Passwords are Passé

An alpha-numeric string wouldn’t save you

The massive data breaches in the last year have proven one thing for sure, data on the cloud isn’t safe! Not even in the hands of large enterprises who spend billions of dollars every year on shoring up their security.

And the problem has been lurking for a long time, we have just been ignoring it. Passwords are an archaic way of validating ownership. It worked fine till we were limited to an ISP account, one or two email accounts or probably even an eCommerce account or two. But that’s not the case any more. There are a plethora of web apps that one might consume in a day and almost every single one uses email to sign-on. And most users use same or similar passwords across all accounts. So if a hacker cracks one access using brute force, he can hijack your email as well. The web of inter-connectivity is complex and makes the whole online presence vulnerable.

We have been lulled into complacency. We are so used to using our email for signing up, we don’t even realize the exposure we are subjecting ourselves to when we give access through our email. As more breaches started being reported we were told to create a ‘strong’ password. It’s a band-aid companies have been using to keep us signing up on their services, assuring us that stronger passwords would be harder to crack.

Security structures are a trade-off between convenience and privacy. One can create a perfectly secure environment with eyes on the subject and a complex verification system but no user would consume that service. But you wouldn’t want a so-easy-to-use system that anyone can answer a couple of questions and get access to your account. A clever way to authenticate users, without loss of privacy or compromise on security, is through a zero-knowledge proof. Zero-knowledge proof is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true, without conveying any information apart from the fact that the statement is indeed true. The protocol never requires the user to enter any sensitive information on the (potentially compromised) device that they are logging in on.

An easy way to demonstrate how zero-knowledge proof works is through the following example:

Two balls and the colour-blind friend

A generic square placeholder image with rounded corners in a figure.
Software engineers Konstantinos Chalkias and Mike Hearn at a blockchain related conference in September 2017, showing live demonstration of this example

Imagine your friend is colour-blind (not being mean!) and you have two balls: one red and one green, but otherwise identical. To your friend they seem completely identical and he is skeptical that they are actually distinguishable. You want to prove to him they are in fact differently-coloured, but nothing else, thus you do not reveal which one is the red and which is the green.

Here is the proof system:

  • Process: You give the two balls to your friend and he puts them behind his back. Next, he takes one of the balls and brings it out from behind his back and displays it. This ball is then placed behind his back again and then he chooses to reveal just one of the two balls, switching to the other ball with probability 50%. He will ask you, “Did I switch the ball?” This whole procedure is then repeated as often as necessary.
  • Logic: By looking at their colours, you can of course say with certainty whether or not he switched them. On the other hand, if they were the same colour and hence indistinguishable, there is no way you could guess correctly with probability higher than 50%.
  • Inference: If you and your friend repeat this “proof” multiple times (e.g. 128), your friend should become convinced (“completeness”) that the balls are indeed differently coloured; otherwise, the probability that you would have randomly succeeded at identifying all the switch/non-switches is close to zero (“soundness”).

The above proof is zero-knowledge because your friend never learns which ball is green and which is red; indeed, he gains no knowledge about how to distinguish the balls.

Zero-knowledge proof finds tremendous application in block-chains and authentication. It can be used to guarantee that transactions are valid despite the fact that information about the sender, the recipient and other transaction details remain hidden. And is a similar way it is being fostered as a sign-up tool with no compromise on security and complete anonymity. Applied in a decentralized platform there is no concern of one company tracking all your moves.

Check out more about our zero-knowledge system to store and share your vital information securely and try out the app here.