Solving the authentication problem would have an immediate and significant impact on improving cybersecurity worldwide. So has a garage-level tech start-up based in Austin done just that? 

The Trust Nexus (https://www.trustnexus.io) claims to have solved the authentication problem without the passkey, ensuring the longevity of passwords that still remain a popular authentication method for users. The company is not following FIDO’s consensus of passkeys over the password. The technology has been notably recognised for ensuring simple passwords become highly secure on trusted systems and that the user’s private key stays securely on the user’s mobile device.

In FIDO Passkeys (Microsoft, Apple and Google) the operating system controls the user’s private key, and it can be transferred to other systems through the user’s account. It also means that Microsoft, Apple and Google have access to your private keys (and data metrics on every application you use).

“We have created a simple and elegant solution to the authentication problem that is completely phishing resistant. All those who are committed to existing multi-factor authentication systems, including FIDO passkeys, are like engineers in the 1890s working diligently to perfect the telegraph system; all their work will soon be eclipsed by a much better technology.” – Michael Duffy, Trust Nexus.

Their authentication technology is called WebAuthn+. Unlike the FIDO approach, which uses the Trusted Platform Module of your computer to store and manage your private keys, under WebAuthn+ the user’s private key is stored securely on his/her mobile device and can be used to authenticate to any system without pre-registering the system, which FIDO requires.

Under WebAuthn+, securing data on a mobile device is accomplished by creating a cryptographic key that is stored off the device and is brought down to the device when the WebAuthn+ app is initiated. A user is locked out of the application after a configurable number of failed logon attempts, so there is no way a bad actor could launch a brute-force attack against the application. Your data and digital credentials are secure even if your mobile device is lost or stolen.

WebAuthn+ cannot be compromised even if there is a complete breach of the server data, because the user’s private key is stored securely on his/her mobile device and never leaves it.

In order to make this all work, they had to create their own version of the Chromium browser: “Nexus Chromium”. The prototype code will be made available to all. This prototype version of Chromium writes the domain name characteristic through Web Bluetooth from the browser application context to the GATT server running on the user’s mobile device, and not from the JavaScript context of the web page, which can be easily hacked by anyone creating a fake web page.

In order for bad actors to compromise your authentication under WebAuthn+, they would need to install malware on your system or a completely fake version of the Nexus Chromium browser on your system (in this case it is game over; the bad actors have won). Corporate desktops or home workstations with decent anti-malware systems will be secure.

This prototype version of the Nexus Chromium browser also supports “Session Specific Pairing”, a far more secure and user-friendly Web Bluetooth pairing mechanism than is used in Google Chrome, Microsoft Edge or any other Chromium-based browser.

Their most amazing claim is that simple passwords will become highly secure on trusted systems (e.g., your home computer or office workstation). They assert, “This is what consumers really want. They do not want physical security keys or biometrics. They do not want to be required to use their smart phone for every authentication to every web application. They want simplicity (this is why basic user names and passwords have stuck around for so long).”

Time will tell if this is for real. The Trust Nexus is in the process of setting up tests of their prototype with government and university labs.

Their technology will be open-source and mostly free: “We are going to give this technology away for free to everyone for authenticating their own users (both internal and public). For three party credential transactions (e.g., finance, insurance, government services), we will maintain the required meta-data infrastructure, creating a worldwide identity ecosystem that surprisingly will contain no personal data. We will also maintain cloud-based services for organisations who do not want to run their own private ecosystem.”
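The two properties described above, a challenge signed over the domain that the browser itself reports (rather than whatever a web page claims) and an app that locks after a configurable number of failed logons, can be modelled in a few dozen lines. The following is an added, illustrative model written for this article; it is not Trust Nexus code, does not use Web Bluetooth or GATT, and all class names, the `bank.example` / `bank-login.example` domains, the PINs and the lockout threshold of 5 are constructed for the example. HMAC-SHA256 stands in for the device's signature so the script runs on the Python standard library alone; a real scheme would enrol only a public key with the relying party.

```python
"""Illustrative model (not Trust Nexus code): origin-bound challenge signing
plus app lockout. HMAC stands in for an asymmetric signature."""
import hashlib
import hmac
import secrets

LOCKOUT_THRESHOLD = 5  # assumed value for the "configurable number of failed logon attempts"


def _bind(domain: str, challenge: bytes) -> bytes:
    """Unambiguous encoding of (domain, challenge): length-prefixed domain, then challenge."""
    d = domain.lower().encode()
    return len(d).to_bytes(2, "big") + d + challenge


class MobileAuthenticator:
    """Phone-side model: the signing secret is generated here and used only here."""

    def __init__(self, pin: str, lockout_threshold: int = LOCKOUT_THRESHOLD):
        self._secret = secrets.token_bytes(32)
        self._pin = pin
        self._failed = 0
        self._threshold = lockout_threshold
        self.locked = False
        self.logged_on = False

    def enrolment_verifier(self) -> bytes:
        # Modelling shortcut: HMAC needs the same secret on both sides.
        # A real scheme would hand the relying party only a public key.
        return self._secret

    def logon(self, pin: str) -> bool:
        """App logon; after `lockout_threshold` consecutive failures the app locks itself."""
        if self.locked:
            return False
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._failed += 1
            if self._failed >= self._threshold:
                self.locked = True
            return False
        self._failed = 0
        self.logged_on = True
        return True

    def sign(self, browser_domain: str, challenge: bytes) -> bytes:
        """Sign a challenge bound to the domain the browser (not page JavaScript) reported."""
        if self.locked or not self.logged_on:
            raise PermissionError("authenticator locked or not logged on")
        return hmac.new(self._secret, _bind(browser_domain, challenge), hashlib.sha256).digest()


class RelyingParty:
    """Server side: knows only its own domain and each user's enrolment verifier."""

    def __init__(self, domain: str):
        self.domain = domain
        self._verifiers: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def enroll(self, user: str, verifier: bytes) -> None:
        self._verifiers[user] = verifier

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self._pending.pop(user, None)  # single use
        verifier = self._verifiers.get(user)
        if challenge is None or verifier is None:
            return False
        expected = hmac.new(verifier, _bind(self.domain, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios(pin: str = "2468", wrong_pin: str = "0000") -> dict:
    """Three walk-throughs with constructed data; returns the outcomes as a dict."""
    bank = RelyingParty("bank.example")  # constructed domain
    phone = MobileAuthenticator(pin)
    bank.enroll("alice", phone.enrolment_verifier())
    phone.logon(pin)

    # 1. Genuine login: the browser at bank.example reports its own domain.
    c1 = bank.new_challenge("alice")
    genuine = bank.verify("alice", phone.sign("bank.example", c1))

    # 2. Look-alike page relaying the bank's real challenge: the browser still
    #    reports the domain it is actually on, so the bank's check fails.
    c2 = bank.new_challenge("alice")
    phished = bank.verify("alice", phone.sign("bank-login.example", c2))

    # 3. Lockout: repeated wrong PINs lock the app, and signing is then refused.
    phone2 = MobileAuthenticator(pin)
    for _ in range(LOCKOUT_THRESHOLD):
        phone2.logon(wrong_pin)
    try:
        phone2.sign("bank.example", b"\x00" * 32)
        locked_refuses = False
    except PermissionError:
        locked_refuses = True

    return {"genuine": genuine, "phished": phished,
            "locked": phone2.locked, "locked_refuses": locked_refuses}


if __name__ == "__main__":
    print(run_scenarios())
```

The point the model makes is that the domain fed into the signature is an input the page cannot choose: if the browser supplies it, a page hosted on one domain cannot obtain a signature that verifies at another. The lockout counter is the second control the article describes; it only protects the app logon, so the model keeps it separate from the signing path.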

Some of the key aspects of the technology:

  • It is open-source and mostly free (they retain the rights to cloud-based services).
  • It can be run as a closed ecosystem within a corporation or government agency.
  • Eventually, for three party digital credentials (finance, insurance, government services, etc.) there will be a worldwide identity ecosystem that surprisingly will not contain any private user data.

Trust Nexus are attempting to form a research consortium that will first perform an in-depth technical review and then deploy a proof of concept (POC).

Their dream scenario is to engage major financial institutions, leading universities and key government agencies; most notably, the National Cybersecurity Center of Excellence: “At the NCCoE, we bring together experts from industry, government, and academia to address the real-world needs of securing complex IT systems and protecting the nation’s critical infrastructure.” https://www.nccoe.nist.gov/

They also hope to engage some of the major players in biometrics, which can be integrated into their digital credentials.