my former phone.

The idea of proving one’s identity through a device is not new. In fact, such proof is instrumental in preventing online identity theft. The working theory is that a hacker may know everything about you, yet still cannot access your data or bank account, because they do not possess the smart device to which two-factor authentication (as it is best known) is tied. In theory, possession of that device cannot be faked over the Internet, thanks to modern-day cryptography.

As a bank system architect, I often advised that there are three (3) elements at work in secure remote identity authentication: what you know, what you have, and what you are. The first element is a password. The second element is a security device, such as a mobile phone. The third element is what the biometric features of today’s smartphones provide. The use of a device to authenticate a user is not a bug, but a feature.

The usability penalty for two-factor authentication is considerable, however. To access my Google account, I was forced to find an old phone back in my home in Australia (which involved waking up my wife in the middle of the night to look for it). To regain access to Audible, I asked her to retrieve my daughter’s iPad (she listens to bedtime stories with it). My Samsung account was beyond saving, though, since the ‘wasted’ phone was my last Samsung. So I created a new Samsung account, losing my old data.

But the inconvenience that comes with better account security is a new problem. If history repeats itself, it will be solved by the Internet’s favourite method: centralisation.

A bit of history. In the early days of the Internet, web portals competed with one another by offering email accounts so that they could keep in touch with the users. Because of this, it’s common for users to have lots of email addresses, one per portal, such as ‘@yahoo.com’ and ‘@GeoCities.com.’ This ‘feature,’ such as it was and is, quickly became a nuisance. Luckily, email protocols were standardised, so centralisation happened naturally. Users settled with one (1) email as their “main online identity.” As time passed, websites gradually stopped offering email addresses on the side, and allowed users to create email addresses for themselves, at their discretion, instead. With this being the norm, information flows to a few centralised email providers.

Returning to 2021: authentication is no longer about information but about services. For example, if someone gained access to your Apple ID, they could use it to make purchases online, or drive a smart car attached to that ID. Presently, the bar for integration and security is as high as it has ever been. In my opinion, the centralisation of email addresses will be replaced by the centralisation of authentication devices.

To my mind, it won’t be surprising to eventually see vendors such as Apple and Samsung offer third-party applications authentication built on the hardware security their devices provide. Under such a model, someone who gets a new phone only needs to prove access to an old device, instead of providing such proof to each individual app.

Will the centralisation of authentication devices cause the Internet to be more centralised around F.A.N.G.? It’s hard to say at this time. By the looks of it, Google and Apple are well positioned to be the ultimate centre of security-related identification, with other apps simply pegging onto them. Actually, if you think about it, this is already happening… albeit on a small scale. For example, I once logged into the LinkedIn app, but it suspected that someone other than me was attempting to gain access to my LinkedIn account. I was eventually granted access to my LinkedIn… via a Google Account.

But it’s also possible to do what the Internet did in the 90s: standardise protocols. Samsung, for example, integrated a blockchain key store into their mobile phones. If the APIs are well written and accommodate standardisation, apps can use the hardware authentication mechanism directly, instead of going through intermediaries such as Google or Apple. This kind of centralisation is healthy, since it doesn’t require the user to reveal their Google/Apple ID, and there is no way for Google or Apple to impersonate you, even under legal compulsion, since the relevant cryptographic key exists only in the phone itself. Viewed from above, it is actually decentralising.
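As an added example (not code from the original post or from Smart Token Labs), here is the challenge-response pattern behind that claim, in Go: the app’s server stores only a public key, the device signs a fresh single-use nonce with a key that never leaves it, and the server holds no secret it could use to impersonate the user. The names NewDevice and RelyingParty, the in-memory maps, and the user “alice” are assumptions for illustration; a real phone would keep the private key in its hardware keystore rather than in a closure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// NewDevice stands in for the phone's hardware keystore (assumed name). It returns a signing function
// and the public key to enrol; the private key lives only inside the closure and never leaves the device.
func NewDevice() (func([]byte) []byte, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return func(c []byte) []byte { return ed25519.Sign(priv, c) }, pub
}
// RelyingParty is the app's server. It stores only public keys and each user's outstanding
// single-use challenge, so nothing it holds (or leaks) lets anyone impersonate the user.
type RelyingParty struct {
	keys   map[string]ed25519.PublicKey
	nonces map[string][]byte
}
func NewRelyingParty() *RelyingParty { return &RelyingParty{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
// Register binds a user to a device public key (done once at enrolment).
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }
// Challenge issues a fresh random nonce that the device must sign for this login attempt.
func (rp *RelyingParty) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	rp.nonces[user] = nonce
	return nonce
}
// Verify accepts the login only if sig covers the outstanding nonce under the registered key;
// the nonce is consumed, so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, known := rp.keys[user]
	nonce, issued := rp.nonces[user]
	delete(rp.nonces, user)
	return known && issued && ed25519.Verify(pub, nonce, sig)
}
func main() {
	sign, pub := NewDevice() // constructed enrolment of one device for user "alice"
	rp := NewRelyingParty()
	rp.Register("alice", pub)
	sig := sign(rp.Challenge("alice"))
	fmt.Println("login:", rp.Verify("alice", sig), "replay:", rp.Verify("alice", sig))
}
```

The second Verify call fails because the nonce was consumed by the first, and a signature from any other device fails because only the enrolled public key is trusted.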

With all that said: which direction will the Internet’s future go in? Will we fall into the firm grasp of F.A.N.G.?

I’m optimistic because, as the CTO of AlphaWallet, I know there are blockchain technologies that can centralise a user’s identities on their device without intermediaries like Google and Apple. It’s called the Blockchain. But in my opinion there are three (3) hurdles standing in the way of this technology’s adoption.

First, there is a lack of mature blockchain protocols and a mature tech stack. Google and Apple have worked extensively on making their identity solutions easy to use, so much so that it’s difficult to compete with them now. Outside of the efforts made by those two (2) companies, standardisation efforts have been lacking, and the other Internet corporate juggernauts are too profit-driven to contribute significantly to protocol standardisation.

Second, there is a lack of consumer demand. Though most users would consider apps pegging onto Google and Apple a bad idea, only a few percent will adopt new technologies. It’s like knowing vegetables are good for you, but refusing to eat them.

Third, there is no legal framework to penalise apps that depend solely on Google and Apple for authentication and provide no other option, such as a blockchain key store. To achieve that, our legislative bodies should prioritise privacy, as European lawmakers did with GDPR.

These hurdles appeared insurmountable at first. However, just a few years ago, people wouldn’t have thought that big vendors such as Samsung would provide a blockchain key store (the basis of blockchain device authentication) on any of their devices… and yet that is what has happened. There is already a significant blockchain app market. Ideally, blockchain ‘buidlers’ should focus more on providing a pathway for apps to use blockchain-based authentication. If we don’t work hard to overcome the above-mentioned hurdles, what may happen is that most apps will depend on Google or Apple for authentication, thereby creating a path dependency from which it will be difficult to return.
