Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Bitcoin Privacy Security Software The Internet Technology

Blockchains Are Poised To End the Password Era (technologyreview.com) 129

schwit1 shares a report from MIT Technology Review: Blockchain technology can eliminate the need for companies and other organizations to maintain centralized repositories of identifying information, and users can gain permanent control over who can access their data (hence "self-sovereign"), says Drummond Reed, chief trust officer at Evernym, a startup that's developing a blockchain network specifically for managing digital identities. Self-sovereign identity systems rely on public-key cryptography, the same kind that blockchain networks use to validate transactions. Although it's been around for decades, the technology has thus far proved difficult to implement for consumer applications. But the popularity of cryptocurrencies has inspired fresh commercial interest in making it more user-friendly.

Public-key cryptography relies on pairs of keys, one public and one private, which are used to authenticate users and verify their encrypted transactions. Bitcoin users are represented on the blockchain by strings of characters called addresses, which are derived from their public keys. The "wallet" applications they use to hold and exchange digital coins are essentially management systems for their private keys. Just like a real wallet, they can also hold credentials that serve as proof of identification, says Reed. Using a smartphone or some other device, a person could use a wallet-like application to manage access to these credentials. But will regular consumers buy in? Technologists will need to create a form factor and user experience compelling enough to convince them to abandon their familiar usernames and passwords, says Meltem Demirors, development director at Digital Currency Group, an investment firm that funds blockchain companies. The task calls for reinforcements, she says: "The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."

This discussion has been archived. No new comments can be posted.

Blockchains Are Poised To End the Password Era

Comments Filter:
  • Sorry (Score:2, Informative)

    by Anonymous Coward

    "The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."

    Sorry, ethics died a year ago.

    • Re:Sorry (Score:5, Insightful)

      by NicknameUnavailable ( 4134147 ) on Friday December 01, 2017 @06:44PM (#55661419)

      "The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."

      We literally need none of those people, they're just the buddies of the people who write stupid articles like this.

      • Yeah, I voted this swill down as "stupid" this afternoon -- apparently that convinced them it would get a lot of clicks and needed to run post haste. LOL

    • Re:Sorry (Score:5, Informative)

      by gweihir ( 88907 ) on Friday December 01, 2017 @07:29PM (#55661649)

      Quite to the contrary of the article, some experts (derided as "geeks" in the article) are currently exploring what the blockchain is all _not_ good for or at least not any better than traditional solutions. Unfortunately, that likely includes basically everything, with a slight chance that some variant of the failed "currency" angle ("Bitcoin") may be salvageable if there is a way to reliably curb speculation and create stability.

      In fact, I am currently supervising a BA thesis in this area and I expect that a mostly negative result will save the industry-partner a ton of money. I also already told the student that a negative result can certainly get a good grade if argued and justified well (same as a positive result, really). I have a second thesis lined up with a different student and industrial partner. Will be interesting to see what the outcomes are, but I do expect a "not now" or a "not ever unless special conditions are met".

      Incidentally, "ethics" in the commercial space these days means "how can we manage to not get caught and still get rich". And please keep out the sociologists and designers, they really are mostly useless with very few exceptions.

      • NASDAQ is introducing a BTC futures market in 2018. Futures markets have the effect of smoothing thrash and adding longer term stability to a commodity.

        • by gweihir ( 88907 )

          I know. That is why I think the "currency" angle may be salvageable. Will be interesting to see whether that works or not.

          • I would argue that bitcoin works brilliantly as a currency (though not much else: I can't imagine how it would work to keep track of your private info). It will never work as a day-to-day currency: you won't commonly go to buy pizza or laundry detergent with it, but for large transactions it can work great. Note also that this has been a problem historically with gold: people didn't mostly do day-to-day transactions with gold.
            • by gweihir ( 88907 )

              Usefulness as a currency and usefulness as a speculation object are mutually exclusive. Bitcoin is currently a complete fail as currency.

              • Bitcoin is currently a complete fail as currency.

                This is either ignorant or an outright lie: it fails to acknowledge the actual uses of bitcoin as a transaction medium. In brief many of the transactions e-gold was used for, bitcoin has taken over.

                I don't any bitcoin at all (I wish I did), but come on, if you're advising BA theses, you better get your head screwed on straight.

                • by gweihir ( 88907 )

                  You seriously do not get it. Fascinating. It is fortunately I do not supervise your thesis, you would fail completely. Your analytical skills suck.

                  • Your analytical skills suck.

                    And you had none. Your post is pure insults.

                    But I can insult you too: if you think the only use for bitcoin is a speculation object, you're just ignorant. Fortunately ignorance can be cured, stupidity is forever.

      • As I understand it, blockchain is like a bunch of trees growing in synchonicity. Exact duplicates. If a tree doesn't grow exactly the same, it is considered defective and cut down.

        A blockchain might function as a web accessible smart card or key fob which functions for all accessible websites. This keyfob would need to be protected in some way.
        • Re: (Score:3, Insightful)

          by gweihir ( 88907 )

          This keyfob would need to be protected in some way.

          While your picture is somewhat correct and somewhat wrong, this really is the key-point. Incidentally, this is already the key-point with a password, but there it is relatively easy to do. All those that got weakly protected customer passwords stolen in the last few years were just grossly incompetent in protecting them. It is well known (to experts) how to do that right: salt, hash, iterate and in newer times add a large-memory property. PBKDF2 was the standard since at least 2000 and and is still doing re

          • Makes sense, but still doesn't give me a complete picture.

            The block chain stores your/my public keys, and I guess any public keys of entities you/I do business with.

            Where do your/my private keys go? And how are they kept secured?
            • by gweihir ( 88907 )

              I have no idea.

              • I'm not sure I do either, getting totally confused by this blockchain concept. I think my comment was intended for another poster who said the blockchain/wallet would act as some kind of PKI management database. Facilitating the use of public and private key pairs for the general public at a lower cost than the current going rates of SSL certificates. So if this thing works, SSL cert vendors might go out of business, as "root" authorities will no longer be required. The blockchain will be the root CA, in so
                • by gweihir ( 88907 )

                  Indeed. I can actually not see any added value compared to a simple distributed database, like the PGP key servers. To me, it seems that the efforts to justify the value of the blockchain for _something_ are getting more and more desperate. A typical hype-cycle.

      • I know next to nothing about blockchains, and cryptocurrencies have always looked to me like the dumbest financial "innovation" since the South Seas Company. But I sort of vaguely thought that blockchains MIGHT be useful as sort of the digital equivalent of Notarization of paper documents. For example, imagine a trust set up by lawyers for any of the thousand usual nefarious purposes or maybe even some legitimate purpose. The trustee is incarcerated for unrelated acts having to do with failing to touch t

      • Incidentally, "ethics" in the commercial space these days means "how can we manage to not get caught and still get rich".

        As described by my ethics people where I work, ethics literally means following company policy. If you are following written company policy, then it's ethical, and if not, it isn't. Whether it's legal or moral has no bearing on if it's ethical.

  • by CaptainDork ( 3678879 ) on Friday December 01, 2017 @06:18PM (#55661255)

    ... with, apparently, no experience:

    ... a startup that's developing a blockchain network specifically for managing digital identities.

    • by Luthair ( 847766 )
      Based on past stories that made it to the front page its the same sort of fine journalism one can expect from the MIT Technology Review.
  • Ad (Score:2, Informative)

    by Anonymous Coward

    See subject

  • As someone who needs to sign in with a password to a server possibly a hundred times a day, this sounds like it could possibly be hell.
    • by gweihir ( 88907 )

      And as somebody that uses certificate-based logins (ssh) regularly, I wonder what problem they are trying to solve....

      • The problem of how to squander the hundreds of millions being poured into blockchain startups by VC's that mostly don't even understand what it is
      • How often do you change your certificates? If an admin that worked for you a year ago got your private key and then got canned in a very nasty manner, would it still be valid or do you change it every 90 days or so?
      • by u801e ( 1647927 )

        And as somebody that uses certificate-based logins (ssh) regularly, I wonder what problem they are trying to solve....

        A better problem to solve would be to have a more intuitive UI for managing client side TLS certificates. It would be nice if I could just use a client side TLS certificate to authenticate myself on Slashdot instead of (or in addition to) a username and password.

  • Sounds idiotic (Score:2, Interesting)

    by Anonymous Coward

    Blockchain wallets have to be secured, else anyone can impersonate the user and do what they will with the contents. So what would a blockchain credential system be? An online password wallet, in effect, exactly as secure as the protection on the wallet... which is either going to be what you have (an app on your device) or what you know (a password).
     

    • by Desler ( 1608317 )

      It is idiotic, but since it uses “blockchain” in it that means they’ll easily score heaps of VC money to burn for years.

  • by PhantomHarlock ( 189617 ) on Friday December 01, 2017 @06:38PM (#55661373)

    If everyone uses one private/public key set for everything, then if that is compromised then the third party gets access to absolutely everything and can impersonate the user?

    For those of us who use different usernames/emails/passwords from server to server that seems like a downgrade in security.

    Tell me I'm wrong and I'm missing something. I've used PGP in the past and use keys for SSH logins but I've never used blockchain related stuff.

    • by Monster_user ( 5075027 ) on Friday December 01, 2017 @06:48PM (#55661445)
      It is simply a password manager for more complex passwords.

      A downgrade in security most definitely, but it should have the same pros and cons of a password manager.
    • by DarkOx ( 621550 )

      As an individual quite possibly as an organization not so much. Right now attackers go after the authentication/authorization server / infrastructure (very often AD but not always). Its the first and primary target because if they can compromise that odds are good some of the following become true:

      1) They can authorize some existing account they have access to already
      2) They can change the authentication information for an account they want access to
      3) They can get the authentication information in bulk,

      • The blockchain essentially becomes the"root certificate. If an individual account is compromised but the "root certificate" (block chain) is not, the key for that account (password) can be "revoked" or "changed".
        However, there will most likely be a window of opportunity before the "certificate" gets revoked, that is there is a window before the block chain is forked by a trusted authority, or otherwise before the integrity of the block chain is restored and the fraudulent access chain is no longer trusted
    • There is no third party that needs to be trusted.

      Basically, you would open an account with your bank, and tell them that you have already registered id/PhantomHarlock. They would give you specs for a public key pair and a subidentifier. You'd create a private key to their requirements and publish the corresponding public key under the subidentifier they will be looking for.

      When you go to log in, you type in your username and their system consults the global distributed database. It finds the subidentifie

      • So your describing it as part of a three factor authentication, where two factors are pairs of PGP keys, where both public keys are stored in publically accessible databases, and the third factor is a temporary secret?

        Where does the audit trail of blockchain come into play?
        • No, it's 1 factor. It relies on 1 thing you know (your private key) presented over a single channel (the internet).

        • It is either 1 or 2 "factors" depending on user choice. That it isn't obvious says a lot about the uselessness of that system for classifying authentication schemes.

          I didn't really explain how the blockchain figured into it, but after that it is a textbook-standard public key authentication system with some dress-up for the web. We could do it today if we wanted to.

          The blockchain part is for key management, also known as "the hard part of PKI". Basically, you only need to communicate one identifier to ev

          • I don't see an advantage to blockchain in your comment. Blockchain is used to make PKI management eaiser? I can't visualize the entire concept, start to finish. In order to understand what advantage blockchain has over other options, or to understand where vulnerabilities might occur. I wouldn't know how to implement blockchain to manage PKI for my own use, not in a manner I trusted to be secure.
      • If you trust the bank's published public key, then you're not getting anything beyond the current method of trusting their SSL cert.
        Having a one time challenge presented is pointless within the context of an SSL-encrypted session.

        There's simply no benefit to such a scheme over creating a username and password for each site and using a password manager.

        The most impact you could have is the authenticating system's database not having to keep a copy of your hashed password for someone to eventually steal and t

        • SSL involves trusting a few thousand third parties. The system I described would have zero. That would be worth the price of admission by itself.

          Second benefit: you can change your key just by updating your public record. No need to contact the other party and let them know.

          Third benefit: no one but you can change your key.

    • by ceoyoyo ( 59147 )

      As far as I can tell, the blockchain bit is clickbait. They're talking about public key encryption and signing.

  • LOL (Score:5, Funny)

    by EvilSS ( 557649 ) on Friday December 01, 2017 @06:45PM (#55661425)

    users can gain permanent control over who can access their data

    So yea that's definitely not going to happen.

  • by Anonymous Coward

    Translation:
    Lets take Public Key/Private Key (ie PGP) methods, combine it with "BlockChain CryptoCurrency" words, and then get suckers that have more money than brains (or tech knowledge) to fund a startup that goes nowhere.

    • Its reinventing the wheel, but it is a different technique/implementation.

      Does the blockchain mindset or methodology provide a superior visualization or understanding of the beat use implementation of the solution?

      Can people understand it better, so they can use it better?
      • People don't understand a blockchain or public/private keys or anything. The OP is right, just another guy trying to make a buck from VCs, and trying to avoid real work.
        • I just had a thought. A block chain is sticking a tracking device on a credential, and following it around the network. If that credential shows up going two different directions at once that would be a pretty big red flag. Might have some place in corporate or enterprise authentication methods.
  • Of course, nothing like that is true or even desirable. This story is utter nonsense. Credentials (whether passwords, certificates or seeds for OTP mechnisms) are under company control so their servers can access them easily and so they can revoke them fast. The blockchain has absolutely no place here. Incidentally, when it comes to public identities, the blockchain is about as useful as the PGP server network, albeit more complicated and more expensive, i.e. useless. The one thing that makes these identiti

  • by Anonymous Coward

    These days a single bitcoin transaction uses as much electricity as a home does in a week. How long before it requires a similar amount of computation, and by extension, energy, just to open a goddamn file?

  • There is currently a technology out there right now that addresses all the problems inherent in profile/passwords, i.e. they get shared, lost, site must hold a secret for user. SQRL (https://www.grc.com/sqrl/sqrl.htm) handles all that and more so why not just implement that tech? Admittedly there is going to be some cost but when/if it scales up it will the answer to all of those questions.
  • You should be. The possibility of the ultimate loss of all privacy to the government should be scaring the bee-jeep-ers out of everyone!

  • How many times have we heard about some new technology that is going to obviate the need for the lowly password?
  • Another idiot who doesn't understand the tech proclaiming that it'll replace a tried and true standard when he doesn't really understand the scenarios where his product works or not.
    Join the masses of idiots who said biometrics are going to replace passwords, among others.

    Should've ignored it. Here's the red flag: "the geeks are working on it right now"

  • Yes, your private key is protected by a ... password. And nobody's ever had their bitcoin wallet hacked. I'm not saying blockchain technology brings nothing to the table, but it's certainly not a panacea.
  • Whenever someone says 'blockchain', they're almost certainly leading into selling you an inefficient solution that doesn't apply to the problem they think it does.

    Just say 'no' to blockchains.

  • I've been intrigued by blockchain for months... but feel frustrated by the (lack of) technical material I can find on the subject.

    I definitely want to use (something with what I understand to be the properties of) blockchain for a few different purposes:

    • Not-easily-falsifiable audit. I would like my (internet facing) application to record every relevant event - and provide confidence that the events could not (reasonably) have been tampered with ex-post. Essentially, I'd like to be able to demonstrate that
  • This from a guy with a deep, deep interest for that assertion to be true.

We are not a loved organization, but we are a respected one. -- John Fisher

Working...