No passwords: how a distributed registry authentication system works
In several posts on Habré we have mentioned the passwordless authentication solution from REMME. Its CEO, Alexander Momot, spoke at our Kiev Blockchain & Bitcoin Conference. He explained what is wrong with passwords and how their distributed-ledger authentication system is built. Below is a transcript of his talk.
1. Passwords are uncomfortable
According to Alexander, the idea for REMME came to him in 2014: he took part in the Ethereum ICO and, a year and a half later, decided to check his wallet. But, as it turned out, he had forgotten the password. Only after three days of trying a multitude of options did he find the right combination. After that, Alexander began to think seriously about the fact that passwords are an extremely inconvenient thing and ought to be replaced by something else.
Today the average Internet user owns dozens of accounts, and most people reuse only 3-4 password combinations across them. A list of the 1000 most popular passwords (12345678, qwerty, abc123, etc.) opens 90% of all accounts in the world. But even those who use complex unique passwords and keep them somewhere inaccessible are not immune to a compromise of the system: traditional protection methods have other weak points.

2. Cyber attacks cause huge losses to business
The main vulnerability of many systems is the central server. If there is a single point of failure, the system can be hacked, and most often this comes down to the human factor. According to Alexander, 100% of the account compromises on the Kraken exchange are due to precisely this factor: phishing, interception of data in the channel, password reuse, brute force and server compromise (the source is insider information). And this is on an exchange with a reputation as the safest.
As further examples, Alexander mentioned cyber attacks on critical infrastructure in Ukraine and videos in which a moving smart car was hacked. He also cited Deutsche Bank statistics of hundreds of thousands of attacks per year, and several high-profile cryptocurrency exchange cases: Coincheck (half a billion dollars stolen, circumstances of the hack unknown) and Bitfinex (800 bitcoins stolen; there are reports that an exchange administrator fell for phishing).
REMME itself ran into phishing attempts during its token sale. But since the company specialises in cybersecurity, the attacks were unsuccessful.
So in most cases cyber attacks target the central server and exploit the human factor. The total damage from them is $6-7 trillion a year.

3. A cure for phishing: website authentication
REMME works in cybersecurity in two markets in parallel. First, it issues security certificates for websites, protected against compromise and forgery. This is not a very large market; it is estimated at about $2 billion. A well-known analogue is what Google offers: a means of checking whether a certificate is valid.
Second, the company operates in the access-management market. The established solution in this area is 2FA, two-factor authentication. It is not very popular among cryptocurrency services, but large firms, banks and financial companies make up a large market, already valued at $10 billion. In a few years it will reach approximately $15 billion.
According to Alexander, any technology entering the market must have three qualities: simplicity, security and business value. Otherwise it will not catch on.
A negative example, in his view, is two-factor authentication on Bittrex. At login you must enter a username and password; when logging in from a new IP address you must additionally confirm by e-mail, and then enter your login and password again. This 2FA complicates logging in to the site, so many users simply disable it. The current norm in technology is that making something better and safer usually means making it more complicated.
4. Simple 2FA on the blockchain and instant messengers
REMME builds on existing SSL/TLS technology, the certificate used to verify a website. In the project, however, the certificate is used differently: it not only confirms the validity of the site but also confirms the identity of the user, granting them access to the server.
To illustrate the REMME principle more clearly, Alexander used an airport as an example. When a passenger arrives in another country, their document is checked against a database. If the person is not on a wanted list, they are allowed into the country. REMME works similarly: the certificate's status is stored in the blockchain (active/inactive). If the certificate is active, the user is let in. The second factor is confirmation of the user's identity in Telegram or any other messenger. The result is two-factor authentication in two clicks. No data is typed in, and phishing attacks become impossible.

The blockchain in REMME is used only to store certificate status. This information is public and does not need to be encrypted. Moreover, all user data (for example, the private key and the computer's certificate) is stored with the user, not on the server. Everything needed can be obtained from the certificate. This solves the problem of storing user data.
According to Alexander, REMME's developers are now tackling integration with traditional businesses. Some of the company's clients (telecoms, power plants) use SCADA systems from Siemens, ABB and General Electric, so REMME's solution needs to be integrated on the side of those manufacturers. Companies could then simply enable REMME authentication in the boxed product.
REMME offers users a certificate for $1. This is cheaper than the market average, where the cost reaches $500. Nodes on the REMME blockchain have the right to issue certificates: if consensus is reached, the certificate will be valid with 100% probability. The probability that it will be stolen or otherwise compromised is extremely low, because there is no central authority against which such an attack could be directed. The token is used to issue a certificate: a coin is sent to a node's address, and the network node then allows the certificate to be generated. More tokens are needed to run your own node. In addition, a small amount is spent on every transaction to protect the network from DDoS.
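The two-factor flow described above, as an added Go example that is not REMME's code: an in-memory map stands in for the chain's certificate-status record, a self-signed Ed25519 X.509 certificate stands in for the user's certificate, and a boolean stands in for the messenger confirmation; the nonce and names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Registry stands in for the ledger (assumed model): the talk says the chain stores one thing
// per certificate, its status, keyed here by the SHA-256 fingerprint of the DER encoding.
type Registry map[string]string

const StatusActive, StatusInactive = "active", "inactive"

func Fingerprint(der []byte) string { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }

// Authenticate applies both factors from the talk: possession of the private key behind an active,
// unexpired certificate (proven by signing a fresh server nonce), then the out-of-band confirmation.
func Authenticate(reg Registry, certDER, nonce, sig []byte, confirmed bool, now time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) { return errors.New("certificate expired or not yet valid") }
	if reg[Fingerprint(certDER)] != StatusActive { return errors.New("certificate not active in registry") } // never issued or revoked
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) { return errors.New("challenge signature does not verify") }
	if !confirmed { return errors.New("second factor (messenger confirmation) missing") }
	return nil
}

// NewUserCert issues a self-signed Ed25519 certificate for the demo. Self-signing is an assumption:
// the page does not describe how a node signs the user's certificate.
func NewUserCert(name string) ([]byte, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der, priv, err
}

func main() {
	der, priv, _ := NewUserCert("alice")
	reg := Registry{Fingerprint(der): StatusActive}
	nonce := []byte("constructed-server-nonce") // a real server draws a fresh random nonce per login
	fmt.Println("login ok:", Authenticate(reg, der, nonce, ed25519.Sign(priv, nonce), true, time.Now()) == nil)
}
```

Revocation in this model is just flipping the status to inactive; the next login attempt fails at the registry check, with no password to reset.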

5. A good custom blockchain means reliability
REMME runs on a custom blockchain, but the project's tokens follow the ERC-20 standard. The main reason for choosing this standard is the need to integrate with existing exchanges and other services. The custom blockchain was chosen for security and reliability reasons. The two interact via an inter-blockchain migration mechanism (the ERC-20 token is transferred to the internal blockchain).
Alexander explained why the REMME project was not originally built on the Ethereum blockchain: “We do something on Ether, and then a nuclear plant employee cannot log in to the system — I personally would not want such a situation.” According to Alexander, Vitalik Buterin's network is still at an early stage of development. The probability that something will happen to Ether is quite high, and the project's own creators do not deny this. REMME believes that when it enters into business contracts it takes on those risks. The developers' goal was also to create a blockchain with high throughput, since the company's potential customers (telecoms) have user counts in the hundreds of millions. Ethereum's capabilities in this regard seemed insufficient to the developers.
7. Tokens and dollars
At REMME the certificate price is fixed in dollars, but the token price is quite volatile and is set on exchanges, so there is an exchange rate between token and certificate. As Alexander explains, this system is built for the convenience of partners, who need a fixed figure for budgeting. The certificate currently costs $1 per user per year, and the token price, according to coinmarketcap.com, is $0.019. The project team has laid the groundwork for a rise in the token price: each node receives 90% of the certificate's value. Of this, 45% is received immediately and 45% is locked for a year and released gradually. This will create conditions for the token price to rise.
Alexander Momot spoke at Blockchain & Bitcoin Conference Kyiv in the Development & Tokenization track (the second track was Finance & Regulation). Other speakers included Infrastructure Minister Volodymyr Omelyan, head of the State Agency for Electronic Governance Oleksandr Ryzhenko, President of Ukrainian Investment Holding Mark Ginsburg, and CKR LAW LLP partner Gordon Einstein.
Our next blockchain conference in the CIS will be held in Tbilisi on June 20. Details and the programme are on the official site.