A Broken Model
Every single day, you use passwords to log into some kind of online service. If you're like most people, you probably reuse some of the same passwords across multiple services. That this is bad practice is something we've all heard so frequently that it's as easy to ignore as the “Promotions” section of our inboxes.
Remembering all your passwords is hard enough, but changing them regularly, and keeping them 12+ characters long with a whole bunch of $#!? thrown in is a challenge for even the most security-minded among us.
Password managers like LastPass, 1Password, and Dashlane are a godsend in this regard. But while password managers are super helpful, they address the symptom instead of the root cause of the problem.
The symptom, in this case, is the difficulty of managing passwords. The reason that passwords are difficult to manage is because there are so damn many of them. And the reason there are so many of them is because every single service you use has to store their own copy of your password, so that they can verify that you are who you say you are when you try to access their service.
Passwords are supposed to be secrets. And yet we share these secrets, duplicate them, and spread them across databases all over the internet. There's even a name for it: it's literally called the “shared secret” paradigm of authentication. We wish we were kidding.
Shared secret is an oxymoron. And this oxymoron is the root of the authentication problem. Shared secret means there are countless siloed password databases strewn all over the internet containing your secrets, waiting to be compromised by increasingly sophisticated attackers.
There’s a high chance that at least one of the services you've used in the past has been breached, and it’s likely that your authentication data was part of that breach. There's a helpful tool for finding that out here, but it only works for services that report breaches...and not every service does. Many services don’t even know they’ve been breached!
What's worse is that more often than not, attackers use previously breached passwords to compromise new accounts and services, so it's a vicious cycle and a self-perpetuating problem that only gets worse by the day.
At the heart of this problem is the fact that authentication to date has been built to convenience businesses rather than their users (you): it's simply easier for a company to design something that works for just their service vs. something that works for all services. The irony is that this design has created systemic vulnerabilities that put every business and user at risk. Furthermore, security is a 24x7 job, and most companies don’t keep their database security up to date in real time.
We believe that the solution to this root problem is a user-owned authentication method which doesn’t rely on sharing secrets. That's where NuID comes in. We enable services to authenticate you without them having to store your passwords. Passwords are secrets after all, and only you should know your secrets.
A Secret Cave
But how do you prove you know your secret to the service you want to use, if you haven’t previously shared it with them? And if they don't know the secret, who does? No one? How would that work?
These are some of the questions that make what is known as zero knowledge cryptography so interesting as well as pertinent to solving the shared secret problem. A zero knowledge proof is a way of proving to a verifier that you know your secret without revealing anything about that secret.
A classic example of a zero knowledge proof: imagine you visit a mountain with your friend Locke (the “prover”) and see two caves next to each other. You enter into each cave separately, thoroughly inspect them, but find no connecting passageway between them.
Locke claims he knows a secret passageway between the caves. He wants to prove it to you but without (a) giving away the secret, or (b) allowing you to prove to others that he knows the secret. In effect, he wants to prove he knows the secret while giving away zero knowledge.
So now you and Locke stand outside the two caves and you turn around so that you can’t see the entrances. Locke walks into one of the caves, though you don’t know which one. You then turn around and randomly choose the left or right entrance and call to Locke to come out that side. If Locke does so correctly, there is a 50% chance that he got lucky and was already in the cave you called out. But there is also a 50% chance that he was in the other cave and did in fact use his knowledge of the secret passageway to come out the side you called.
If you then repeat this process many times over and Locke is able to correctly exit the cave you call out every single time, you will conclude that it is nearly impossible that Locke got lucky every time and that therefore, he must have knowledge of the secret passage (to learn more about this metaphor, check out the detailed story linked above). In this case, Locke has proven to you that he knows the secret between the caves in zero knowledge.
At NuID we decided to point this technology at the shared secret problem: we use zero knowledge proofs to generate, based on your password, non-sensitive zero knowledge reference parameters, akin to a mathematical version of the caves in the example above, and register these parameters immutably on a blockchain. When you next want to authenticate yourself to a service that uses NuID, NuID's solution enables you to prove you know your password without having to reveal or share it with that service.
You can now prove you know your secret without revealing it to anyone, just like Locke.
Putting the User in Control
For services with a need to authenticate users, zero knowledge authentication removes the need to take on the risk of storing passwords, which completely eliminates the risk of a password breach—with nothing to store, attackers have nothing to steal. From a risk mitigation perspective, this is pretty huge. It’s akin to a bank that doesn’t store cash: it doesn’t stand to lose much if it’s robbed and it’s less likely to get robbed in the first place.
Eliminating the risks of storing passwords isn’t the only benefit of zero knowledge authentication. This authentication method turns what used to be a private secret, that needed to be stored independently by every service, into a public challenge (your “mathematical caves”) that only you can solve in zero knowledge. As a result, these public credentials don’t need to be controlled or managed by individual services to keep them safe.
Instead, NuID stores these parameters on a decentralized blockchain network because, as it turns out, blockchains are really good for storing things that you don’t want tampered with or owned and controlled by anyone else (more information on how blockchains work).
For NuID, a blockchain serves the function of a secure public registry where authentication parameters can be immutability stored and used for logging into services, without relying on an intermediary to manage those parameters. And because those parameters are scoped specifically for the creation of a zero knowledge proof of your password during authentication, your passwords themselves are never stored on the blockchain (or anywhere!). With NuID, you’re the sole proprietor of your authentication data.
The confluence of blockchain technology and zero knowledge cryptography afford us this new way to authenticate users online, where you own your own credentials. We call this “trustless authentication” because you don’t need to trust anyone to store, protect, or control your authentication data.
A New Model
With these public, blockchain-based credentials, users can bring the same identity to many, or all of the services they use online.
Think of it like a drivers license. Instead of having a unique ID for every bar, store, and place that requires you to prove who you are, you have just one unified identity card which you use everywhere. In essence, what NuID provides is similar to “Sign in with Google/FB/Twitter”, but instead of linking to your social media account (or requiring you to have one in the first place), you as the user would provide a zero knowledge proof to a previously registered blockchain entry.
We started with a problem: passwords are hard to manage. The root cause of the problem is that every service needs to store their own copy of your password. Rather than finding new ways to keep track of passwords, we feel that the the solution demands an entirely new model that enables users to bring their own identity to different services they use, which would mean no longer needing a different password for every service you use on the Internet.
We hope to build on this foundation of trustless authentication to one day enable other personal data to be owned only by the individual, allowing businesses to focus more on building value for their users.
At the end of the day, we believe that users should be able to own and control their own digital identities. Since authentication data is the primary enabler of digital identity (you can’t access your accounts without your passwords), we think that the best way to herald a user-owned digital identity model for the Internet is by first enabling user-owned authentication.