Trust Nexus
WebAuthn+ ~ Unhackable Authentication
A simple addition to the Web Bluetooth API will completely solve the
authentication problem.  And most users will be able to keep the convenience
of user names and passwords!  Simple passwords will become highly secure.
  
The Internet of Value ~ An Open Letter to Microsoft, Apple, Google and the other Members of the FIDO Alliance
The Internet of Value
I hope that everyone who reads this letter is healthy and happy.  This crisis will eventually pass.  Humans have an incredible capacity to respond to adversity with creativity.
Just as the Black Death (1347-1350) transformed European society and made the Italian Renaissance possible, this current pandemic will have a transformative impact on our entire world.  When this crisis passes there will be a greater sense of community.  The world will become even more connected.  There will truly be a sense that, "We are all in this together."  We will realize that we have an incredible capacity for transformative change.
Social and business structures will be transformed by the currents of this crisis.  Technology will be the catalyst in this transformation.  The world's leading technology companies have a choice to either lead this transformation or be left in its wake.
This letter presents a clear path forward.  By the time you complete reading this letter, you will have a clear vision of an incredible future.
Imagine that authentication was simple and secure and that for every business process and every financial transaction it was possible to touch a button on your smart phone that would generate a hashcode that represents all the elements of the process/agreement and then that hashcode would be cryptographically signed by your private key, thus bringing complete security to the process.
The elements, hashcode and signature would all become part of a cryptographically secure distributed ledger (not a "blockchain", which has turned out to be problematic technology); this ledger will be "chained" to your secure digital credential and provide an inviolable record that could be further extended in a similar process.  These private cryptographically secure distributed ledgers will be the foundation of the Internet of Value.
Because these cryptographically secure distributed ledgers will have a structured JSON format (see the image below), they will be easily processed by Artificial Intelligent Systems; in some cases these intelligent systems will also extend the distributed ledgers.  Our technology platform will usher in the age of practical AI (lots of structured decision making data harvested for optimal decisions).
The Internet of Value will be the "next great wave in technology".  Just as the information Internet transformed the world of information, the Internet of Value will transform the worlds of value transfer (finance, business process management, consumer goods and services, government services, NGO services... everything).  Combined with Artificial Intelligent Systems, the Internet of Value has the potential to ignite a worldwide Renaissance by providing, "ubiquitous access to efficient financial systems and the ability to transact with anyone in the world."
In the very near future, all business processes and agreements (including all financial transactions) will be confirmed by a cryptographic signature of a JSON Distributed Ledger.  The signature will be implemented by a simple touch on a user's smart phone.
All financial services will be transacted through digital credentials issued by a user's bank or financial services provider (which may very well be your mobile network operator).  If your financial services provider knows you and trusts you, everyone will be able to trust the digital credential they issue.  This extension of trust will eliminate fraudulent financial transactions and uplift the Third World by providing secure and efficient financial services for everyone on the planet.
This technology will generate great benefits for all businesses, from startups to multi-national corporations to impoverished villagers in the third world.  Cryptographically Secure JSON Distributed Ledgers will become the standard format for secure processes/transactions.  Some have estimated that the resulting economic efficiencies (by reducing time, costs and risk) will be measured in trillions of dollars.
Ask anyone with any experience in artificial intelligence, "Would vast amounts of well structured data aid in the creation of systems that can learn?"  The answer will be yes.
Some Incredible Implications for the Future
In the late Seventies and early Eighties computer names were maintained by using handcrafted HOSTS.TXT files.  As networks became more interconnected this process became unmanageable.  Everyone knew that something needed to be done.  When the Domain Name System (DNS) was created everyone saw it as the obvious solution.
Similarly, when the solution to cybersecurity authentication emerges, everyone will say, "Of course, this is how it had to be."
Whenever a significant technology problem is solved, incredible new opportunities arise.  Solving the Domain Name System (DNS) problem made the creation of the information Internet possible.  Solving the authentication problem will make the Internet of Value possible.
Supporting these processes will be a new multi-billion dollar profit center for each of the world's leading technology companies, especially in cloud computing.  The ledgers will be stored in the cloud and be accessible through an interoperable service; supply chain provenance will probably be the first major application (Would you like to know where your prescriptions or your food came from?).
A point of emphasis, these cryptographically secure distributed ledgers have nothing to do with crypto-currencies, blockchains or distributed databases; this has nothing to do with the blockchain hype.  This has everything to do with transforming business process management and financial services.
Beyond business process management and financial services, there are significant social and political implications.
Secure authentication will greatly influence political events by reintroducing classical Greek democracy to the world.  Unlike current on-line polls that can be "spammed" multiple times by a single user or a group of users, on-line polls conducted within the ecosystem of the Internet of Value will be validated for user uniqueness.
Users could also volunteer to provide their demographic profiles to the on-line pollsters enabling political scientists to extricate more meaningful conclusions from their polls.  Ultimately, secure on-line voting will become a reality that will lead to an ever-increasing number of local, national and world plebiscites.  There will come a time in the near future when a consortium of major news organizations will call a worldwide referendum.  Citizens will be able to vote using their digital drivers license or digital passport.
The technologies of the Internet of Value will be transformative.  These technologies will exceed all initial expectations.  It is possible for authentication to be simple, secure and trusted.  It is possible to create a cryptographically secure shared source of truth where all participants are trusted, privacy is maintained and all participants are instantaneously notified of changes.  It is possible for intelligent systems to create great economic efficiencies by processing JSON distributed ledgers.  There will be additional advances that we cannot yet imagine. 
The rewards in creating the technology foundation for the Internet of Value will be extraordinary.  Everyone will benefit.  The world economies will flourish; the increase in trade, trust and opportunity will ignite a new Renaissance.
It all starts with secure authentication.
The FIDO Alliance
There are many MFA solutions on the market; unfortunately, none of the current MFA solutions mitigate against the new advanced attacks.
Many are placing great hope in WebAuthn from the FIDO Alliance; however, their solution is problematic and has not gained traction in the marketplace despite years of intensive lobbying by FIDO.  Rather than giving consumers what they really want, the FIDO Alliance is pushing physical security keys and biometrics.  Their goal is "passwordless authentication".
The WebAuthn promise of "simpler stronger authentication" is a noble goal; however, the current implementation of WebAuthn (approved as a W3C recommendation last year) is convoluted and complex.  The WebAuthn document reads like the blueprint for a massive suspension bridge to be built across a "narrow creek".  The problem that needs to be solved for secure web authentication is actually very simple:  ensure the user is on the right web page; "www.chase.com" not "www.chaze.com".  This could be accomplished by a simple change to the Web Bluetooth API; the complexity of WebAuthn is completely unnecessary.
Also, does anyone truly think that consumers really want the inconvenience of physical security keys, which are a security threat if left plugged into a system and an annoyance when lost, misplaced or stolen?  Does anyone really think consumers are comfortable with biometric surveillance?  Most consumers do not trust biometric surveillance (whenever I get a new laptop the first thing I do is put a piece of black electrical tape over the camera; my webcam for my workstation is unplugged most of the time).  Consumers also feel that biometrics are intrusive (Big Brother really is watching.).
When the person is present and the biometric data can be verified in the presence of a security agent or in a public place that diminishes the possibility of hacking (e.g., an airport kiosk, a retail check out, a police state check point or surveillance video), the utility of biometric processes increases significantly; in fact, this is the only valid use case for biometric factors.  Over a network or in a physical location with no monitoring, biometric identifiers can NEVER be trusted.
Biometrics can also play a significant role in the credential restoration process.  Click here for more detailed information on biometrics.
Also, the success of any new standard will require extensive support for developers.  The FIDO Alliance has failed miserably in this regard.  Where is the FIDO reference implementation for WebAuthn?  Where are the simple step by step instructions for setup?
Those who are focused on WebAuthn from the FIDO Alliance are on the wrong path.  In my judgement, by the end of 2021 WebAuthn will be seen as just another failed authentication standard.
It is our hope that technology leaders within the FIDO Alliance will eventually realize that by simply focusing on "passwordless authentication" they have missed the far greater potential of creating a cryptographically secure shared source of truth that can be processed by intelligent systems; they have missed the Internet of Value.
What does the marketplace think?
If you think it is impossible that Google and Microsoft (and the other high tech companies in the FIDO Alliance) have gotten things completely wrong and a tech startup in Austin has gotten things completely right, Google on, "WebAuthn SUCKS" or use Bing to perform the search.  Two of the best links returned are blog posts by Sami Lane, Director ~ Technology Strategy at Okta:
Sami Lane presents a scorecard on WebAuthn (presented below with attribution):
  • GMail: Yes! But alas only as a U2F security key after password.
  • Another email: No, but at least they support generic TOTP second factors.
  • Apple iCloud: Proprietary multi-factor authentication, but that's a different story.
  • Cellular provider: LOL NOPE! Security PIN only and SMS, which they helpfully are willing to send to my kids' phone numbers too in case they ever guess my password!
  • Top modern robo advisor: No, but at least they support generic TOTP.
  • Top online brokerage: No, but at least they support a proprietary third-party TOTP app.
  • Top retirement account: LOL NOPE! SMS!
  • Top-three credit card issuer: LOL NOPE! SMS!
  • Another top-three credit card issuer: LOL NOPE! No strong authentication of ANY kind.
  • Top-five bank: LOL NOPE! SMS! Or they'll sell you a 90's-style hardware TOTP token!
  • Local credit union: LOL NOPE! They got nothing, but the last time I tried to log in my account was locked out, so good to know that somebody's trying to brute-force my complex, globally unique password :)
  • Online crypto currency wallet: Yes! But alas only as a U2F security key after password. Also, they block my FIDO2 platform authenticator and only allow USB security keys. And once you add a security key, you lose your TOTP! It's one or the other!
  • My DNS / hosting provider: Yes! But alas only as a U2F security key after password.
  • Facebook: Yes, but just as a second factor, U2F mode.
  • Twitter: Yes, but just as a second factor, U2F mode, and the settings are buried deep.
  • Zoom: Nope. Just a well-hidden option to add a generic TOTP second factor.
  • Dropbox: Yes, but just as a second factor, U2F mode.
"So, the score is 0 (zero) out of 17 for going passwordless with WebAuthn.  Sigh." [emphasis mine]
Nick Burka, founder of the technology company silverorange, wrote a detailed article on the practical user experience of WebAuthn and found it "difficult to use", "confusing", overly technical, too many steps and in general "there will need to be more focus on usability".
Java is still the most prevalent programming language for web applications.  I challenge any journalist to go to any Java user group meeting (JUG, there is one in almost every major city on the planet) and ask for a show of hands for how many people have or plan to implement WebAuthn from the FIDO alliance.  The response will be minimal.  WebAuthn from the FIDO Alliance has failed to capture the "mind share" of the development community.
For additional criticisms of WebAuthn from the FIDO Alliance, click here.
The Nirvana of Simple Passwords
The "Nirvana Solution" for authentication will enable users to keep simple passwords (which is what they really want).
What if users could easily reset their own passwords and these passwords could be incredibly simple (e.g., "asd", "123")?
About a year ago I attended a FIDO (WebAuthn) conference here in Austin.  After that conference my hope was that I would be able to touch a credential icon on my smart phone and securely authenticate to a web application (multi-factor out of band).  I thought it was brilliant to use Web Bluetooth (BLE) for the out of band confirmation.
Using Web Bluetooth solves one of the fundamental problems of secure web authentication:  ensure the user is on the right web page; "www.chase.com" not "www.chaze.com" (this completely stops phishing scams).
However, even Google is having a difficult time getting WebAuthn functional from a smart phone (and they are just focusing on Google apps and Google Android phones)!  This implementation from Google fails most of the time (with a new Pixel 4A).  There is no way to fully test the system or to help out because Google (one of the leaders in the FIDO Alliance) is keeping their source code secret from the development community.
Also, in Google's "solution" the mobile device is only used as a proxy for a biometric identifier.  Google and the other members of the FIDO Alliance have made a significant mistake:  by defining their problem as "the elimination of passwords" they have constrained their "solution".  The Groupthink of the FIDO Alliance prevented the consideration of a solution that gives consumers what they really want.
After weeks of research, I gave up on WebAuthn and set off to find Nirvana:  secure web authentication through a mobile device with the option to choose a simple password on a trusted system.  I knew that Web Bluetooth was the key.
WebAuthn+
I have been creating Internet applications since the early days of the Internet.  I am currently an Application Architect for a technology company in the Austin area.  When I mentor junior developers I always tell them that simplicity and clarity are the hallmarks of good code.  The more complex a technology system is, the more difficult it is to maintain and extend.
We have created a system which we call WebAuthn+.  In all sincerity, we think WebAuthn+ is the "Holy Grail" of authentication: simple, elegant, cryptographically sound and user friendly.
Architecturally, WebAuthn+ is completely different from WebAuthn (which has significant dependencies on the Credential Management API).
The UX process flow for WebAuthn+ can be seen here.
The technical overview of WebAuthn+ can be found here.
Insights on the Philosophy of Identity can be found here.  Some key insights:
  • Your identity is not determined by a collection of attributes; your identity is determined by a cryptographically secure digital credential that associates "you" to a public key.  For each specific context, the essence of "you" is determined by an institutional validation.
  • If your corporation validates you and issues you a digital credential, your identity does not matter, all that matters is that you are the only person who can utilize that credential.
  • Think of the past when the king's seal represented a stamp of approval; your identity did not matter, all that mattered was the validity of the king's seal and that you were the rightful holder of the credential.  In the age of technology it is possible to create a "valid seal" with a secure private key on a smart phone.
  • When third parties must rely on credentials, surprisingly, there is no need to store user credentials or identity data in any type of worldwide data structure.  All that is necessary is to have sufficient information to validate the credential provider (bank, insurance company, government agency, etc.) because their private key is used to sign a hash within the credentials they issue.
  • There is a distinction between legal identity and application identity.  When you establish an account with Netflix or some other service organization there is no need to provide your absolute legal identity; all that is needed is an application identity.
  • In the near future, the credential restoration process for legal identity will become simplified and highly secure with the implementation of DNA ID; for now, some other form of biometric (e.g., facial recognition) may be sufficient.
One of the key aspects of WebAuthn+ is that once the user successfully authenticates for the first time (with the full WebAuthn+ process through a digital credential on a mobile device), he/she can designate the system as a "trusted system".  In the future, the user can authenticate to that system with a simple user name and password.
If a bad actor can steal the user's password and gain access to the "trusted system", the user's account can be compromised; however, a bad actor cannot gain access to a user's account through a phishing scam, a MITM attack, by stealing user names and passwords from a server or by any of the new advanced attacks.
The risk involved with a "trusted system" (e.g., a home system or a work system that you exclusively use) is far less than the risk of using a digital certificate or the risk of storing user names and passwords within a browser.  If high security is necessary (e.g., banking applications, government applications), the full WebAuthn+ process can be required; this process is impervious.
The efficiency gains are significant.  The problems of forgotten passwords and resetting passwords go away completely.
The convenience for users is also significant.  The user is in complete control of his/her identity credentials.  Decentralized Identity will become a reality.
For everyone who has secure applications at work:  Imagine that your security team provisions a digital credential to your smart phone and you can securely authenticate to a secure application from anywhere in the world by simply touching the "Sign On" button in your credential manager app.
Once you have successfully signed on, you have the option to designate the system as a "trusted system".  In the future, you can authenticate on this system with a user name and simple password ("asd", "123", or even simpler).
If your smart phone is lost or stolen, the bad actors cannot utilize your credential manager app or access any data on your device (we have a unique and impervious solution for securing data on a mobile device).
Credential revocation is simple in WebAuthn+, just flip a switch in a database table.
What happens if a user loses his/her smart phone?  The credential restoration process is straightforward:  buy another smart phone, install the TNX WebAuthn+ mobile app and have your digital credential reissued by whatever process the institution establishes (for Netflix it may be a simple email process; for your bank it will certainly be much more).
Extended aspects of our technology, like the ability to embed biometric signatures within cryptographically secure digital credentials will open new market opportunities, especially in the area of credential restoration (every financial institution will eventually implement this technology and it will some day be based on DNA ID).  Most significantly, embedding biometrics within a digital credential that the user controls (not within an Orwellian data repository) will end the debate over biometrics and privacy/surveillance.
Some Technical Details
The password on a trusted system can be incredibly simple because the value that the user enters is combined with a UUID salt value that is stored on the user's system as a cookie; hence, the system needs to be trusted and secure (within a browser, cookies can only be accessed by the domain that generated the cookie).  The password and the UUID salt value are used to generate a cryptographic hash using the PBKDF2 function from the Stanford JavaScript Cryptography Library.
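        // Derive the value sent to the server from the typed password and the UUID salt read from the cookie.
        var out = sjcl.misc.pbkdf2(password, sjclSalt, sjclIterationCount, sjclLength);
        var passwordHash = sjcl.codec.hex.fromBits(out).toUpperCase();
        // Debug only: this prints the value the server accepts as the password; remove before deployment.
        console.log("passwordHash: " + passwordHash); // TODO: remove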
A simple user password of "asd" becomes "7C3249A2415F53FC1A8A150C60C9347CBC14AE0C62C7C5C73FF4BC45A15ECFCA"; this value is essentially a generated password and is sent to the server over encrypted HTTPS.  On the server the value is hashed once again with the Argon2id hashing algorithm (most secure) and stored on the server as an encoded Argon2id string (parameters, salt and hash):
'$argon2id$v=19$m=1048576,t=4,p=8$HQiUtZvto2icGsXVTF/BJw$emWzw24cLFhmnd8WUhZDyjRJHCg1C0J9542yTPCiACE'
Whenever the user signs on, the hash values are recalculated and compared with the stored hash value.  Without access to the user's physical system and knowledge of the user's password, it is impossible for a bad actor to sign on, even if there was a complete breach of the server data.  The user can use the same simple password across multiple sites because each time it will be combined with a different salt value and will be stored on different servers as a completely different hash value.
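The trusted-system sign-on described above, end to end, as an added example (not the Trust Nexus reference implementation).  It uses only Node.js built-ins; the iteration count, the UTF-8 salt encoding and all function names are assumptions, and scrypt stands in for Argon2id on the server side.

```javascript
// Added example, not Trust Nexus code. Node.js built-ins only.
const nodeCrypto = require("node:crypto");

// Assumptions: the page does not state the iteration count or the salt encoding.
const PBKDF2_ITERATIONS = 10000; // assumed value
const DERIVED_BYTES = 32;        // 256 bits = the 64 hex characters shown on the page

// Browser side: PBKDF2-HMAC-SHA256 over the typed password and the UUID salt
// kept in the trusted system's cookie, hex-encoded in upper case.
function clientDerive(password, cookieSalt) {
  return nodeCrypto
    .pbkdf2Sync(password, cookieSalt, PBKDF2_ITERATIONS, DERIVED_BYTES, "sha256")
    .toString("hex")
    .toUpperCase();
}

// Server side: hash the received value again and store only that.
// scrypt is a stand-in here; the page uses Argon2id (m=1048576, t=4, p=8).
function serverEnroll(derivedHex) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(derivedHex, salt, 32);
  return { salt: salt.toString("base64"), hash: hash.toString("base64") };
}

// Recompute and compare in constant time.
function serverVerify(derivedHex, record) {
  const salt = Buffer.from(record.salt, "base64");
  const expected = Buffer.from(record.hash, "base64");
  const actual = nodeCrypto.scryptSync(derivedHex, salt, expected.length);
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Marking a system as trusted: a fresh UUID salt goes into the cookie and the
// server stores the second-stage hash of the derived value.
function trustSystem(password) {
  const cookieSalt = nodeCrypto.randomUUID();
  const record = serverEnroll(clientDerive(password, cookieSalt));
  return { cookieSalt, record };
}

// Later sign-on from a browser that may or may not hold the cookie.
function signOn(password, cookieSalt, record) {
  if (typeof cookieSalt !== "string" || cookieSalt.length === 0) {
    return false; // no cookie: not a trusted system, full process required
  }
  // The derived value is what the server accepts, so it is handled like a
  // password: sent over TLS only and never logged.
  return serverVerify(clientDerive(password, cookieSalt), record);
}

// Constructed scenario: the same simple password enrolled on two sites.
function demo() {
  const siteA = trustSystem("asd");
  const siteB = trustSystem("asd");
  return {
    rightPasswordRightCookie: signOn("asd", siteA.cookieSalt, siteA.record),
    wrongPassword: signOn("123", siteA.cookieSalt, siteA.record),
    otherSiteCookie: signOn("asd", siteB.cookieSalt, siteA.record),
    noCookie: signOn("asd", undefined, siteA.record),
    sameDerivedAcrossSites:
      clientDerive("asd", siteA.cookieSalt) === clientDerive("asd", siteB.cookieSalt),
  };
}

console.log(demo());
```

Almost all of the entropy in the derived value comes from the cookie salt (a random UUID carries 122 random bits), so the cookie and the derived value deserve the same protection as any stored credential.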
A cookie with a password on a trusted system is actually more secure than a digital certificate on a "trusted system".  With a digital certificate a bad actor just needs to access the system, either physical access or through malware.  When a cookie and a password are required a bad actor would need both.  Essentially, the cookie turns your trusted system into a "something you have" authentication factor.
Also, the user can always reset his/her own password.  There is no need to call tech support.
Many assumed that user names and passwords had to be eliminated in order to solve the authentication problem.  The paradox of the WebAuthn+ solution is that most users will be able to keep their user names and passwords, and passwords can become even simpler.  We truly have solved the authentication problem by attaining the "Nirvana of Simple Passwords" (which is what consumers really want).
An open source reference implementation is provided for WebAuthn+ with a step by step guide for developers.
A system is secure if the plans for the system are public, and the bad actors can still not break in.
Trust Nexus
I know it sounds incredible, but as a tech startup in Austin we have solved the web authentication problem; any IT expert who examines our system architecture will realize its simplicity and elegance.  After review, the question most people ask is, "Why isn't this already being done?"
The goal of the Trust Nexus is to create new standards for authentication and cryptographically secure distributed ledgers (NOT blockchains).  Our technology, WebAuthn+, is far superior to the WebAuthn "standard" being promoted by the FIDO Alliance.  In addition to simple, secure authentication from a mobile device, our working prototype includes the capability to securely sign a distributed ledger with one touch on a user's mobile device (see the image below).
Our authentication solution, WebAuthn+, succeeds where the FIDO Alliance has failed.
If you spend thirty minutes and review three sections on our website you will grok the paradox of simple passwords and you will also experience the joy of creative insight:
The Trust Nexus is willing to make our foundation technology completely free for all players big and small (the very big, 10,000+ employees, will happily pay a nominal license fee).  Service providers will be able to incorporate WebAuthn+ into their offerings; some organizations will "roll their own" and create their own internal implementation based on the open source code.  Everyone will be able to build on our foundation and create value added products and services.
If we act with wisdom and grace, everyone will benefit from creating the ecosystem for the Internet of Value.  If everyone plays by the same rules the game will be fair for everyone and more fun for everyone.
There is only one piece of the puzzle that we want to hold onto:  The Worldwide Distributed Ledger for Credential Providers.
This ledger will provide a trusted reference to the credential providers' public keys, and the metadata required for the validation process and the credential revocation process. 
The Worldwide Distributed Ledger for Credential Providers will contain at most a few hundred thousand entries for credential providers worldwide; it is a limited set (banks, other financial institutions, insurance companies, national governments for passports, other government agencies for government programs, state/provincial governments for driver's licenses, educational institutions, etc.).  In terms of data structures, less than a million records is an incredibly small data structure.
We will make this data structure available for free for every major cloud based infrastructure so that services can be easily created off of the data.
Important note:  An organization can maintain complete control of its authentication process under the Trust Nexus.  Our infrastructure technology can exist as an insulated microcosm within corporations or government agencies.  The Worldwide Distributed Ledger for Credential Providers is only necessary when there is a requirement for third party validation of credentials (e.g., when a user presents his/her banking credentials to a merchant or the holder of a passport presents the passport for identification, or in processing insurance claims, etc.).
In order to maintain the infrastructure for the Internet of Value there will be a nominal license fee.  This annual license fee will be paid by every business organization and governmental organization with 10,000+ employees.
Key aspects of WebAuthn+ and the Internet of Value:
  • secure Web authentication without biometrics or physical security keys (biometrics will be used just for credential restoration)
  • users are in complete control of their digital credentials
  • the Nirvana of simple passwords
  • eliminates fraudulent financial transactions and uplifts the Third World by providing secure financial services
  • transformation of business process management through cryptographically secure distributed ledgers
  • the age of practical AI (lots of structured decision making data harvested for optimal decisions)
The Path Forward
There are some minor details to be worked out.  Most significantly, there needs to be a simple change in the Web Bluetooth API so that the method "writeDomainNameCharacteristic()" is run from within the browser application context (so that it cannot be modified within the JavaScript).  Also, the browsers need to implement "Session Specific Pairing" so that the very annoying Bluetooth pairing screen does not appear and force a user interaction.  More details on these two issues can be found on our website: WebAuthn+
The reason Microsoft, Apple and Google are so important to this endeavor is because they currently control large segments of the browser market share and it would be very helpful if they would implement the changes just mentioned.
Apple has great respect for consumer privacy.  If Microsoft and Google are dead set on their plans for WebAuthn, it is most likely because they have a strategy to harvest data from every authentication in every web application and every application running on Windows and every application running on Android; that utilization data would be exceptionally valuable data (and ethically, I think it would be an unfair competitive advantage).
If Microsoft and Google adhere to a failed strategy based on WebAuthn, they will most assuredly ignite a new browser war.  They will be fighting this war against an alliance that includes nearly every government on the planet.  Corporations spying on their users has become a major problem.  Corporations should become proactive participants in the privacy debate.  If they do not help guide the debate, the tide of public opinion will result in punitive legal restrictions.
The Internet browser market could also fragment and a company like MITRE with their ties to NIST could establish national standards for Internet browsers that provide security and protect privacy; no company would use any browser that was not "NIST Certified".  Additionally, international organizations could become involved.
Rather than having a browser war, it would be far better for everyone to "play nice" in a cooperative ecosystem.  The Trust Nexus has the technology to create that ecosystem and we are willing to give most of it away for free.
Our technology truly is superior to WebAuthn and all other MFA systems.  All those who are committed to existing multi-factor identity management systems are like engineers in the 1890s working diligently to perfect the telegraph system; all their work will soon be eclipsed by a much better technology.
Our goal is to create a worldwide ecosystem for secure authentication and cryptographically secure distributed ledgers.  We are going to create the foundation for the Internet of Value.  This cooperative endeavor truly has the potential to change the world.
Imagine that in 1989 someone had approached you and said, "There is this new technology called HTML that is going to change the world."  In the near future, the impact of the Internet of Value in transforming business processes, enhancing governmental services and uplifting the third world will have a far greater impact than the information Internet.
I hope that you will join us in this endeavor.  We truly would appreciate any guidance leading technology experts are willing to offer.  We are willing to collaborate. If this technology is going to reach its highest potential it will be because the "best and the brightest" make a determined collaborative effort.
Initially, I hope that we can take three simple steps together:
  1. Conceptual Review
  2. Testing the Fully Functional Prototype
  3. Setting up an Incubation Project
In terms of game theory it would be a wise decision for the leading technology companies to invest a small amount of time in the evaluation of WebAuthn+ because the potential rewards are extraordinary.
Everyone will benefit from this endeavor.  The world economies will flourish; the increase in trade, trust and opportunity will ignite a new Renaissance.
I look forward to talking with you soon.
Kind regards,

Michael Duffy
CEO / CTO ~ Trust Nexus
http://www.trustnexus.io
P.S. In addition to secure authentication, our working prototype includes the capability to securely sign a distributed ledger with one touch on a user's smart phone.  Here is an image of a signed distributed ledger (simple example with three text fields) from our test page:
P.P.S. Apologies for the extensive amount of information in this letter; but if you have read this far...
Those who are focused on WebAuthn from the FIDO Alliance are on the wrong path.  The FIDO Alliance's promise of "simpler stronger authentication" is a noble goal.  How did the implementation get so screwed up?  How did an alliance of the world's leading tech companies set out on a path that in my opinion has led to failure?
The problem affecting WebAuthn is the same problem affecting many aspects of our society, especially our politics:  the mindset of the tribal group.
"Groupthink is a psychological phenomenon that occurs within a group of people in which the desire for harmony or conformity in the group results in an irrational or dysfunctional decision-making outcome.  Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative viewpoints by actively suppressing dissenting viewpoints, and by isolating themselves from outside influences."[ref]
"Groupthink requires individuals to avoid raising controversial issues or alternative solutions, and there is loss of individual creativity, uniqueness and independent thinking.  The dysfunctional group dynamics of the 'ingroup' produces an 'illusion of invulnerability' (an inflated certainty that the right decision has been made).  Thus 'the ingroup' significantly overrates its own abilities in decision-making and significantly underrates the abilities of its opponents (the 'outgroup')."[ref]
Sadly, Groupthink is prevalent because our business and governmental organizations are often led by egomaniacal despots who value loyalty over creativity.  Most business and governmental organizations are managed in the same manner as North Korea:  The "Great Leader" dictates a vision and all must become subservient to that vision.  Any deviation is an act of disloyalty that must be punished.  True collaborative creativity is rare in most organizations; that is why most organizations eventually fail.
It is sometimes possible for one individual to break through the mindset of the tribal group, even when he/she is going up against some incredibly smart people who are absolutely certain they know what they are doing.  The story of John C. Houbolt from the early days of NASA is a story that should be taught in every engineering program.  John C. Houbolt was THE guy who figured out how to go to the moon.  He succeeded against strong opposition because his solution was technologically superior and because his ultimate concern was the success of the mission.
A final note:  As the recent bestseller Loonshots points out there are many great ideas that are rejected or ignored before they finally attain success.  I am certain this endeavor, "WebAuthn+ The Internet of Value", will exceed all initial expectations.  I hope the members of the FIDO Alliance will not become just like another major corporation, Excite, that failed to realize the potential of a transformative technology.
"Early in 1999, Brin and Page decided they wanted to sell Google to Excite.  They went to Excite CEO George Bell and offered to sell it to him for $1 million.  He rejected the offer.  Vinod Khosla, one of Excite's venture capitalists, talked the duo down to $750,000, but Bell still rejected it."[ref]
Intelligent systems, acting on cryptographically secure distributed ledgers, will have a transformative impact on improving financial and managerial processes.  While there is a great deal of unwarranted hype surrounding blockchains and crypto-currencies, it would be unwise for anyone to underestimate the potential of cryptographically secure distributed ledgers in creating the Internet of Value.
The following is another incredible historical anecdote:
       "The telephone is so named by its inventor A.G. Bell. He believes that one day they will be installed in every residence and place of business. Bell's profession is that of a voice teacher. Yet he claims to have discovered an instrument of great practical value in communication which has been overlooked by thousands of workers who have spent years in the field."
       "Bell's proposals to place his instrument in almost every home and business place is fantastic. The central exchange alone would represent a huge outlay in real estate and buildings, to say nothing of the electrical equipment. In conclusion, the committee feels that it must advise against any investments in Bell's scheme. We do not doubt that it will find users in special circumstances, but any development of the kind and scale which Bell so fondly imagines is utterly out of the question."
       ~ From the minutes of the 1876 meeting in which Western Union considered a proposal by Bell to sell all rights to the telephone for a mere $100,000.[ref] ~
© Copyright 2021 ~ Trust Nexus, Inc.
All technologies described herein are "Patent Pending".