backback
back
backback
backback
backback

Unlock the Future: Passkey + DID + FIDO - Exploring the Next Generation of Digital Wallets and Identities

#Wallet#Compliance#Security
2023-05-29
image-cover

Passkey, DID (Decentralized Identifiers) and FIDO (Fast Identity Online) are three technologies that together can change the way we approach digital identity and security, especially in the next generation of digital wallet applications.

  1. Passkey: Passkey is a secure method of identity proofing, generally referred to as a word identity private key or password. In blockchain or other cryptographic applications, Passkey usually refers to a private key used to prove a user's ownership or control of a digital resource Passkey provides strong security, but the challenge of managing and protecting Passkey is also considerable. 2.
  2. DID (Decentralized Identifiers): DID is a decentralized identification method. Each DID is unique and does not rely on any central authority to verify identity. DID can run independently of any particular blockchain and is portable, providing a decentralized, autonomous authentication method that helps protect personal privacy and prevent identity theft.

FIDO (Fast Identity Online): FIDO is a multi-factor authentication framework that seeks to establish secure and user-friendly authentication methods to replace traditional passwords. Passkey and DID can be combined to provide multiple layers of security.

The common goal of all three technologies is to provide a secure, private, convenient and controlled digital identity solution. Using Passkey (private key or password) as the primary identity proofing tool, leveraging the decentralized nature of DID to enhance identity autonomy and portability, and adding biometric or physical device multi-factor authentication through the FIDO framework can greatly enhance the security and user experience of digital identity and digital wallets.

The three key elements of identity verification

To prove that a person is indeed who they claim to be, the following three requirements need to be met, also known as three-factor authentication:

  1. "What you are": This involves personal identity features such as iris, fingerprints, and biometric features such as facial recognition. These biometric features can be verified by fingerprint scanning, iris scanning, or face recognition.
  2. "What you have": This refers to physical objects or assets, including two-step authentication (2FA) mechanisms such as private keys, tokens, keys, bank cards, physical devices (e.g., Unikey), or cell phone authentication. These physical objects can be used to verify your ownership, such as using a key to enter a specific venue or a bank card to make a transaction.
  3. “What do you know”: This refers to confidential information that only the user knows, such as passwords, personal identification numbers (PINs), or answers to secret questions. This information can be used as part of identity verification, such as entering the correct password at login.

These requirements play an important role in the know-your-customer (KYC) process in areas such as financial institutions. International laws and regulators require financial institutions to collect this necessary and mandatory information to ensure the authenticity of customers' identities and to protect against the risks of terrorists, blacklisted customers and identity theft. Such a verification process also helps financial institutions gain an edge over their competitors by enabling fast and fully digital customer onboarding.

The principle of identity verification in KYC is linked to the concept of the private key, which can be seen as a form of "what you own" and serves as proof of ownership of digital assets.

DID: Infrastructure for an Online Democratic Society

In a decentralized world, proof of identity becomes even more important as an infrastructure for our cyber-democratic society:

  1. Personal control: DID gives individuals direct control over their identity data. Traditional authentication methods typically rely on centralized organizations that own and manage the identity information of users. DID, however, enables individuals to own and control their own identity data without relying on any central authority. This increased personal control contributes to a more just and equitable society.
  2. Decentralized Trust: DID does not rely on the authentication of a single central authority, but is built on a decentralized trust mechanism. Through the use of distributed technologies such as blockchain, DID can provide globally verifiable proof of identity without relying on the control and scrutiny of a single entity. This decentralized trust mechanism helps reduce reliance on centralized authority and promotes a fair, transparent and open network environment.
  3. Security and protection against witch attacks: DID is designed to protect against witch attacks, which are attacks that create multiple false identities to deceive or influence a system. By requiring users to provide real identity information and verify it, DID is able to counteract witch attacks and ensure the authenticity and trustworthiness of accounts. This helps to maintain the security and stability of the network and provides a reliable online environment for users.
  4. Global Interoperability: DID is a globally verifiable method of identification that is not restricted by geography or industry. This means that individuals can easily share and verify their identity across platforms and services, facilitating global interoperability and the development of the digital economy. the existence of DID helps break down information silos and provides a more convenient and efficient way to manage identities.

DID meets the three elements of identity verification: the owner (Who you are?), the knowledge (What you know?), and the possessions (What do you have?). It provides a powerful way to defend against Witch Attacks (a witch attack is an attack technique that deceives or influences the system by creating multiple false identities).

Authentication is an effective way to prevent witch attacks by requiring users to provide real identity information and verify it to ensure the authenticity of the account, which prevents attackers from manipulating the system by creating multiple false identities.

From account passwords to passkeys: the evolution of account verification

In the early days of the Internet, people used to create their own account passwords to log in directly. However, as the number of websites increased, their security mechanisms for passwords began to differ. This led us to think about whether different passwords were needed for different sites. As the number of sites grows, each site also requires regular password updates. This made it gradually impossible to rely on the human brain to remember all the passwords. Therefore, we started using password managers to help us manage these passwords.

Although password managers have helped us solve some problems, such as not relying on our brains to remember all our passwords, they still don't completely solve all the security risks. Using a password manager means we need to store our passwords in centralized corporate services, and if those companies are hacked, our passwords may be known.

Because of this, we need better authentication systems to improve security. That's why public-private key systems and other powerful authentication methods have emerged. These methods use more sophisticated encryption and authentication mechanisms and offer higher security guarantees.

For example, Passkey systems use asymmetric encryption to prove "you are you" and each person has his or her own private key.

Each person has his or her own private key and stores the public key where it needs to be authenticated. This way, even if someone hacked into a service provider, they wouldn't be able to get our private keys because they only exist on our own devices. This approach provides greater security while reducing reliance on centralized companies.

The evolution of account authentication can be divided into four stages as follows:

  1. Initial stage: In the early days of the Internet, people simply created their own accounts and passwords to access various websites and applications.
  2. Two-factor authentication: As the number of websites increased, they began to implement stronger security mechanisms by introducing two-factor authentication. This means that in addition to using an account password, additional authentication methods such as SMS authentication codes or security keys are required.
  3. Multi-factor authentication: As security requirements increase, multi-factor authentication becomes a common practice. In addition to account passwords and SMS authentication codes, biometrics (e.g. fingerprints, face recognition) or hardwired authentication devices (e.g. physical devices) can be used to verify identity.
  4. Asymmetric encryption: Today, public-private key systems are a more secure option. This system uses a pair of keys, including a public key and a private key. The public key is used to encrypt the data, while the private key is used to decrypt and verify the identity. The public-private key system provides higher security and the ability to prevent unauthorized access.

Past limitations and present advances

The concept of public-private key pairs has been around for a long time in cryptography, but the popularity of using this concept in everyday account password management (i.e., passwordless login or pass-through keys) has relied on the development of many infrastructures and the development of standards. The support of major technology companies such as Microsoft, Apple and Google, as well as the development and promotion of open authentication standards like FIDO, have all played an important role in driving the popularity of this passwordless login technology.

These companies and standards organizations provide the tools and frameworks necessary to make passwordless access easier for developers. In addition, they provide users with convenient interfaces and tools that make it easier for them to manage their keys without having to delve into the details of cryptography.

However, with any technological development comes challenges. Passkey, or passwordless login, applies the concept of public and private keys to everyday account passwords. In this case, we must find a balance between security and convenience. Each person has a key, and each identity is a key, and we can define how public and private keys are generated and destroyed depending on the situation and security level. How to ensure the protection of private keys and how to create a good user experience are the issues we need to face.

Conclusion: A vision of the future of wallets

Passkey offers better privacy protection and user control, and a good experience in use, but it also brings some new responsibilities and challenges. In the same way that encrypted wallets manage private keys, when we adopt this technology, the responsibility for the custody of the key reverts back to us.

This means that if we lose or forget our key, then we may not be able to access our account or data because no other person or organization can help us recover it. In some cases, this may result in the loss of data that cannot be retrieved. Therefore, as we have more control, we also need to manage our keys more responsibly and ensure that we have proper backup and recovery mechanisms in place.

This change may take some time and education to help users understand their new responsibilities and learn how to manage their keys securely and effectively. However, despite these challenges, the benefits of passwordless login technology and encrypted wallets make them a worthwhile technology to adopt, especially today when the need for privacy and security is increasing.

We can foresee a future where wallets are composed of DID, as well as emerging technologies such as Abstracted Accounts (AA). Such structures can avoid a return to centralization and allow users to separate addresses from owners, thereby increasing the privacy of transactions. Large technology companies such as Apple, Google may also play an important role. Finally, we need to remember that the future of wallets will be composed of technologies such as Passkey, DID, and FIDO (e.g., Ledger uses the FIDO U2F standard as the authentication device for 2FA), and they will be key to Web 3.0.