
At some point in time we decided that email addresses control the keys to the kingdom. If you lose access to your email, there goes your social media accounts, your bank accounts, your gaming accounts, and potentially many of your commercial accounts as well.

And then we decided that custom domains are the most professional. Which does make sense, there can only be one 'robert@gmail.com'. But, this is coupled with the idea that domains can expire, and that expiry does not appear to kill the identity that's potentially associated with the domain.

We should not be using email addresses as our primary source of identity verification in the first place. And we definitely _should_ have some way to globally declare that an identity has been compromised. Especially given our society's track record of keeping databases safe from breach.

I more or less assume it is inevitable that one of my major accounts will be compromised, and that this will be able to cascade into most of my major accounts being compromised. I do what I can to protect myself, but gmail as a single source of failure makes me nervous. Using any email provider besides gmail makes me even more nervous, because they don't have the full power and knowledge of Google protecting their databases.




There are other aspects here.

If you use a third party service for your email ID, the third party can ban you or like you mention - disappear and basically take your identity away.

If you rely on national ID cards, you have another set of problems.

If you rely on phone numbers, these can be sim-jacked.

If you rely on bio-authentication methods, you risk your privacy especially when the master database gets compromised.

Relying on any single source seems to be a recipe for disaster. Perhaps the solution is to have multiple ways to authenticate yourself, with different levels of credibility and to let as many of them survive as possible. Phone numbers and email IDs seem to have similar levels of credibility, but I haven't seen domain name service providers take to phone number authentication as much as I would have liked, but things are looking up. Alternatives could be backup codes, which some registrars use if you have 2fa enabled.


I think the usual suggestion is a public/private keypair. You then sign accounts saying they are yours.

This would also allow you to have multiple identities in cases where that is useful.

I've heard of various groups doing this under blockchain (of course) which is a way to solve the problem of publishing the details, but in many cases you don't really need that. It should be enough to make a key and get involved, like Bitcoin.

The issue of course is that if you lose the key(s) you have a major problem, whether they're just lost or stolen. This is probably solved with MFA but it's not a solution if that opens up other attacks.


For me, email has much more credibility than phone numbers.

The email market has worldwide competition, phone providers compete at a local level only. You can choose from thousands of different email providers, while phone provider choices for any given person are ~5.

The effective 'god' of domain names is IANA, which, while imperfect is more trustworthy than the 'gods' of phone numbers: local governments and telcos.


>If you rely on bio-authentication methods, you risk your privacy especially when the master database gets compromised.

It's my understanding that these methods (TouchID, FaceID) don't actually store your thumb prints or images of your face; rather, they store hashes of the output. Similar to how passwords should never be stored in plain text.


It's more than a hash since it needs to be able to match similar inputs (face at different angle, partially obscured), it's probably just a bunch of raw measurements but not actually a photo of your face.

The upside is it's only stored on the device itself and not in a master database and also isn't used for any remote authentication so can't be exploited by hackers over the internet.


Theory: it can be a hash of measurements of the face, rounded to a certain precision.


Rounding drastically reduces the search space of possible values. A cryptographic hash is no good if you know that the original message can only take on a finite set of values that can easily be enumerated.
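
The point in the two comments above, as an added example that is not part of the thread: a design check that sizes the space of rounded templates and confirms a hash over it can be matched by enumeration, salt or no salt. The feature names, ranges and rounding steps are constructed for illustration and do not describe any real biometric system.

```python
import hashlib
import itertools
import math

# Constructed model (assumption): a template is a tuple of face measurements,
# each rounded to a fixed step inside a plausible range. Numbers are made up.
FEATURES = [
    # (name, min_mm, max_mm, rounding_step_mm)
    ("eye_distance", 54, 74, 2),
    ("nose_length", 40, 60, 2),
    ("jaw_width", 100, 140, 4),
    ("mouth_width", 40, 60, 2),
]


def levels(lo, hi, step):
    """Every value one rounded measurement can take."""
    return list(range(lo, hi + 1, step))


def space_size(features):
    """Number of distinct rounded templates."""
    return math.prod(len(levels(lo, hi, st)) for _, lo, hi, st in features)


def search_space_bits(features):
    """Entropy upper bound of a rounded template, in bits."""
    return math.log2(space_size(features))


def quantize(raw, features):
    """Round raw sensor readings to the nearest allowed level."""
    return tuple(lo + round((x - lo) / st) * st
                 for x, (_, lo, _hi, st) in zip(raw, features))


def template_hash(values, salt=b""):
    """SHA-256 over the rounded measurements, optionally salted."""
    return hashlib.sha256(salt + ",".join(map(str, values)).encode()).hexdigest()


def recover_template(target, features, salt=b""):
    """Enumerate all rounded templates; return (template or None, attempts)."""
    attempts = 0
    grids = (levels(lo, hi, st) for _, lo, hi, st in features)
    for candidate in itertools.product(*grids):
        attempts += 1
        if template_hash(candidate, salt) == target:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    enrolled = quantize((63.4, 51.2, 121.7, 48.9), FEATURES)  # constructed reading
    salt = b"per-user-salt"  # stored next to the hash, so known to whoever has the record
    stored = template_hash(enrolled, salt)
    found, attempts = recover_template(stored, FEATURES, salt)
    print(f"templates: {space_size(FEATURES)} (~{search_space_bits(FEATURES):.1f} bits)")
    print(f"matched {found} after {attempts} hashes")
```

A salt stops precomputed tables but leaves the space just as small, and rounding more finely grows the space while making two scans of the same face less likely to land on the same template.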


The problem is that every new source of identity added is another new attack vector. If there are 10 different ways for me to prove I am who I say I am, it only takes a security flaw in one for my account to be compromised.


If you set login to require 3/10 then 3 of those ways would need a security flaw before your account is compromised.
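
The trade-off between the two comments above, worked through as an added example that is not part of the thread. It assumes every factor fails independently, with a constructed probability `p_flaw` that a factor is broken by an attacker and `p_lost` that the owner loses access to it; real factors are correlated, so read the output as a comparison between thresholds rather than a prediction.

```python
from math import comb


def at_least(k, n, p):
    """P(at least k of n independent events, each with probability p, occur)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def tradeoff(n, k, p_flaw, p_lost):
    """Return (compromise, lockout) probabilities for a k-of-n login policy.

    compromise: an attacker controls at least k factors.
    lockout:    the owner still holds fewer than k factors.
    """
    compromise = at_least(k, n, p_flaw)
    lockout = 1.0 - at_least(k, n, 1.0 - p_lost)
    return compromise, lockout


def sweep(n, p_flaw, p_lost):
    """One (k, compromise, lockout) row per possible threshold."""
    return [(k, *tradeoff(n, k, p_flaw, p_lost)) for k in range(1, n + 1)]


def smallest_threshold(n, p_flaw, p_lost, max_compromise, max_lockout):
    """Lowest k that meets both risk budgets, or None if no k does."""
    for k, compromise, lockout in sweep(n, p_flaw, p_lost):
        if compromise <= max_compromise and lockout <= max_lockout:
            return k
    return None


if __name__ == "__main__":
    # Constructed inputs: 10 enrolled factors, 5% chance each is broken,
    # 10% chance each is unavailable to its owner.
    for k, compromise, lockout in sweep(10, 0.05, 0.10):
        print(f"{k:2d}-of-10  compromise={compromise:.6f}  lockout={lockout:.6f}")
    print("smallest k within budget:",
          smallest_threshold(10, 0.05, 0.10, max_compromise=0.02, max_lockout=1e-3))
```

With these inputs, accepting any one of ten factors is compromised about 40% of the time, while 3-of-10 is near 1% and still almost never locks the owner out; requiring all ten drives compromise toward zero but locks the owner out about 65% of the time.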


and then you'd need 3 factors just to log in, let alone any additional MFA those have


Yeah, I guess it could be inconvenient. On the other hand for many things I don't need to log in very often due to cookies keeping me logged in.


You point out some problems, but how do we actually do these?

Without emails as the keys to the kingdom, what would you use?

Without a global identifier for a human person (like social security in the US), how would we declare that an identity is compromised?

While I believe your ideals are well-intentioned, I think they're impractical in our current society.

I would propose that an email is the key to the kingdom, that people who run custom domains and use them for email must deposit $500 in registration to do so (to ensure the domain is registered for their lifetime), and that they should be protected by a password plus 2FA with your phone being the other factor. And I propose that each person should be uniquely identifiable by an email address stored in a global publicly-accessible database.


I would suggest having a bank or similarly regulated institution manage identity recovery. They can declare a login invalid, and they can go through the process of KYC (drivers license, SSN, in-person visit, etc) to get you a new identity.

Think Facebook login except instead of an unrestricted entity that steals every piece of dignity it gets its hands on, it's a bank or legal custodian with strict responsibilities, penalties, and insurance in case of identity theft.


Central regulation of the identification is also subject to central censorship, discrimination, and oppression.


> Without emails as the keys to the kingdom, what would you use?

PKI. Service providers shouldn't give you access to an account just because you can prove you control an email address (during a narrow and predictable time window, no less). The simplest thing would be to encrypt the relevant part of the payload (the one containing the password reset link), so resets are only possible if you can receive the email and have the means of reading it in its "true" form.

Failing that (suppose you've not just lost your password but also the ability to decrypt the contents of the message), there should be an alternative, but the threshold for proving your identity should increase. It would ameliorate a lot if it meant that people had to show up in person somewhere. E.g., I show up at either the business's local branch (if there is one) or the USPS (or...) with my photo ID. From there, an attestation is generated that you really are who you say you are, and only with that attestation will your account be unlocked.


But Photo ID was forged long before the computers came along. There's always some way of getting around the security if you really want to. That is part of why we don't want to give in to electronic voting even though we work with computers.


This is not a retort. The claim is not that photo ID is unforgeable. The claim is that "it would ameliorate a lot if it meant that people had to show up in person somewhere".


> Without emails as the keys to the kingdom, what would you use?

From Ursula K. Le Guin's indispensable "Dispossessed":

“You're really much too polite for ...”

“For what?”

“For an anarchist,” she said, in her thin and affectedly drawling voice (it was the same intonation Pae used, and Oiie when he was at the University). “I'm disappointed. I thought you'd be dangerous and uncouth.”

“I am.”

She glanced up at him sidelong. She wore a scarlet shawl tied over her head; her eyes looked black and bright against the vivid color and the whiteness of snow all around.

“But here you are tamely walking me to the station, Dr. Shevek.”

“Shevek,” he said mildly. “No `doctor.'”

“Is that your whole name — first and last?”

He nodded, smiling. He felt well and vigorous, pleased by the bright air, the warmth of the well-made coat he wore, the prettiness of the woman beside him. No worries or heavy thoughts had hold on him today.

“Is it true that you get your names from a computer?”

“Yes.”

“How dreary, to be named by a machine!”

“Why dreary?”

“It's so mechanical, so impersonal.”

“But what is more personal than a name no other living person bears?”

“No one else? You're the only Shevek?”

“While I live. There were others, before me.”

“Relatives, you mean?”

“We don't count relatives much; we are all relatives, you see. I don't know who they were, except for one, in the early years of the Settlement. She designed a kind of bearing they use in heavy machines, they still call it a `shevek.'” He smiled again, more broadly. “There is a good immortality!”

Vea shook her head. “Good Lord!” she said. “How do you tell men from women?”

“Well, we have discovered methods...”

...

The five- and six-letter names issued by the central registry computer, being unique to each living individual, took the place of the numbers which a computer-using society must otherwise attach to its members. An Anarresti needed no identification but his name. The name therefore, was felt to be an important part of the self, though one no more chose it than one's nose or height.


That seems vulnerable to the Spartacus attack.


The denizens of Anarres don't own any personal belongings, having abolished private property. A cheap trick to circumvent bad actors.


But a name must have some use, or why have one?

Non-physical things such as a reputation can be stolen or at least borrowed, too.


There's a difference between an email address and a social security number in a way that the latter will still be around if you stop paying for it or something happens to you. In some way (at least for this threat model) a gmail address is better than one on your own domain as it's unlikely to go away or get taken over.


You can get locked from Gmail if Google decides to suspend your Account. It has already happened to lots of users, even G Suite ones and good luck trying to get it back.

Examples on HN: https://news.ycombinator.com/item?id=22146082

https://news.ycombinator.com/item?id=22705122

https://news.ycombinator.com/item?id=4013799


Google really sucks in this regard. You can also lose your account if someone hacks it and Google cannot determine who it belongs to, so it belongs to no one despite not being suspended.


Until Google decides to recycle unused account names: https://www.wired.com/2013/06/yahoos-very-bad-idea/


Why should my own domain be taken over? It can be taken over as easily as someone could take over my gmail.

I use my own domain on my own server with my own running mail server. Why should someone take that over?

Of course someone with state level hacking experience could do that, but I am not a target for those. Script kiddies have no luck, because you can't even log in from the Internet into my server; you will need to VPN in first.


My point wasn't about how gmail is perfect but that things that are under your control (domain you have to pay for, needs interaction from time to time) are more fragile sometimes than if they are not (social security number isn't going away).


That's the whole beauty with your own domain. They don't have to touch your server at all, it's enough if they can social engineer their way into your account at the DNS provider and point your domain to their own email server. Your security isn't even considered in this case. The only thing that can save you there is how good the DNS security is.


Unless Google arbitrarily decides to close your account (as has been known to happen) with no way to contact a human to correct things...


I want a private key embedded in a chip, that never leaves that chip, so all encryption and decryption happens on that chip—similar to how chip-and-pin credit cards work now. I'm identified by the corresponding public key. Then I want to embed that chip in my hand. Then I can unlock my car, house, computer, or phone and sign into any online service the same way: you send me a challenge token, I sign it with my private key then send it back.


And when I lose that chip, or it is damaged or stolen?


I guess the approaches taken with U2F tokens here (and FIDO2) make sense - have more than one token enrolled, and allow either to be used.

It's not perfect and there are usability issues around this, but they're mostly solvable. Needing both keys around to enrol into each service can be an issue, but this could be addressed by letting a user enrol other public keys as a delegate, and present a signed delegation token allowing that token to enrol a public key on behalf of an off-site token.

Revocation is the next issue - how do you revoke either of your tokens if stolen or compromised? PKI had this issue and ended up down the CRL Vs OCSP approaches. Clearly you need to be able to revoke without the token being present (maybe storing a signed revocation for A on your B token), and some kind of gossip-based network to spread the signed revocation around. That might avoid centralising it.

As long as your "chip" is designed as an ISO smartcard, you can also rely on pin protection (I'll ignore the implanted under skin aspect, other than to observe that does adjust the threat model as deniability around knowing the PIN is lost at that point. A duress PIN that validly unlocks but generates different keys would be a potential solution here for where mistaken identity can be used as an escape from an adversary).


Yeah, I just can't see getting my 75 year old dad to be able to use a system like that.


Agreed, although most of this will end up wrapped up into the token and system itself, I suspect.

U2F is pretty much a "key" (some even visually looking like keys) that is used pretty much like a physical key - put the key into the keyhole (USB port), and press the flashing light. Done.

That level of UX is what we all need to build towards!


Well, lost or stolen hopefully wouldn't happen if it's embedded in my hand—that's the point of embedding it in my hand!

To protect against damage—which is a very real possibility, of course—I'd put identical chips in each hand, and if one fails or gets damaged, then you'd have to rotate keys by replacing both chips.

And you could have a third identical chip/key (or a different private key on another device in a safe somewhere) as a further backup, as my sibling comment recommends.


I prefer losing the keys to my email than to lose my hand because someone wants to empty my bank account.


I'm not really concerned about that scenario, to be honest.


The security and privacy implications of this are horrifying to me, as are they to enough of the population that I doubt this will get widespread adoption.


Putting aside the embedded beneath the skin aspect (I share your concerns), this concept can actually work - see FIDO2 and U2F protocols. They're actually pretty good from a privacy perspective too, and give you unlinkability between services (as the key you present is derived from factors including the verified origin, i.e. URL, of the resource you're authenticating to).

Clearly the verified URL origin of something in the real world is complex, but there are ways to potentially make this work. Devices might have certificates for a URI, and this URI could be verifiable and convey attributes like the GPS coordinates to within 25m, that you can verify before authenticating. Users could presumably also whitelist certain origins (garagedoor.home.mydomain.net)

All of this apart from the subdermal part actually could work out well - a small number of people already do this via U2F, or even traditional smartcards.


I've thought about this a lot—I'm very interested in both security and privacy, so I wouldn't want to do this if I thought it would compromise either.

My current solution is that the device has three functions: encrypt/sign with private key, decrypt with private key, and send public key. They would be protected by a PIN—probably a six-digit alphanumeric pin. You might want to rate limit PIN attempts to one per second, as well.

With this scheme, I can't see how it would compromise privacy or security. No one can just scan your hand and know your identity, since you need the PIN to get your public key. And since all encryption/decryption happens on the chip, the chance that your private key gets stolen is pretty much as low as possible.

If you see any flaws with this scheme—I certainly wouldn't be surprised if there are, I just can't see any right now—please critique away!


This is a solved problem in many other countries. Instead of proposing some new solution maybe it would be better to copy an existing which has already proven to work.


Without sharing examples, this is effectively a non-answer. Thanks for the comment.


In Sweden, BankID covers well over 90% of the population between ages 20 and 60 with a unique electronic ID. (Including 98% of those between 20 and 40.) It supports identifying yourself with a credit card and pin using a card reader given to you by your bank or alternatively (and more commonly) a pin combined with a smartphone/computer that you have identified as being yours.


> BankID covers well over 90% of the population between ages 20 and 60

What do the other 206,868 people do?

If a similar system were implemented in the United States, that would leave 6,514,383 out. What do you do with six million people who can't be part of the standard ID scheme?


In 2015 9% of Americans had never sent an email. https://fivethirtyeight.com/features/lindsey-graham-isnt-alo...


And as a result we have a lot of bank accounts hacked over phone because people don't know how to use it. Or more importantly how NOT to use it. All it takes is a phonecall to someone, tell them someone is trying to hack into their bank account and they need to hurry and ID themselves because the thief is running off with their pension. The police get these kinds of cases every day.

I love BankID but I have been using it since the start and know the pitfalls to watch out for. Most people do not know the problems though.


You're going to have a hell of a time trying to sell that to 50 states and a handful of territories, all of which can't even implement REAL-ID properly.

What agency manages BankID in Sweden? I would imagine in a better world, the US Postal Service could be doing some of this work in the states at a federal level, but I wouldn't get my hopes up.


I'm not here to babysit you. If you were serious about wanting to make a suggestion you would have started by looking at the current solutions. Not doing that is just a waste of screen estate.


Maybe there should be some transparent way for mail servers to request public encrypted keys to an email address and any incoming mail gets decrypted by the private key. So if someone hijacks your domain any password reset emails should be gibberish unless they magically got the private key, in which case you have worse problems.

This is the only technique I think might work till someone social engineers people at Twitter.


CAEP provides this to some extent https://openid.net/wg/sse/ - but now you're asking for a whole bunch of systems to be able to talk about you in back channels which other people will find fault with.


We should be using biometric markers filtered through homomorphic encryption.

This way we can verify/prove our identity without handing over those markers to multiple 3rd parties.


Biometrics are unrevokable. If yours are compromised through some other way then you can’t trust biometric authentication for the rest of your life.


But that doesn’t matter! I hate this argument because it misses the point of biometric authentication as “something you are.” There’s no such thing as compromise or revocation. It’s a piece of public information that can’t be stolen or used by anyone other than yourself.

The world can have high def scans of my fingerprint for all it matters, they can’t produce a living human finger with the same print. And if you can’t reasonably ensure that you’re taking a reading from a living human then you shouldn’t be using biometrics.

Biometrics is not transmitting a picture of a fingerprint, it’s presenting your hand.

Having your email secured by a password locked by a device you trust doing biometric auth is perfectly fine. Having a website somehow store your print isn’t.


> Biometrics is not transmitting a picture of a fingerprint, it’s presenting your hand.

What would this "hand data" look like? A 3D model of a hand MRI or X-Ray?

Based on my understanding, in any form of biometric authentication, some amount of static data (i.e. the biometric database is not receiving a secure, updating feed of the state of your hand/body) is stored on the server and compared with the data transmitted for authentication. Biometrics change (fingerprints can be rubbed off from gardening, DNA mutates, etc.), so this static biometric data is something that is mostly environment-invariant.

If someone can compromise your "full hand scanner" or compromise the biometric database (which will inevitably happen), then you are compromised for life, since you cannot change your hand.


> If someone can compromise your "full hand scanner" or compromise the biometric database (which will inevitably happen), then you are compromised for life, since you cannot change your hand.

Suppose this happens. The world now knows all of your fingerprints. And at some point in the future you walk up to the desk of a datacenter where there's a security guard who physically takes your hand, inspects it, and places it on the scanner. Can someone other than you pass this check?

Biometrics are a hard, mostly unsolved problem, because the hard part is replacing the human security guard who verifies that you're scanning a real person's hand. For not super security sensitive applications TouchID, FaceID, and friends are good enough because most people aren't in Face Off or Mission Impossible.


> It’s a piece of public information that can’t be stolen or used by anyone other than yourself.

The point here is that this is completely wrong. Biometrics can be stolen and they're unreplaceable. There's no device in the world that can be sure it's reading a fingerprint from a living human. Drop a quick query into Google, you'll find dozens of methods that fool Apple's TouchID and that's probably one of the more robust implementations as it makes it rather difficult to do something like replace the sensor and feed in fake data directly to the system. There's only so much you can do to tell human flesh from inanimate objects when all you have is a tiny fingerprint sensor.

> Biometrics is not transmitting a picture of a fingerprint, it’s presenting your hand.

Biometrics is read with sensors, sensors produce data, data can be copied. If you were to publish scans you would have effectively allowed anyone the information needed to fake your fingerprint and authenticate as you. That's the definition of compromise.


Encryption isn't about making something impenetrable, it's about making it more difficult. For example, modern encryption is very difficult for present-day computers to crack, but won't be that hard for quantum computers to crack.

Also, you're discounting the possibility of multiple layers of biometric + non-biometric authentication. Password/Private-Key + retina scan + left big toe-print scan >= Password/Private-Key.

I also think there are ways to authenticate your identity outside of static data-points if there's a trusted 3rd party real-time system involved.


If you take the position that nobody, even a human sitting at a desk taking prints by hand, can verify that they’re reading from a living human then biometrics and every “something you are” auth is totally useless for all applications.

If you think of biometric auth as “the scan of your eye/hand/whatever is just a password” then I can’t help you and of course that system can be compromised. “Upload a PDF of your fingerprint" is the silliest auth system of all time.


> “the scan of your eye/hand/whatever is just a password” then I can’t help you and of course that system can be compromised.

Unless you have a human to sit there and validate that they're reading from an actual human, isn't this essentially what biometric auth is? Am I missing something here? No reasonably sized machine can certainly do the needed verification with the limited information they have.

Not to mention - if it were to be heavily relied upon for security for a very high value target, say one of those bitcoin vaults with hundreds of millions of dollars locked away, you can certainly envision a world where you could get grafted silicone fingertips installed by a plastic surgeon that would likely fool humans based on the exact sort of data leak we discussed.


I totally agree with you, this is why biometrics are this weird open for machines, but solved for humans problems. If you don't trust the scanner then it's useless. Depending on your threat model you can do really fancy stuff like retina scans that detect blood flow and temperature or TouchID for less-sensitive stuff like a screen lock.

> You can certainly envision a world where you could get grafted silicone fingertips.

If you built a system that's so secure that this is the lengths you have to go to beat it then you would be an overnight billionaire if you brought it to market. Like at this point you've achieved human-level verification. Assuming it was small enough to go in phones it would be revolutionary!


It sounds like both your biometric information and your password is actually stored on your local machine, then.

What happens when you lose the local machine?


Indeed. What if you are a super responsible person, but there is unrest in a country you are visiting or live in, through no fault of your own and you are unable to pay a renewal. Or you fall sick and go to the hospital.


At minimum register a domain and email forward the wildcard address for it to your daily driver. Use this for important things and don't forget to renew.

Edit: you can do all this on namecheap pretty easily.


2FA works well in many instances if your email gets hacked


"assume that a public key cryptosystem exists"


Some organisation will try to own it and then users will be at the risk of getting banned and losing themselves.


Gmail is only a single failure point if you let it be one though - set up 2fa on all your accounts, and this problem is solved.


Google bans/locks/deletes accounts for arbitrary reasons all the time, with absolutely zero recourse for the user.



