FIDO Alliance, formerly managed by Brett McDowell, who is now heading up the Hedera council. The question in my mind is whether the standard proposed requires a DLT shared by all participants, or if it is an option for participants, or if the exchange of public keys is just a transaction between the user and the specific company server?
https://youtu.be/03XHeplKKyw
It would be interesting if in the near future every login event had to go through a DLT. DLT platforms would compete to provide this service. Competition would be on price but also on the guarantee of security and speed. The DLT provider would be financially and legally liable for breaches, but so also would the companies that contracted the DLT. Companies would probably weigh security against cost, speed and dependability, as well as the strength of the platform governance to carry the requisite liability. Hedera will be well placed in this competition and was possibly even created for this express purpose. If so... that will be a lot of transactions!
I'm still wrapping my mind around decentralized identity. With logins specifically though, what is the benefit of logins being tracked in a DLT?
I think it is the way that logins even happen. They are essentially turned into DLT consensus transactions. Your identity claim (e.g. driver's license) is hashed and posted to a public DLT and thereby verifiable via an image that hashes to match the public hash. Then a public/private key pair attached to that identity claim (DL) is created in a secure enclave in your phone, as already happens with your fingerprint. Then an identity transaction (e.g. showing your DL to a police officer or bar bouncer) would take the form of a consensus transaction signed by that private key (which never leaves your phone), establishing that you are the owner of that DL. This could be done on site or online with the same level of security and no need for a password. A higher level of security would be established if the ID transaction depended on your phone signing several transactions, each referencing an independently verified identity claim (e.g. your DL, your work or school ID, other biometrics, past history, etc.). At $0.0001 per transaction Hedera would make this a very cheap and easy DLT authentication service for such a use case. Passwords are eliminated, any app can securely verify without the need for their own database of private ID information, and use of your digital ID can be tracked by authorized users to prevent misuse or revoke access for privacy reasons.
Sheesh this is gonna take me a while to digest. Thank you for explaining it to me
Is your fingerprint essentially your private key then? And is the image of your driver's license also potentially a private key? Tracking unauthorized users seems tricky to me too. Would there still be IP addresses to figure out where people are logging in from?
What biometric would be used, or what things would be used to log in, for devices that don't have fingerprint scanners (like logging into something with your PC)? It seems strange relying on video face scanners cuz I feel like that would be easily forged, but I could be wrong.
Your fingerprint gives permission for the phone to sign a transaction with the otherwise inaccessible private key, as happens now whenever you sign in with your fingerprint. The driver's license is authenticated by a third party (government) and attached to your ID via a DLT transaction that allows your phone to create a public/private key pair that signs on behalf of the owner of that DL. The same would happen with a school ID, which would then corroborate the ID claimed by the DL. Both private keys are held in a secure enclave in your phone. Samsung is making phones with hard-wired enclaves for this purpose and I think Apple products have something similar (the T2 chip in MacBooks).
But yes, the fingerprint scanner on your phone is a potential weak point... as it is currently... but it is also assumed that your phone is with you all the time and behaves in certain ways when it is with you. If it is lost or stolen you will get a new one quickly and the behavior of the stolen phone will change, giving notice for services to cancel access to your digital ID.
But using a public DLT method would allow you to authenticate on a phone to grant access to something via your computer... like Google Authenticator is used today... but it requires users and websites to trust Google's private ledger, whereas a Hedera public ledger would be a public utility for all to access that is trusted because Google, together with all the other global council members, would be guaranteeing authenticity.
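The flow sketched in the long reply above and refined in the fingerprint reply (hash the claim, publish the hash with a public key, keep the private key in the enclave, sign a verifier's challenge to prove ownership), as an added Go example that is not from the thread, FIDO or Hedera: it uses a local record in place of any ledger, standard-library ed25519, and constructed claim and challenge bytes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// ClaimRecord is the ledger entry the thread imagines: hash of the identity document
// plus the public key bound to it. Document and private key stay on the device.
type ClaimRecord struct {
	ClaimHash []byte
	PubKey    ed25519.PublicKey
}

// Device stands in for the secure enclave; the private key is only reachable via Sign.
type Device struct{ priv ed25519.PrivateKey }

// Enroll hashes the claim (e.g. a licence scan) and binds a fresh key pair to it.
func Enroll(claim []byte) (ClaimRecord, *Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ClaimRecord{}, nil, err
	}
	h := sha256.Sum256(claim)
	return ClaimRecord{ClaimHash: h[:], PubKey: pub}, &Device{priv: priv}, nil
}

// message binds the verifier's one-time challenge to the claim hash, so a
// signature cannot be replayed for another challenge or another claim.
func message(rec ClaimRecord, challenge []byte) []byte {
	return append(append([]byte{}, rec.ClaimHash...), challenge...)
}

// Sign runs inside the device once the holder has approved with a fingerprint.
func (d *Device) Sign(rec ClaimRecord, challenge []byte) []byte {
	return ed25519.Sign(d.priv, message(rec, challenge))
}

// Verify is what a bouncer's app or website runs: it needs only the public record.
func Verify(rec ClaimRecord, challenge, sig []byte) bool {
	return ed25519.Verify(rec.PubKey, message(rec, challenge), sig)
}

// MatchesClaim checks a document shown in person against the ledger commitment.
func MatchesClaim(rec ClaimRecord, claim []byte) bool {
	h := sha256.Sum256(claim)
	return bytes.Equal(rec.ClaimHash, h[:])
}
```

A verifier that reuses a challenge loses the replay protection, which is why each login would issue a fresh one.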
Following up on this... from the Sevo thread yesterday... given the logic of the linked post above, the Apple press release on expansion of the FIDO standard seems to imply a DLT-based standard... and Sevo is right that Hedera has a high likelihood.
I wonder why everything always has to be a secret. Instead of just saying they are testing on Hedera Ledger or anything at all. Just so odd. If I was a company testing functionality I would just say testing on a platform called Hedera.
Standard corporate practice... it's a high-security initiative, so why give it away? Plus they won't announce anything like that until Hedera is proven... but Google joining the council seems like a pretty obvious sign... not that the market cares... maybe when billions of daily login events are logged on Hedera...
Yeah, just frustrating... lol.
Try this video. Brett McDowell explaining FIDO digital identity in 2017. https://youtu.be/tgEEnd1h-dM