Have you ever counted how many online services you access every day? Most of them use some kind of user identification, and it is a hassle to remember the credentials for all of your accounts. Sometimes it seems there has got to be a better way of logging in to your favorite websites and services. But is there?
Traditional means of user authentication are either rather complicated if used properly (keeping the login and password in your head rather than on paper, and changing them periodically) or easily compromised. Everybody has written their passwords on a piece of paper or, worse, saved them right on a gadget, making account theft a piece of cake. Two-factor authentication should have solved this problem by granting access to the web service only after the login is confirmed via another channel, such as an SMS or an email. Instead, 2FA has just added new vulnerabilities to the existing ones: neither SMS nor email is encrypted.
According to the latest Telesign report, in the past year 2 in 5 polled people confirmed that their account had been stolen, compromised or hacked. Almost half of them had not bothered to change a password in 5 years, and some use ten-year-old passwords. The three most popular passwords in the English-speaking world today are “123456”, “password” and “qwerty”.
As we can see, existing means of authentication are either not secure enough or simply too complicated for the user. This significant drawback of the traditional authentication scheme, together with the need to change passwords from time to time, makes it an unattractive option for everyday use.
Along with the traditional schemes there is another approach to authentication: a Public Key Infrastructure (PKI) system. In other words, instead of a login/password pair with SMS or email confirmation, the device authenticates to the web service with a public/private key pair. Such a scheme is considerably more secure than the traditional means of authentication, as the keys themselves are stored encrypted.
The system somewhat resembles the authorization procedure for a bank card holder. When logging in, the user enters only a PIN code. The PIN code is used in combination with two private keys: RSA keys that are stored encrypted with the AES-256 algorithm. Note that instead of one PUK code two PUK codes are used: a server PUK (sPUK) and a client PUK (cPUK). Encryption is used so that no database administrator is able to compromise the account. The cPUK is saved on the user's device and also backed up in safe offline storage (e.g. on a flash drive) in case the user wants to access the web account from a new device. For convenience the keys can also be stored as QR-code pictures, so the user can scan one and enter the system from a cellphone.
Basically, upon registration a user receives a key for the device, which is stored in encrypted form. The user will never have to bother with account recovery, login/password loss, or even the theft of the device.
The PKI implementation changes the way users access any of their online services: there is no need to memorize a login and password (the most common issue for all kinds of users), and no need to worry about a lost email account or even a mobile phone, as no sensitive data is saved there in the open. PKI lets a user restore access to the service even after losing all digital data: he or she would still have a paper with a printed QR code, which is issued upon registration.
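The core of the scheme above, the device key that only exists in the clear after the PIN unlocks it, as an added example (not Exscudo's code): the private key is wrapped under a PIN-derived AES-256-GCM key, a wrong PIN fails the authentication tag instead of producing a garbage key, and the same blob can be written to a flash drive or printed as a QR code. For brevity it assumes Ed25519 in place of the RSA keys the article describes and an iterated hash in place of a production password KDF; the PIN, salt and blob layout are constructed for the demonstration, and at login the unwrapped key simply signs the server's random challenge, which the server checks against the public key it stored at registration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// pinAEAD stretches a short PIN plus a per-key salt into an AES-256-GCM cipher.
// The iterated hash is a stand-in for a real password KDF such as scrypt or Argon2.
func pinAEAD(pin string, salt []byte) cipher.AEAD {
	k := sha256.Sum256([]byte(pin))
	for i := 0; i < 100000; i++ {
		k = sha256.Sum256(append(k[:], salt...))
	}
	block, _ := aes.NewCipher(k[:]) // cannot fail: a 32-byte key selects AES-256
	gcm, _ := cipher.NewGCM(block)  // cannot fail for an AES block cipher
	return gcm
}

// WrapKey encrypts the device's private key under the PIN. The returned blob
// (salt || nonce || ciphertext) is what sits on the device or in the QR-code backup.
func WrapKey(priv ed25519.PrivateKey, pin string) ([]byte, error) {
	hdr := make([]byte, 28) // 16-byte salt + 12-byte GCM nonce, both fresh random
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	aead := pinAEAD(pin, hdr[:16])
	return aead.Seal(hdr, hdr[16:], priv.Seed(), nil), nil
}

// UnwrapKey reverses WrapKey. A wrong PIN fails the GCM tag check, so the caller
// gets an error rather than a garbage key; the private key is only ever in the
// clear in memory while the user is logging in.
func UnwrapKey(blob []byte, pin string) (ed25519.PrivateKey, error) {
	if len(blob) < 28 {
		return nil, errors.New("wrapped key too short")
	}
	aead := pinAEAD(pin, blob[:16])
	seed, err := aead.Open(nil, blob[16:28], blob[28:], nil)
	if err != nil {
		return nil, errors.New("wrong PIN or corrupted backup")
	}
	return ed25519.NewKeyFromSeed(seed), nil
}
```

Because the blob carries its own random salt and nonce, two backups of the same key look unrelated, and a database that stores only the public key gives an administrator nothing to log in with.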
The author of the scheme, Alex Sitnikov, chief technical officer of Exscudo, has successfully implemented it at exscudo.com, making its services more secure and user-friendly. Alex Sitnikov has vast experience in IT: he worked as a system architect for IBM and designed IT infrastructure for major US and Russian exchanges. In the Exscudo project, Alex has applied the best practices of IT security to the authentication process used in the company's various projects.
“As a developer I wanted to minimize the factor of a human mistake or any careless attitude to the personal data. Working for Exscudo I saw a way of making it possible and also a motivation to do that. We are creating a number of online financial services which will be accessible within one single account. It means that it should be as secure as possible”, explains Alex Sitnikov, the CTO of Exscudo.
Exscudo is a next-generation financial ecosystem that unites the traditional financial system and the cryptocurrency market. The main goal of the project is to create a single gateway to the cryptocurrency market for everyday users, professional traders, investors and financial institutions. Exscudo's ecosystem consists of a stock exchange, a B2B cryptocurrency merchant service, mobile wallets, trading terminals, bank cards and a protected messenger. The development team consists of professionals with many years of experience in developing financial products and services. More information about the team can be found on the official Exscudo website.
Alex Sitnikov, CTO of Exscudo