Slashdot Mirror


Blockchains Are Poised To End the Password Era (technologyreview.com)

schwit1 shares a report from MIT Technology Review: Blockchain technology can eliminate the need for companies and other organizations to maintain centralized repositories of identifying information, and users can gain permanent control over who can access their data (hence "self-sovereign"), says Drummond Reed, chief trust officer at Evernym, a startup that's developing a blockchain network specifically for managing digital identities. Self-sovereign identity systems rely on public-key cryptography, the same kind that blockchain networks use to validate transactions. Although it's been around for decades, the technology has thus far proved difficult to implement for consumer applications. But the popularity of cryptocurrencies has inspired fresh commercial interest in making it more user-friendly.

Public-key cryptography relies on pairs of keys, one public and one private, which are used to authenticate users and verify their encrypted transactions. Bitcoin users are represented on the blockchain by strings of characters called addresses, which are derived from their public keys. The "wallet" applications they use to hold and exchange digital coins are essentially management systems for their private keys. Just like a real wallet, they can also hold credentials that serve as proof of identification, says Reed. Using a smartphone or some other device, a person could use a wallet-like application to manage access to these credentials. But will regular consumers buy in? Technologists will need to create a form factor and user experience compelling enough to convince them to abandon their familiar usernames and passwords, says Meltem Demirors, development director at Digital Currency Group, an investment firm that funds blockchain companies. The task calls for reinforcements, she says: "The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."


  1. Sorry by Anonymous Coward · · Score: 2, Informative

    "The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."

    Sorry, ethics died a year ago.

    1. Re:Sorry by NicknameUnavailable · · Score: 4, Insightful

      "The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."

      We literally need none of those people, they're just the buddies of the people who write stupid articles like this.

    2. Re:Sorry by gweihir · · Score: 4, Informative

      Quite to the contrary of the article, some experts (derided as "geeks" in the article) are currently exploring what the blockchain is all _not_ good for or at least not any better than traditional solutions. Unfortunately, that likely includes basically everything, with a slight chance that some variant of the failed "currency" angle ("Bitcoin") may be salvageable if there is a way to reliably curb speculation and create stability.

      In fact, I am currently supervising a BA thesis in this area and I expect that a mostly negative result will save the industry-partner a ton of money. I also already told the student that a negative result can certainly get a good grade if argued and justified well (same as a positive result, really). I have a second thesis lined up with a different student and industrial partner. Will be interesting to see what the outcomes are, but I do expect a "not now" or a "not ever unless special conditions are met".

      Incidentally, "ethics" in the commercial space these days means "how can we manage to not get caught and still get rich". And please keep out the sociologists and designers, they really are mostly useless with very few exceptions.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. These are experts ... by CaptainDork · · Score: 3, Informative

    ... with, apparently, no experience:

    ... a startup that's developing a blockchain network specifically for managing digital identities.

    --
    It little behooves the best of us to comment on the rest of us.
  3. Ad by Anonymous Coward · · Score: 2, Informative

    See subject

  4. Sounds idiotic by Anonymous Coward · · Score: 2, Interesting

    Blockchain wallets have to be secured, else anyone can impersonate the user and do what they will with the contents. So what would a blockchain credential system be? An online password wallet, in effect, exactly as secure as the protection on the wallet... which is either going to be what you have (an app on your device) or what you know (a password).
     

  5. bottleneck vulnerability? by PhantomHarlock · · Score: 5, Insightful

    If everyone uses one private/public key set for everything, then if that is compromised then the third party gets access to absolutely everything and can impersonate the user?

    For those of us who use different usernames/emails/passwords from server to server that seems like a downgrade in security.

    Tell me I'm wrong and I'm missing something. I've used PGP in the past and use keys for SSH logins but I've never used blockchain related stuff.

    1. Re: bottleneck vulnerability? by Monster_user · · Score: 3, Insightful

      It is simply a password manager for more complex passwords.

      A downgrade in security most definitely, but it should have the same pros and cons of a password manager.

  6. LOL by EvilSS · · Score: 4, Funny

    users can gain permanent control over who can access their data

    So yea that's definitely not going to happen.

    --
    I browse on +1 so AC's need not respond, I won't see it.
  7. Re:Admin hell by gweihir · · Score: 2

    And as somebody that uses certificate-based logins (ssh) regularly, I wonder what problem they are trying to solve....

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. Re:Um... that's exactly when Private Keys are best by sexconker · · Score: 2

    If you're always signing into something like that, then you should have already set up a public/private key solution for yourself, fool.

    Seriously. This is why our computing experience sucks; we've got fools like "fluffernutter" running things.

    Work smart, not hard.

    Many systems don't support such a setup. Most systems (servers, networking gear, UPS, building/infrastructure management, etc.) still require a simple password as the lowest level authentication mechanism.

    And how the FUCK would a key pair help? You still need to present the private key somehow. Carry it with you? Gee, better not carry it in plaintext, so you better encrypt it in some sort of reversible way. With a password.

    DERP.

    And finally, working smart doesn't mean you don't have to work hard. Why not work smart and hard?

  9. Re:A password does not a private key make. by sexconker · · Score: 2

    Every password is a private key.

    It may not be a private key in a public/private key pair. But it's a secret (key) that is known only to you (private).
    It may or may not be used in the same cryptographic manner (hashing vs. encryption) as a public/private key pair. But it's a secret (key) that is known only to you (private).

  10. Re:Admin hell by sexconker · · Score: 3, Insightful

    Erp? How does that help anything? If you're not providing your password each time you authenticate, then somewhere it exists in an accessible form to some automated system. Using keys? You need to encrypt them (with a password). There's no getting around it. A password is at the heart of all proper authentication schemes because it is the only method that is even possible to be secure. It is the secret, the "something you know", that exists only in your head. Nothing changes if you use it to encrypt a key or a keychain or a password database or whatever else.

  11. Re: Blockchain may not be all good, but it ain't a by gweihir · · Score: 2, Insightful

    This keyfob would need to be protected in some way.

    While your picture is somewhat correct and somewhat wrong, this really is the key-point. Incidentally, this is already the key-point with a password, but there it is relatively easy to do. All those that got weakly protected customer passwords stolen in the last few years were just grossly incompetent in protecting them. It is well known (to experts) how to do that right: salt, hash, iterate and in newer times add a large-memory property. PBKDF2 was the standard since at least 2000 and is still doing reasonably well with good parameters. Don't use it for new designs though. Argon2 is the new standard. Both are not hard to use, but you need to know about them and understand why they work and that relatively low level of expert knowledge was already not available in all these hacked companies.

    So the blockchain really has no place here as it does not solve the problem, and it also does not make it easier to solve.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
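
The storage scheme described in the comment above (salt, hash, iterate, add a memory-hard property), as an added example that is not part of the original thread. Python's standard library has no Argon2, so scrypt stands in here as the memory-hard function; the record format, function names and parameter values are assumptions of this sketch.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch; tune them to your hardware.
PBKDF2_ITERS = 600_000
SCRYPT = {"n": 2**14, "r": 8, "p": 1}  # 128 * n * r = 16 MiB of memory per hash


def _derive(scheme, password, salt, params):
    pw = password.encode("utf-8")
    if scheme == "pbkdf2-sha256":  # salted and iterated, but not memory-hard
        return hashlib.pbkdf2_hmac("sha256", pw, salt, params["iters"], dklen=32)
    if scheme == "scrypt":  # memory-hard stand-in for Argon2
        return hashlib.scrypt(pw, salt=salt, n=params["n"], r=params["r"],
                              p=params["p"], dklen=32)
    raise ValueError(f"unknown scheme {scheme!r}")


def hash_password(password, scheme="scrypt", params=None):
    """Return a self-describing record: scheme$params$salt_hex$hash_hex."""
    if params is None:
        params = dict(SCRYPT) if scheme == "scrypt" else {"iters": PBKDF2_ITERS}
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = _derive(scheme, password, salt, params)
    encoded = ",".join(f"{k}={v}" for k, v in sorted(params.items()))
    return f"{scheme}${encoded}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Return (ok, needs_rehash); needs_rehash flags records below current policy."""
    scheme, encoded, salt_hex, digest_hex = record.split("$")
    params = {k: int(v) for k, v in (kv.split("=") for kv in encoded.split(","))}
    digest = _derive(scheme, password, bytes.fromhex(salt_hex), params)
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    current = scheme == "scrypt" and params == SCRYPT
    return ok, ok and not current


if __name__ == "__main__":
    legacy = hash_password("correct horse", "pbkdf2-sha256", {"iters": 1000})
    print(verify_password("correct horse", legacy))  # valid, but due for upgrade
```

When `needs_rehash` comes back true on a successful login, the service can call `hash_password` again with the just-verified password and replace the stored record, which migrates old PBKDF2 entries without a forced reset.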
  12. Re:Admin hell by Dorianny · · Score: 2

    The problem of how to squander the hundreds of millions being poured into blockchain startups by VC's that mostly don't even understand what it is