Heartbleed and The Future of Authentication

Joel Monegro
Apr 11, 2014

Last night, my very non-techie girlfriend told me “someone broke the internet and now we have to change all our passwords”. She was, of course, talking about Heartbleed. While this is not the first time we’ve had a serious vulnerability affect the vast majority of the internet, it’s the first time a bug has received such publicity, and deliberately so. As a result, it has caused a great deal of fear and uncertainty among even the most technologically inclined.

What’s scary about this particular bug is the realization that our online identities — and therefore our data — are not truly safe. Things get especially spooky when we consider that they may soon become our primary proof of identity (both on and offline) as networks grow and the market demands an efficient and accessible method for verifying identities on a global scale, far beyond what any government or treaty can provide.[1]

Ideally this would come in the form of a decentralized authentication system that is open, secure, reliable and easy to use, but unfortunately, none of our current options stack up. Government-issued physical documents are easy to forge, the inadequacy of e-mail/password authentication is well documented, and not even two-factor authentication is bulletproof. Most importantly, because traditional IDs are constrained by complex international laws, e-mail addresses and phone numbers are not permanent enough to reliably identify an individual person over time, and all of these are centralized, none could serve as the platform for a truly global personal identity.

It goes without saying that we have to rethink how we’re handling user authentication, as its importance grows beyond simply signing into a website. An interesting idea is to use the collection of a user’s verified online profiles to construct an ID. Keybase is a good example of this mechanism at work. However, while it appears to function well, it will likely never go mainstream in its current form due to the technical knowledge required to both understand and use it. Nevertheless, the concept is solid and I think it’d work well if paired up with a Blockchain.

It turns out that a system based on the signed aggregate of public profiles stored on a Blockchain to decentralize identity is not a new idea, as posted by Albert Wenger on Continuations not long ago. As he points out, the challenge is to build a system that solves Zooko’s triangle by being memorable, secure, and global. Relying on various verified public profiles in conjunction with a Blockchain makes it global right off the bat, but what’s missing is an extra layer of security and a smooth user experience.

I think the solution might be a Keybase-like service running on a Blockchain, secured by two-factor authentication powered by a fingerprint sensor[2] rather than an SMS code, all delivered through a simple API. For this, we’d need an open source (both hardware and software) version of Apple’s TouchID. We’d also need the hardware to be cheap enough to be built into as many devices as possible. I want to be able to click the authentication button, have an alert pop up on my mobile device[3], scan my fingerprint, and be on my way. In fact, I expect Apple to announce this exact functionality soon, as they move towards wearable computing and expand the reach of TouchID beyond unlocking your phone and authorizing App Store purchases.

This is the experience we should strive for. We need to think ahead and start working on an open alternative. It’s a complex issue, for sure, but solving this kind of problem is what draws most of us to technology after all. There’s also a very real business opportunity in either developing the technology or being one of potentially many API providers.

Footnotes

[1] For example, Zidisha, a YCombinator-backed global P2P microlending non-profit, has skipped credit reports and instead requires users “be an active internet user and hold a Facebook account with extensive social connections” in order to become eligible for a loan.

[2] While it’s true that fingerprint sensors, including TouchID, are not 100% secure, they’re a good solution for the vast majority of consumers, and help defend against attacks that target large numbers of users simultaneously. If an attacker is targeting an individual user, and is willing to go as far as to lift a fingerprint off a surface to surpass the sensor’s security, the target will probably be compromised in one way or another anyways.

[3] This makes more sense if we consider the trend towards wearable devices.
