This interview was originally posted on the PIA website.
PIA sat down with Locke Brown, Co-founder and CEO of NuID. We spoke about the importance of Trustless Authentication, the issues surrounding the traditional online password, the future of NuID, and he gave some tips for staying secure online.
Private Internet Access: Hi Locke, thank you for taking the time to speak with me today. Can you tell me a little bit about yourself and how you got into cryptocurrency?
Locke Brown: I’m originally from Birmingham, Alabama. Then I went to school just outside of Los Angeles at Claremont McKenna College. I studied math and econ. I was the lunatic running around campus in 2013 talking about Bitcoin.
I’ve always been into computers, gaming, tech, not coding so much, although I built a lot of websites when I was younger. Math, science, and econ are kind of my jam. I’ve always been into investing. In fact, I also got my master’s in finance while I was at Claremont McKenna.
During college I did an internship at Google, and decided I wanted to go into finance following school. So I went and worked up in Seattle after I graduated in 2014, for Bill Gates’ private investment office. It was pretty wild; I was a trader there for a couple of years and then moved over to the private investment side.
The last year and a half or so that I was there, around 2016, myself and the COO started an internal blockchain working group because blockchain was kind of getting hot again. At that point, I had lost way too many Bitcoin on things like online gambling and random stuff. Of course, it wasn’t worth as much as it is today. It’s worth noting that I mined Bitcoin back in my college dorm. I had one of the first ASIC miners, so I’ve always been into this space, and it was good to get back into the space and follow it more closely. It was also around that time that I started using PrivateInternetAccess; I had a dedicated IP back in 2016, so I thought it was cool when you guys reached out.
PIA: What motivated you to start NuID?
LB: I was thinking about digitizing things like real estate assets and car titles. Then I happened to meet this guy Nolan Smith through a mutual friend. He was a data scientist at Microsoft at the time. We met on a hike outside of Seattle, and we hit it off immediately. We ended up getting dinner and going down the rabbit hole. We spent a lot of 2016 in my basement, which we called the cave, just exploring a lot of stuff in the cryptography and blockchain world, and stumbled into zero knowledge proof cryptography, which ended up becoming a large part of what we do in our core technology.
We had a lot of ideas, but for them to work we needed a certain type of distributed system. We also needed identity to be trusted, right? A better version of identity than what we have today, which is just create a username and password with every service you use and let it get hacked.
So we’re like, okay, authentication is the layer there that really needs to be fixed, because if you can authenticate yourself as me, then how can you ever trust the digital identity representation of me if someone else is going to authenticate that?
We had fortunate timing, pairing these two technologies that were relatively unheard of, or new at the time: distributed ledgers and zero knowledge proofs, and devised a protocol for what we said at the time was abstracting identity from the device to the individual. In January of 2017, we got connected with Professor Matthew Franklin at UC Davis. He’s a professor of cryptography, known for the Boneh-Franklin scheme of identity based encryption, and a ton of other stuff in public key infrastructure that we use today. In fact, PIA uses some of the technologies that he helped invent back in the day. So he ended up vetting and validating the kind of protocol we had devised. Later in January that same year, I think it was a Sunday night, I decided I had to go all in. I quit my job and filed the initial patent applications, and then founded the company NuID. A month later, I raised a small seed round, and the rest is history. So that’s the abridged version.
PIA: What is NuID’s flagship product?
LB: One thing you might hear in Silicon Valley is fail fast, you know, break it and iterate. That does not work for authentication and identity. So, we were super meticulous and thorough, and it was all about doing it right, not quick, despite what some people were pushing. Because, if authentication fails it’s over. You can’t fail once, right?
So, we released our product, Trustless Authentication, NuID’s authentication solution, which is a B2B SaaS product. It was and is a monthly subscription API plugin for companies to completely replace their authentication workflow.
In the current user login experience, you can imagine you build an app or a website or what have you, that has users that need to log in. In today’s paradigm, the status quo is that you have the user put in a username, or an email address, and a password. Then that goes from their device to the server. Then, if they’re decent, they hash the password and/or encrypt it at the source and store it in a database. This way, the next time the user signs in and enters their credentials, it goes over to their server, where it’s compared, and if the passwords are the same, it checks out and logs you in, creating a session.
So that is, as we are all realizing, a huge problem for a number of reasons. Each of the servers has to store this big database of credentials. Now you have a huge target for hackers and people that compromise systems. And it can create this cascading snowball effect, because when that server is breached, 9 times out of 10, it’s a compromised credential that’s used to actually execute the breach, or hack it. For instance, with a big hack like LinkedIn, Twitter, or any of these big sites, other subsequent hacks are done because someone’s credential was found, and some admin was using the same password for his email or this or that site, and people reuse passwords.
NuID’s authentication system is designed to eliminate that workflow, and we have 57 claims patented on this in the US. It’s free to use, up to a point, and can be installed in under 30 minutes. It sits behind the log-in box, so as far as the user is concerned, there’s no added friction, and their login experience doesn’t change. What happens on the backend is that when the user creates an account, they enter a username and password on their device. On that user’s device, that password is used to generate what’s called a zero knowledge proof. So, you can think about that as magic – I’m kidding, or half kidding. It’s basically a lot of math that is done to it, right?
The password entered on the user’s device is deleted. It’s never transmitted over the internet to any server, and it’s not stored locally. The public reference parameter output from that then gets stored on a distributed ledger. We default to Ethereum, but it’s ledger agnostic and in the future we’re going to be coming out with the KiiChain ledger. We are actually launching the token Kii that underpins that. I won’t go into that right now. But the idea there is that this public reference parameter is decentralized and immutably stored. So that, you know, there’s no single party holding it.
PIA: Is NuID just for businesses or do you have a consumer product?
LB: We launched the beginning of the Nu Identity Ecosystem recently, and we’re gearing up for that. We’ll be launching our consumer products next year. It’ll be a credential wallet that allows users to manage their own credentials.
I like to say what we’re doing is making cryptography accessible to everyone. Right now, managing keys is difficult, right? I mean, if we use public key infrastructure, public private keys, for login, which we should, it’s a nightmare for people to manage and use that. For example, with a Bitcoin wallet it gives you that seed phrase that basically says if you lose your private key, you’re done, you’re X-ed out. Right?
That’s public key infrastructure for you. It’s not very forgiving. There needs to be a good way and a good interface for people, and that is what NuID is doing. We needed the enterprise solution first because, if I went out on the street three, four years ago, and said, “Hey, I’ve got this great new authentication solution, do you want to try it,” and you’re like, great, where can I use it, and the answer was nowhere, it’s not going to help you very much.
So, getting our protocol ingrained and used by services was step one. So we launched that a few years ago. And now like I was saying, we have a self-service developer portal for anyone who’s building an app or website, and they can go implement it for free, and play around with it.
PIA: Do you have any tips for the average person to protect their password? To increase their online privacy?
LB: The longer the better. A lot of times the websites will say, use a number, use uppercase, lowercase, and symbols, whatever. But the truth is, length is the biggest thing on your side.
Use different passwords for more important things. I’m not going to tell somebody to use different passwords for every account, because people have 50, 60, 70 different accounts, maybe even more now. I will also say this with a little asterisk, but use Password Managers like LastPass or 1pass. These are a godsend, we require everyone at NuID to use them. However, they perpetuate the problem, for sure, and they don’t solve anything real. So it can be pretty scary to have to trust them. That being said, they are a step in the right direction. The convenience you get is worthwhile, if you use it correctly, which means you use their auto secure password generator. You can use it to generate a random string of numbers, characters, and symbols that’s 32 digits long and they’re all different. So, if you’re going to use something like that, take advantage of the capabilities of the secure password generator.
Lastly, make sure you always have two-factor authentication on if that’s an option. So those are the biggest things. Otherwise, stay tuned to NuID and get a verified credential when we launch it in a few months.
PIA: Are you still involved in cryptocurrency?
LB: Yeah, in fact, we are about to launch, five years in the making, our token Kii.
I still follow cryptocurrency. I’ve traded it a bit. I go in waves on how into it I am, depending on how busy I am. But ya know, I definitely follow it, I definitely stay abreast because it’s so relevant to cryptography. It’s worth noting as well that NuID credentials, because crypto is built on public key infrastructure, can serve as your private key to crypto assets.
So the NuWallet that we are going to be launching this next year will serve as not only a credential wallet, but your crypto wallet as well. Because your authentication credentials can secure any crypto asset. This is huge in cryptocurrency because you are your identity. You should have your assets follow you around, and only you should be able to authenticate those things.