Trust Nexus WebAuthn+ ~ Unhackable Authentication
The Trust Nexus is a technology startup in Austin. We have solved the authentication problem.
We employ out-of-band confirmation from the browser application context, not the JavaScript context of the web page, which can be easily hacked by anyone creating a fake web page.
Simple passwords become highly secure on trusted systems; this is what consumers really want.
Our solution also enables the cryptographic signature of single purpose distributed ledgers, a technology that will transform the world of finance (nothing to do with the blockchain hype). Not a distributed database; rather, a single purpose "cryptographically secure shared source of truth".
Our technology is open source and mostly free.
Intro video: WebAuthn+ Unhackable Authentication ~ (Why FIDO will fail.)
All current forms of multi-factor authentication (MFA) can be hacked!!!
Everyone knows that user names and passwords are insecure.
For more than ten years, the most common "solution" to the password problem has been to send a sign-on token to a user's mobile device; however, the FBI has warned (for more than four years) that these multi-factor authentication (MFA) schemes are subject to advanced attacks, especially when the tokens are sent through text messages (SMS).
Roger Grimes, one of the world's leading security and authentication experts, has written a book, Hacking Multifactor Authentication. If you think your current authentication processes are secure, read Roger's insightful analysis.
In a comprehensive White House memo, released January 26, 2022, all current approaches to MFA have been deprecated.
FIDO Passkeys May Open a Backdoor Into Secure Systems
For more than ten years an alliance of the world's leading technology companies, the FIDO Alliance, has attempted to solve the "Identity and Authentication" problem.
The FIDO Alliance never gained the mind share of the technology community.
Two years ago they did a complete reset.
On March 17, 2022 the FIDO Alliance put out a press release and white paper essentially admitting their failure and setting off on a new (very doubtful) path.
Their new process, Passkeys, might be even worse than anything they have done in the past. Passkeys may open a "back door" for evil corporations and evil governments; the technology will never be implemented on a wide scale. Seriously, any senior developer/architect who reads about the new FIDO process for trusting the operating system to transfer keys between systems will have an "OMG!" reaction.
If anyone can access your private keys, that access can be hacked or that access can be sold to an evil government or corporation.
George Jenkins, Security Architect for Beyond Identity, clearly elucidates this problem in a recent webinar:
Legal Note about the FIDO Alliance
The FIDO Alliance itself is just a standards organization; they do not sell products or services. The main players in the FIDO Alliance are Microsoft, Apple and Google (the owners of the three main operating systems). Any criticism of the FIDO Alliance (on this website or in our videos) is intended to be a criticism of their standards and of the members of "Big Tech" who implement those standards.
If you do not think "Big Tech" will lie to you and act in a completely unethical manner, read this: Google settles $5 billion consumer privacy lawsuit (DEC 29 2023).
New: WebAuthn+ is Unhackable!!!
Imagine a world where authentication is convenient, simple and secure.
Imagine a world where cybersecurity threats are greatly diminished.
Imagine a world where single purpose Distributed Ledgers are a "cryptographically secure shared source of truth", fraudulent financial transactions are eliminated, fraud in government programs is eliminated and the Internet of Value is real.
"We have discovered a process of great practical value in authentication which has been overlooked by thousands of workers who have spent years in the field, especially those working on FIDO Alliance technologies."
All those who are committed to existing multi-factor authentication systems, including FIDO passkeys, are like engineers in the 1890s working diligently to perfect the telegraph system; all their work will soon be eclipsed by a much better technology.
WebAuthn+, a simple and elegant open-source project from the Trust Nexus, is the answer to the "Identity and Authentication" problem.
WebAuthn+ is secure. It is impossible to attack WebAuthn+ through a phishing scam, a MITM attack, by stealing user names and passwords or by any of the new advanced attacks.
WebAuthn+ does not require a physical security key. WebAuthn+ does not require biometrics; however, biometrics can be integrated into the digital credentials.
With WebAuthn+ simple passwords like "123", "asd", or even "pw", become highly secure.
A technical overview of WebAuthn+ can be found here: WebAuthn+ ~ Unhackable Authentication
The Simple Essence of WebAuthn+ Technology
The approach from the FIDO Alliance uses the Trusted Platform Module of your computer to store and manage your private key and (this is really ridiculous) a very convoluted Passkey architecture to register new systems and transfer your private key through the operating systems by scanning QR codes.
Under WebAuthn+, by contrast, the user's private key is stored securely on his/her mobile device and can be used to authenticate to any system without pre-registering the system, which FIDO requires.
If you do not think data (especially private keys) can be stored securely on a user's mobile device, you need to read the technical overview of WebAuthn+, which can be found here: WebAuthn+ ~ Unhackable Authentication
There is a simple problem that needs to be solved for web authentication to be secure: create a secure "out-of-band confirmation" that the user is on the "right" web page (e.g., www.chase.com, not www.chaze.com). The WebAuthn+ solution is a simple addition to the Web Bluetooth API that writes the "domain name characteristic" from the web browser's application context to the GATT server running on the user's mobile device.
Most importantly: this Web Bluetooth confirmation process is done from the application context of the web browser, not the JavaScript context of the web page, which can be easily hacked by anyone creating a fake web page.
For bad actors to compromise your authentication under WebAuthn+, they would need to install malware on your system or a completely fake version of the Nexus Chromium browser (in that case it is game over; the bad actors have won).
Corporate desktops or home workstations with decent anti-malware systems will be secure.
Under WebAuthn+ your authentication cannot be compromised by clicking on a phishing link and going to a fake web page, or by any of the other advanced attacks.
WebAuthn+ cannot be compromised even if there is a complete breach of the server data (because the user's private key is stored securely on his/her mobile device and never leaves the mobile device).
Again, the technical overview of WebAuthn+ contains complete details: WebAuthn+ ~ Unhackable Authentication
Nexus Chromium Browser
In order to make this all work, we had to create our own version of the Chromium browser: "Nexus Chromium". The prototype code will be made available to all.
This prototype version of Chromium writes the domain name characteristic through Web Bluetooth from the browser application context, not the JavaScript context of the web page, which can be easily hacked by anyone creating a fake web page.
User Friendly!!! Low Friction!!!
The user experience for WebAuthn+ is friendly and elegant. A user goes to a web application's "Sign On" page:
When the user clicks the WebAuthn+ button, the browser communicates securely with the server over TLS and with the user's mobile device over a paired Web Bluetooth Low Energy (BLE) connection.
Using Web Bluetooth from the browser's application context, not the web page's JavaScript context, to confirm the domain name solves one of the fundamental problems of secure web authentication: ensuring the user is on the right web page, e.g., "www.chase.com" not "www.chaze.com" (this completely stops phishing scams).
The same values that are sent to the browser are sent to the user's smart phone over an encrypted Firebase channel, with local confirmation over Web Bluetooth.
The user verifies the Authentication Code and then touches Sign On on his/her smart phone.
The session UUID is signed by the user's private key (which resides on his/her smart phone) and that signed value is sent to the server.
Cryptographic magic happens on the server. The sign-on web page "auto-magically" transforms:
A Verification Code, generated on the user's smart phone and sent through an encrypted channel to the web server, is displayed on both the web page and the user's smart phone (UHJ 375):
The simplicity of this authentication process is that the user goes to a web page, receives a notification on his/her smart phone and simply touches the Sign On button. The video above has a complete demonstration.
...but users do NOT want to have to use their smart phone every time they sign on to a web application.
Establishing a Trusted System ~ The Nirvana of Simple Passwords
The "Nirvana Solution" for authentication will enable users to keep simple passwords (which is what they really want). They do not want physical security keys or biometrics. They do not want to be required to use their smart phone for every authentication to every web application. They want simplicity (this is why basic user names and passwords have stuck around for so long).
Once the user successfully signs on, he/she can designate the system as a "trusted system" (e.g., a home computer or an office workstation); in the future the user can sign on to that "trusted system" with a user name (e.g., your email address) and a simple password (anything you choose, even "asd" or "123" or "pw").
If you forget your password, you can simply reset it without making a support call. Everything is done with high levels of cryptographic security.
The password can be incredibly simple because the value that the user enters is combined with a UUID salt value that is stored on the user's system as a cookie (hence, the system needs to be secure). The values are used to generate a cryptographic hash using the Stanford JavaScript Cryptography Library (sjcl):
// PBKDF2 (sjcl's default PRF is HMAC-SHA256) over the password and the UUID salt from the cookie;
// the iteration count and the output length (in bits) are configuration values.
var out = sjcl.misc.pbkdf2(password, sjclSalt, sjclIterationCount, sjclLength);
// Hex-encode and upper-case the result; this is the "generated password" sent to the server.
var passwordHash = sjcl.codec.hex.fromBits(out).toUpperCase();
A simple user password of "asd" becomes "7C3249A2415F53FC1A8A150C60C9347CBC14AE0C62C7C5C73FF4BC45A15ECFCA"; this value is essentially a generated password and is sent to the server over encrypted HTTPS. The value is hashed once again on the server with the Argon2id hashing algorithm (most secure) and stored on the server as an Argon2id record that carries its own parameters:
'$argon2id$v=19$m=1048576,t=4,p=8$HQiUtZvto2icGsXVTF/BJw$emWzw24cLFhmnd8WUhZDyjRJHCg1C0J9542yTPCiACE'
Whenever the user signs on, the hash values are recalculated and compared with the stored hash value. Without access to the user's physical system and knowledge of the user's password, it is impossible for a bad actor to sign on, even if there was a complete breach of the server data. The user can use the same simple password across multiple sites because each time it will be combined with a different salt value and will be stored on different servers as a completely different hash value.
A cookie with a password on a trusted system is actually more secure than a digital certificate on a "trusted system". With a digital certificate a bad actor just needs access to the system, either physical access or through malware. When a cookie and a password are required, a bad actor would need both. Essentially, the cookie turns your trusted system into a "something you have" authentication factor.
Also, the user can always reset his/her own password. There is no need to call tech support.
Everyone assumed that user names and passwords had to be eliminated in order to solve the authentication problem. The paradox of the WebAuthn+ solution is that most users will be able to keep their user names and passwords, and passwords can become even simpler.
WebAuthn+ provides an open source reference implementation.
A system is secure if the plans for the system are public and the bad actors still cannot break in.
See the section on WebAuthn+ for more details.
Test the Fully Functioning Prototype!!!
This is not theoretical; for all processes we have a functioning prototype and everything works:
You can test this for yourself. Install the TNX WebAuthn+ mobile app (Android only for now) and then go to our Test page.
Important! You must use our prototype browser: Nexus Chromium Browser.
Messaging from the browser application context to the user's mobile device over Web Bluetooth is fully supported.
Our prototype version of the Nexus Chromium Browser also supports "Session Specific Pairing", a far more secure Web Bluetooth pairing mechanism than is used in Google Chrome, Microsoft Edge or any other Chromium-based browser. More info about this can be found in the section on WebAuthn+.
Important note: The Nexus Chromium Browser is a prototype! It is meant for conceptual testing. The download consists of a 504 MB zip file (which is too large for Google Drive to scan for viruses; but you really can trust us); this zip file needs to be unzipped and then the browser is launched by double-clicking on "...\Nexus_Chromium\chrome.exe".
For more technical details please see the Cryptographic Overview.
The Internet of Value
Secure authentication, based on WebAuthn+, will make the Internet of Value possible.
The Internet of Value has the potential to ignite a worldwide renaissance by providing "ubiquitous access to efficient financial systems and the ability to transact with anyone in the world." ~ W3C - Internet of Value Manifesto ~
With WebAuthn+, fraudulent financial transactions will be eliminated.
In addition to secure authentication, our working prototype includes the capability to securely sign a distributed ledger with one touch on a user's mobile device. The image below is a signed distributed ledger (a simple example with three text fields) from our test page.
This ability will enable us to create a change-the-world technology platform that will lead to the creation of the Internet of Value and the widespread implementation of practical artificially intelligent systems. Our technology platform will secure identity, enhance value transfer and usher in the age of practical AI (based on lots of structured decision-making data, harvested for optimal decisions).