DEV Community

loading...

Discussion on: The Password Struggle

Collapse
tootomthumb profile image
tootomthumb

The need to replace usernames/passwords with something that is easy to use, operates on any platform, inexpensive and secure has been a challenge that many security experts have recognised for over 20 years. Unfortunately that's a big challenge.

By developing a whole new field of cryptography MIRACL miracl.com has managed to do just that. It uses Identity Based Encryption and a Zero Knowledge Proof protocol meaning this one-step login process is resistant to Credential Stuffing, Man-in-the-Middle and Phishing attacks, just to name a few.

The Multi Factor Authentication is provided with Something You Own being a software token and Something You Know being your PIN. Importantly the PIN only remains in your head and is not stored or verified by any other server. It works by recombining your PIN with the software token to create a cryptographic key - LOCALLY! Once you have a key you can prove your rights to authenticate on the service verifying you. Importantly NO PERSONAL DATA is stored or transferred at any point!

There's bucket loads to explain but in comparison to some other alternatives mentioned here like SQRL, MIRACL Trust doesn't require any form of hardware like a secure keycard, biometric reader or even mobile. So it can be deployed on any platform such as desktop, mobile, smart TVs or anything that can run a browser or a native app.

Unlike 2nd step protocols using things like SMS Texts or authenticator apps, it is single step. One PIN and you're in. Nor does it require a download or installation of any software, although a native mobile app will need to incorporate some SDKs.

Versus Biometrics, no personal information is collected directly or passively (your face/fingerprint or the way you type for instance). You use a PIN and the PIN is YOUR secret and yours alone. You do not have to send it anywhere and it cannot be stolen from the infrastructure. If you do forget it, it is a simple matter to re-enroll your accessing device/browser.

I know it sounds almost too good to be true and since it is proprietary you might be worried that it's priced for big banks. True, big banks use the solution but it has been designed to work with large, relatively low value, B2C networks of any size...1-100,000,000. The first 1000 uses are free each month and it is entirely free for any non-profit/charitable/academic use. You can try it out here trust.miracl.cloud/get-started.

FULL DISCLOSURE: I'm the Chief Commercial Officer of MIRACL Technologies Ltd but disregarding my conflicted position, I think it is an awesome solution that I would be proud to have you guys test, (try to) break and hopefully use in the future!

More than that I would love to have the discussion or debate(!) here, to get some real feedback from the folks who make things happen.

Collapse
cristinaruth profile image
Cristina Ruth Author • Edited

This is an interesting concept. Thanks for sharing!

Are you able to share any data in terms of your production use today? What is the largest system your solution implemented on, and how many estimated users are on that?

Since this solution requires only a PIN, I would assume that there would be very low occurrences of forgot password cases. Is this correct?

Collapse
tootomthumb profile image
tootomthumb

Hi Christina, I can share a bit :)

Experian UK and Credit Agricole are both users of the SaaS system and those numbers are quite large although not the whole enterprise/customer network.

Our cryptographic IP has been purchased and is in use by some of the largest companies and organisations in the world, given these are embedded in their products I have to be careful with details. Includes one of the top two largest internet and semiconductor companies. Also organisations like a branch of the US Military.

Our solutions are not limited for PINs either we can create a solution which we call Password + which has all the advantages ZKP, single pass MFA, blocks 98% of attacks BUT uses a password!!! (all locally).

PINs are great because there is a lot of user familiarity with Chip-n-Pin and as you say they are relatively short and easy to remember versus a 12 digit, alphanumeric, uppper/lowercase, inc symbol password!

So you would expect a reduction in forgetting them, but if they do, it is easy to re-enroll.