
You point out some problems, but how do we actually do these?

Without emails as the keys to the kingdom, what would you use?

Without a global identifier for a human person (like social security in the US), how would we declare that an identity is compromised?

While I believe your ideals are well-intentioned, I think they're impractical in our current society.

I would propose that an email is the key to the kingdom, that people running custom domains and using them for email must deposit $500 in registration to do so (to ensure the domain is registered for their lifetime), and that they should be protected by a password plus 2FA with your phone being the other factor. And I propose that each person should be uniquely identifiable by an email address stored in a global publicly-accessible database.




I would suggest having a bank or similarly regulated institution manage identity recovery. They can declare a login invalid, and they can go through the process of KYC (driver's license, SSN, in-person visit, etc) to get you a new identity.

Think Facebook login except instead of an unrestricted entity that steals every piece of dignity it gets its hands on, it's a bank or legal custodian with strict responsibilities, penalties, and insurance in case of identity theft.


Central regulation of the identification is also subject to central censorship, discrimination, and oppression.


> Without emails as the keys to the kingdom, what would you use?

PKI. Service providers shouldn't give you access to an account just because you can prove you control an email address (during a narrow and predictable time window, no less). The simplest thing would be to encrypt the relevant part of the payload (the one containing the password reset link), so resets are only possible if you can receive the email and have the means of reading it in its "true" form.

Failing that (suppose you've not just lost your password but also the ability to decrypt the contents of the message), there should be an alternative, but the threshold for proving your identity should increase. It would ameliorate a lot if it meant that people had to show up in person somewhere. E.g., I show up at either the business's local branch (if there is one) or the USPS (or...) with my photo ID. From there, an attestation is generated that you really are who you say you are, and only with that attestation will your account be unlocked.


But Photo ID was forged long before the computers came along. There's always some way of getting around the security if you really want to. That is part of why we don't want to give in to electronic voting even though we work with computers.


This is not a retort. The claim is not that photo ID is unforgeable. The claim is that "it would ameliorate a lot if it meant that people had to show up in person somewhere".


> Without emails as the keys to the kingdom, what would you use?

From Ursula K. Le Guin's indispensable "Dispossessed":

“You're really much too polite for ...”

“For what?”

“For an anarchist,” she said, in her thin and affectedly drawling voice (it was the same intonation Pae used, and Oiie when he was at the University). “I'm disappointed. I thought you'd be dangerous and uncouth.”

“I am.”

She glanced up at him sidelong. She wore a scarlet shawl tied over her head; her eyes looked black and bright against the vivid color and the whiteness of snow all around.

“But here you are tamely walking me to the station, Dr. Shevek.”

“Shevek,” he said mildly. “No ‘doctor.’”

“Is that your whole name — first and last?”

He nodded, smiling. He felt well and vigorous, pleased by the bright air, the warmth of the well-made coat he wore, the prettiness of the woman beside him. No worries or heavy thoughts had hold on him today.

“Is it true that you get your names from a computer?”

“Yes.”

“How dreary, to be named by a machine!”

“Why dreary?”

“It's so mechanical, so impersonal.”

“But what is more personal than a name no other living person bears?”

“No one else? You're the only Shevek?”

“While I live. There were others, before me.”

“Relatives, you mean?”

“We don't count relatives much; we are all relatives, you see. I don't know who they were, except for one, in the early years of the Settlement. She designed a kind of bearing they use in heavy machines, they still call it a ‘shevek.’” He smiled again, more broadly. “There is a good immortality!”

Vea shook her head. “Good Lord!” she said. “How do you tell men from women?”

“Well, we have discovered methods...”

...

The five- and six-letter names issued by the central registry computer, being unique to each living individual, took the place of the numbers which a computer-using society must otherwise attach to its members. An Anarresti needed no identification but his name. The name therefore, was felt to be an important part of the self, though one no more chose it than one's nose or height.


That seems vulnerable to the Spartacus attack.


The denizens of Anarres don't own any personal belongings, having abolished private property. A cheap trick to circumvent bad actors.


But a name must have some use, or why have one?

Non-physical things such as a reputation can be stolen or at least borrowed, too.


There's a difference between an email address and a social security number in a way that the latter will still be around if you stop paying for it or something happens to you. In some way (at least for this threat model) a gmail address is better than one on your own domain as it's unlikely to go away or get taken over.


You can get locked from Gmail if Google decides to suspend your account. It has already happened to lots of users, even G Suite ones, and good luck trying to get it back.

Examples on HN: https://news.ycombinator.com/item?id=22146082

https://news.ycombinator.com/item?id=22705122

https://news.ycombinator.com/item?id=4013799


Google really sucks in this regard. You can also lose your account if someone hacks it and Google cannot determine who it belongs to, so it belongs to no one despite not being suspended.


Until Google decides to recycle unused account names: https://www.wired.com/2013/06/yahoos-very-bad-idea/


Why should my own domain be taken over? It can be taken over as easily as someone could take over my gmail.

I use my own domain on my own server with my own running mail server. Why should someone take that over?

Of course someone with state level hacking experience could do that, but I am not a target for those. Script kiddies have no luck, because you can't even log in from the Internet into my server; you will need to VPN in first.


My point wasn't about how gmail is perfect but that things that are under your control (domain you have to pay for, needs interaction from time to time) are more fragile sometimes than if they are not (social security number isn't going away).


That's the whole beauty with your own domain. They don't have to touch your server at all, it's enough if they can social engineer their way into your account at the DNS provider and point your domain to their own email server. Your security isn't even considered in this case. The only thing that can save you there is how good the DNS security is.


Unless Google arbitrarily decides to close your account (as has been known to happen) with no way to contact a human to correct things...


I want a private key embedded in a chip, that never leaves that chip, so all encryption and decryption happens on that chip—similar to how chip-and-pin credit cards work now. I'm identified by the corresponding public key. Then I want to embed that chip in my hand. Then I can unlock my car, house, computer, or phone and sign into any online service the same way: you send me a challenge token, I sign it with my private key then send it back.


And when I lose that chip, or it is damaged or stolen?


I guess the approaches taken with U2F tokens here (and FIDO2) make sense - have more than one token enrolled, and allow either to be used.

It's not perfect and there are usability issues around this, but they're mostly solvable. Needing both keys around to enrol into each service can be an issue, but this could be addressed by letting a user enrol other public keys as a delegate, and present a signed delegation token allowing that token to enrol a public key on behalf of an off-site token.

Revocation is the next issue - how do you revoke either of your tokens if stolen or compromised? PKI had this issue and ended up down the CRL vs OCSP approaches. Clearly you need to be able to revoke without the token being present (maybe storing a signed revocation for A on your B token), and some kind of gossip-based network to spread the signed revocation around. That might avoid centralising it.

As long as your "chip" is designed as an ISO smartcard, you can also rely on PIN protection (I'll ignore the implanted under skin aspect, other than to observe that does adjust the threat model as deniability around knowing the PIN is lost at that point. A duress PIN that validly unlocks but generates different keys would be a potential solution here for where mistaken identity can be used as an escape from an adversary).
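
The delegated enrolment and pre-signed revocation described in the comment above, as an added Go sketch that is not part of the thread. Assumptions: Ed25519 keys stand in for the tokens, the `Service` type and the message labels are hypothetical, the revocation is signed in advance by the key it revokes (as with an OpenPGP revocation certificate), and the service issues each challenge fresh and single-use; spreading revocations by gossip is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Service is a hypothetical relying party; every name here is illustrative.
type Service struct{ enrolled, revoked map[string]bool }

// msg domain-separates statements: an enrolment proof can never pass as a revocation.
func msg(kind string, parts ...[]byte) []byte { return append([]byte(kind+":"), bytes.Join(parts, nil)...) }

// verify rejects malformed keys first (ed25519.Verify panics on a bad key length).
func verify(k ed25519.PublicKey, m, sig []byte) bool {
	return len(k) == ed25519.PublicKeySize && ed25519.Verify(k, m, sig)
}

func (s *Service) active(k ed25519.PublicKey) bool { return s.enrolled[string(k)] && !s.revoked[string(k)] }

// EnrolViaDelegate needs two signatures: the present token signs the service's
// fresh challenge plus the new key, and the off-site token's delegation names that token.
func (s *Service) EnrolViaDelegate(delegate, offsite ed25519.PublicKey, challenge, proof, delegation []byte) bool {
	ok := s.active(delegate) && !s.revoked[string(offsite)] &&
		verify(delegate, msg("enrol", challenge, offsite), proof) &&
		verify(offsite, msg("delegate", delegate), delegation)
	s.enrolled[string(offsite)] = s.enrolled[string(offsite)] || ok
	return ok
}

// Revoke accepts a revocation the key pre-signed for itself, so the lost token need not be present.
func (s *Service) Revoke(k ed25519.PublicKey, sig []byte) bool {
	ok := verify(k, msg("revoke", k), sig)
	s.revoked[string(k)] = s.revoked[string(k)] || ok
	return ok
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(nil) // token A, carried daily
	pubB, privB, _ := ed25519.GenerateKey(nil) // token B, kept off-site
	s := &Service{map[string]bool{string(pubA): true}, map[string]bool{}}
	deleg := ed25519.Sign(privB, msg("delegate", pubA)) // signed before B went off-site
	revA := ed25519.Sign(privA, msg("revoke", pubA))    // pre-signed, stored with B
	c := []byte("constructed-challenge")
	proof := ed25519.Sign(privA, msg("enrol", c, pubB))
	fmt.Println("enrol B:", s.EnrolViaDelegate(pubA, pubB, c, proof, deleg))
	fmt.Println("revoke A:", s.Revoke(pubA, revA), "A active:", s.active(pubA), "B active:", s.active(pubB))
}
```

Once the revocation for A is accepted, A can neither authenticate nor act as a delegate, while B stays enrolled.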


Yeah, I just can't see getting my 75 year old dad to be able to use a system like that.


Agreed, although most of this will end up wrapped up into the token and system itself, I suspect.

U2F is pretty much a "key" (some even visually looking like keys) that is used pretty much like a physical key - put the key into the keyhole (USB port), and press the flashing light. Done.

That level of UX is what we all need to build towards!


Well, lost or stolen hopefully wouldn't happen if it's embedded in my hand—that's the point of embedding it in my hand!

To protect against damage—which is a very real possibility, of course—I'd put identical chips in each hand, and if one fails or gets damaged, then you'd have to rotate keys by replacing both chips.

And you could have a third identical chip/key (or a different private key on another device in a safe somewhere) as a further backup, as my sibling comment recommends.


I prefer losing the keys to my email than to lose my hand because someone wants to empty my bank account.


I'm not really concerned about that scenario, to be honest.


The security and privacy implications of this are horrifying to me, as are they to enough of the population that I doubt this will get widespread adoption.


Putting aside the embedded beneath the skin aspect (I share your concerns), this concept can actually work - see FIDO2 and U2F protocols. They're actually pretty good from a privacy perspective too, and give you unlinkability between services (as the key you present is derived from factors including the verified origin, i.e. URL, of the resource you're authenticating to).

Clearly the verified URL origin of something in the real world is complex, but there are ways to potentially make this work. Devices might have certificates for a URI, and this URI could be verifiable and convey attributes like the GPS coordinates to within 25m, that you can verify before authenticating. Users could presumably also whitelist certain origins (garagedoor.home.mydomain.net)

All of this apart from the subdermal part actually could work out well - a small number of people already do this via U2F, or even traditional smartcards.
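
The unlinkability point in the comment above, as an added Go sketch that is not part of the thread and is a simplified model rather than the FIDO2 wire format. Assumptions: the hypothetical `Token` derives each key pair as HMAC-SHA256(device secret, origin) used as an Ed25519 seed, and the origins and secret are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Token is a hypothetical authenticator holding one secret that never leaves it.
type Token struct{ secret []byte }

// keyFor derives the per-origin key: HMAC-SHA256(secret, origin) is the Ed25519 seed.
func (t Token) keyFor(origin string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, t.secret)
	mac.Write([]byte(origin))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32 bytes, the required seed size
}

// Register returns the public key that the service at origin stores for this user.
func (t Token) Register(origin string) ed25519.PublicKey {
	return t.keyFor(origin).Public().(ed25519.PublicKey)
}

// Sign answers a challenge with the key for the origin the client verified
// (in a browser: the TLS-authenticated origin, never a string the page supplies).
func (t Token) Sign(verifiedOrigin string, challenge []byte) []byte {
	return ed25519.Sign(t.keyFor(verifiedOrigin), challenge)
}

// Accepts is the service side: it checks the response against the key it stored at registration.
func Accepts(stored ed25519.PublicKey, challenge, sig []byte) bool {
	return len(stored) == ed25519.PublicKeySize && ed25519.Verify(stored, challenge, sig)
}

func main() {
	tok := Token{secret: []byte("constructed device secret")}
	bank, shop, lookalike := "https://bank.example", "https://shop.example", "https://bank.example.lookalike.test"
	pkBank, pkShop := tok.Register(bank), tok.Register(shop)
	fmt.Println("same key at two services:", pkBank.Equal(pkShop))
	c := []byte("constructed-challenge") // issued by the bank
	fmt.Println("response from the bank's origin:", Accepts(pkBank, c, tok.Sign(bank, c)))
	fmt.Println("response from a lookalike origin:", Accepts(pkBank, c, tok.Sign(lookalike, c)))
}
```

Two services comparing their stored public keys see unrelated values, and a response produced under any other origin fails verification against the key the real service stored.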


I've thought about this a lot—I'm very interested in both security and privacy, so I wouldn't want to do this if I thought it would compromise either.

My current solution is that the device has three functions: encrypt/sign with private key, decrypt with private key, and send public key. They would be protected by a PIN—probably a six-digit alphanumeric pin. You might want to rate limit PIN attempts to one per second, as well.

With this scheme, I can't see how it would compromise privacy or security. No one can just scan your hand and know your identity, since you need the PIN to get your public key. And since all encryption/decryption happens on the chip, the chance that your private key gets stolen is pretty much as low as possible.

If you see any flaws with this scheme—I certainly wouldn't be surprised if there are, I just can't see any right now—please critique away!


This is a solved problem in many other countries. Instead of proposing some new solution maybe it would be better to copy an existing which has already proven to work.


Without sharing examples, this is effectively a non-answer. Thanks for the comment.


In Sweden, BankID covers well over 90% of the population between ages 20 and 60 with a unique electronic ID. (Including 98% of those between 20 and 40.) It supports identifying yourself with a credit card and pin using a card reader given to you by your bank or alternatively (and more commonly) a pin combined with a smartphone/computer that you have identified as being yours.


> BankID covers well over 90% of the population between ages 20 and 60

What do the other 206,868 people do?

If a similar system were implemented in the United States, that would leave 6,514,383 out. What do you do with six million people who can't be part of the standard ID scheme?


In 2015, 9% of Americans had never sent an email. https://fivethirtyeight.com/features/lindsey-graham-isnt-alo...


And as a result we have a lot of bank accounts hacked over the phone because people don't know how to use it. Or more importantly how NOT to use it. All it takes is a phone call to someone, tell them someone is trying to hack into their bank account and they need to hurry and ID themselves because the thief is running off with their pension. The police get these kinds of cases every day.

I love BankID but I have been using it since the start and know the pitfalls to watch out for. Most people do not know the problems though.


You're going to have a hell of a time trying to sell that to 50 states and a handful of territories, all of which can't even implement REAL-ID properly.

What agency manages BankID in Sweden? I would imagine in a better world, the US Postal Service could be doing some of this work in the states at a federal level, but I wouldn't get my hopes up.


I'm not here to babysit you. If you were serious about wanting to make a suggestion you would have started by looking at the current solutions. Not doing that is just a waste of screen estate.



