Reverse two-factor authentication

Ever got one of those moments when you feel like you realized you just understood what something means and even though you knew it before, you now understand that you didn't fully get it earlier? I love those moments. After the initial "damn, I'm dumb" reaction you forget it and start to appreciate this new found wisdom you have.

Two-factor authentication was one of my recent ones. People think it's a security feature, and it is, but it's so much more. Or could be if we wanted.

Walk with me

Let's walk through what two-factor authentication is and how it works.

So when you register to a service, you create a username and a password. Service then stores these, and whenever you want to use the service, you log in by proving your username and password. This gives you an authorized user session with the service.

But what if somebody steals your username and password? If this happens they can use your account to do anything they want under your name. The whole computer security industry is built upon minimizing the risk of theft and limiting the damage of impersonation.

What is two-factor authentication

To improve security, we have a method called two-factor authentication. Two factor is a fancy way to say that you when you log in, your username and password are the first factor (or key if you like) and the second factor is a one-time password. If somebody steals your username and password, they can't do anything with them without having access to your one-time passwords as well.

Most of us have used online banks where you need to have a "key list" that the bank sends to you. When you log in, the service asks you to provide a specified key from the list. This is two-factor authentication in action. The key list provides the one-time password. More tech-savvy people use apps like Google Authenticator or Authy which are essentially digitalized key list with ability to generate infinite supply of one-time passwords.

But with tight security comes great responsibility.

When you use two-factor authentication you are responsible for keeping the key list safe. If you use a digital key list app, your key list is your phone. On top of being responsible of your phone, you still need to store so-called "recovery codes" in case you lose your phone. Recovery codes allow you to recreate the key list on another device.

Main takeaway Two-factor authentication is a way for you to have full control over your digital security. The price you pay for this freedom is the responsibility of not losing your phone and recovery codes.

The realization

Think about this: What if you could have a digital id that you own and it would live in your devices? This digital id would enable you to use any digital service that accepts it without having to create a new account. It would act as "a digital passport" but it wouldn't be tied to any government or corporation. It would a global identifier that everyone owns but nobody controls.

Today we are using two-factor authentication now as a security enhancer but what if you reverse the flow and treat two-factor authentication as your user account?

I know this is confusing but bear with me.

Imagine that instead of a username and a password you would have a magical device that contains a secret algorithm that is uniquely yours. You control the device and you can use this magical device to prove your identity. The proof the device generates is so secure that even with the fastest computer humans have built it would still take longer than universe's predicted life time to crack it. True story. Cryptographics are the bee's knees.

In practice it would work like this: When somebody needs to verify your identity, they will give you a number of their choosing. You then type the number into your magical device and it outputs a new number which proves you are you. You then give this proof to who asked you to prove your identity and they can verify the proof at their end.

If you are using that magical device and secret algorithm to prove your identity, what are they if not your identity? When I say "identity", I don't mean your "inner being" that is you. I mean identity like how passport or driver's license are your identity.

After you have proved your identity, you can then sign you messages with your id. Signing simply means that you use cryptography to generate a digital signature that can be used to prove that the message hasn't been tampered with and that it was you who created it. Technically this "signature" is your username. Of course you can still choose to your own username that gets displayed as your name to others but in computer's eyes the signature is your username.

In its core, everything here is still the same old two-factor authentication, but we have flipped the factors. Instead of identifying with usernames and passwords, we identify with one-time passwords. We then use our identity to inject our identity to the data we exchange with the service, constantly proving that it is still us and that the data hasn't been forged.

This magical digital id sounds like something we will have, but nobody knows how to build it yet. Fortunately, they are wrong.

Let's go over the recipe I came up how to build it.

The ingredients

  • Some sort of mechanic that allows you to prove your identity without 3rd parties.

    • We have this already. It's called public key cryptography, and it has been battle-tested since the 70s

  • A digital key list that generates new one-time pass based on a number.

    • In the registration process, the service and the id exchange signatures and they pick a shared security number that both store. The security number alone can't be used to verify identity.

    • In the login process, service generates a random number and sends it to the id.

      • The random number is cryptographically combined with the pre-agreed security number to create a proof that you know the pre-agreed security number

      • The id signs the proof and sends it to the service

      • Service does the same cryptographic combining process with the pre-agreed security number it has, and if the proofs match, an authorized user session is granted to the id

  • A common digital communication standard

    • We already have multiple well-tested APIs available that are treated as common standards

    • I'm working on this with Datagram project

  • People, lots of people

    • We need people to start using these digital ids so you can actually use yours somewhere

  • 100% free, no strings attached open-source specifications and code

    • Open-source guarantees that nobody has to worry about fees or licensing issues when deliberating which digital ids to support

    • Anybody should be able to use digital id no matter what the context is

    • Nobody should have the ability to ban or delete digital ids, except their own

Digital id are not a new thing, you already have several All internet-connected people already have several digital ids they use. These digital ids just happen to be owned by multi-billion dollar advertising companies like Google, Facebook, Twitter, and Apple. What is new is a digital id that you own 100%.

Reverse two-factor authentication: The project Avatar

I decided to make this happen so I created a place where the code and specifications can be found.

By the way, I dubbed the project Avatar because avatar means something that represents you, and it has been used as a name for an online user account for ages.


Oh and if you got mad skills, you are welcome to help.