Thursday, February 15, 2018


We were discussing Remme and its use of blockchain for distributed identity management. Blockchain is a ledger that the public can use to verify grants and revocations without centralized ownership. It mitigates tampering and therefore serves as irrefutable proof. Remme replaces passwords with an application that essentially manages certificates. This certificate exchange is similar to the way browsers work, except that there is no certificate authority hierarchy. PKI infrastructure relied on an issuing-authority hierarchy, and the blockchain helps mitigate the need for that. Remme seems to use Bitcoin in its current version instead of the public blockchain, but what they have not explained is how it differs from Google's initiative in the Certificate Transparency project. There is no denying that blockchain can be a great store for storing and processing digital identity data.

Moreover, applications today find their way to a passwordless mechanism by having the server generate random information which the application with the consumer can then use. While these can be delivered by SMS and push notifications, they need not be six-digit one-time passcodes. They can be links instead of codes, with the link carrying a sufficiently unique random hash that it works like a password, especially if the mobile application with the consumer can open it in a browser. While some applications may be prevented by their app store policies from opening a link that leads to a marketplace outside the application, there is no restriction on using SMS to send a link. Although SMS has its own limitations as a notification channel, the idea that the server creates a passcode or passhash to admit the individual is not new. The only difference is whether there is a central authentication server and a database that keeps track of the timestamp, the individual, the passcode or passhash, and a flag indicating that it has been used.
When an individual sends this information to the server, the server calculates how much time has elapsed and whether the flag marking this one-time entry as used is set. The individual's submission of the launch parameters, which include this information, is then treated directly as a login credential. This notion is very similar to how tokens are issued and validated today. A token-issuing protocol such as OAuth never mandated a database for tokens in the first place, even though they are bearer tokens and last up to an hour, although the protocol does call for reducing the token expiration time and using scopes with the tokens. Blockchain provides this mode for credential storage. Since the credentials are issued by the server for a short time when the end-user application with the individual launches, there is no need for the user to remember passwords. This technique is very powerful in giving users notifications that amount to seamless entry to their resources. The only question that remains is in what cases a user interface should give the user the comfort of an actual or simulated sign-in process.
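The one-time link flow described above (server issues a random secret, records timestamp, individual and a used flag, then checks expiry and single use on submission), as an added example that is not code from the post or from Remme. The in-memory store, the ten-minute validity window and the function names are assumptions; a real service would back the store with a database.

```python
import hashlib
import secrets
import time

# Hypothetical in-memory store: token digest -> record (assumption).
_store = {}

TOKEN_TTL_SECONDS = 600  # assumed validity window for a link


def _digest(token):
    # Keep only a hash server-side so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link_token(user_id, now=None):
    """Server side: create a random one-time secret for user_id and record
    the timestamp, the individual and a used flag, keyed by its digest."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # ~256 bits, unguessable like a password
    _store[_digest(token)] = {"user": user_id, "issued_at": now, "used": False}
    return token  # embedded in the SMS/push link sent to the individual


def redeem_link_token(token, now=None):
    """Server side: validate a token submitted from the launch parameters.
    Returns the user id on success, or None if the token is unknown,
    already used, or older than TOKEN_TTL_SECONDS. Consumes the token."""
    now = time.time() if now is None else now
    record = _store.get(_digest(token))
    if record is None or record["used"]:
        return None
    if now - record["issued_at"] > TOKEN_TTL_SECONDS:
        record["used"] = True  # expired entries are never re-admitted
        return None
    record["used"] = True  # flip the flag before admitting, so replay fails
    return record["user"]


if __name__ == "__main__":
    link_secret = issue_link_token("alice")
    print("first redeem:", redeem_link_token(link_secret))
    print("replay:", redeem_link_token(link_secret))
```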
