Velas Technologies: Passwordless Authentication

[Jee]

According to research by NordPass, the average user holds 70–80 passwords each. That is a *lot* of passwords to remember. It is no surprise, then, that digital users’ security is a bottleneck and the main goal of hackers — this is why passwordless authentication becomes more and more popular, and more and more vital in a modern digital landscape.

Motivation

Having to create multiple accounts across multiple applications and platforms negatively impacts a product’s attractiveness and convenience. Having a Facebook account, for example, enables users to seamlessly sign into other services with it, reducing friction. Paid services, however, request additional information such as credit card binding which is unavailable during user authorization.

This is why services that implement Passwordless Authentication look increasingly attractive, as they don’t require additional time for authorization.

This technology is promoted by centralized services like Google, Facebook, Apple, Microsoft.

The disadvantages of centralized systems are:

• Every centralized system is a single point of failure. For example, during regularly scheduled maintenance operations on a platform, you won’t be able to authorize while this maintenance takes place.
• Centralized systems can be blocked by other centralized systems — if you have access now, it doesn’t mean you will have it tomorrow.
• If the centralized system doesn’t like the way you are using the services, your account could be deleted with little or no notice, and with little or no recourse to roll-back this deletion.
• To collect more information about you, centralized system may block your account.
• It is almost impossible to customize what is offered by centralized systems, especially when they become very large. You either agree with their rules, or choose another system.
• What can be done if the service you are using doesn’t support authorization with your account in an already existing centralized system?
• You still need to authorize in the old system using your password switching between. As a result, the system is no longer passwordless for you.

Meanwhile, the blockchain industry is growing rapidly and offers alternative authorization solutions, using seed phrases and the possibility of digital signing which allows you to sign authorization messages and providing all required information about the anonymous account:

• Address of the account owner
• Balance on account
• Transaction History

Authorization without centralized services is the main blockchain advantage due to exchanging messages between the service and the user’s wallet. Some agents will be needed to connect your wallet to the service, but this is the only function; anyone can create a service, but without the possibility of maliciously affecting other users because all attacks are prevented by cryptographic protocols.

The disadvantages of the decentralized systems are:

• Necessity to remember and save mnemonic phrases. No possibility to restore account access if it’s lost.
• Necessity to keep mnemonic phrases secret — anyone who gets access to your phrase automatically becomes you, from a digital point of view, and has the ability to perform the action, and this action will be considered as prolonged.
• Necessity of integration software with existing services. Centralized alternatives don’t facilitate implementation.

Please note that the centralized systems have the advantage of using a local database to store user data and interact with services without having to request additional information.

Each user action requires confirmation in the form of a transaction in decentralized systems. This means that the user has signed a message allowing the action and leading to a change of its state in the block, or a decrease in the balance (also, its state). Existing decentralized passwordless solutions don’t allow making quotas for certain actions that can be performed by a user without additional confirmation.

This feature is required to provide the same level of user experience that we are used to. For example, we want to like videos and leave comments on Youtube without confirming every action. This is possible if the device is authorized and permissions are granted on this service.

Also, users should be able to manage permissions and sessions of authorized devices to control their network activity and ensure the security of their account.

Decision

The fact that the database of all authorizations is located on the users’ device and decentralized authorization methods are a single entry point for all services, the problem of a device loss is not solved.

For developers, it’s necessary to make sure that:

• No one can get access to the seed-phrase from the device.
• No one can confirm authorization on behalf of the owner when the device is no longer owned (aka, in the case of loss or theft).
• It makes sense to replace the device database with a blockchain, where the ways to restore access to the account and blocking all devices become customizable. Also, losing a device doesn’t mean the loss of all active sessions. When an account is restored, all sessions are also restored.

So we receive the same usual functionality that we get in centralized services.

The user can choose different recovery methods:

Seed-phrase: The most secure, only the user knows it and is responsible for storing it, if a seed-phrase is lost, access is lost forever.

Google Account: Users trust google more than their devices. For example, when a user loses his phone, he is always able to restore everything from a Google account and never feels any inconvenience or security problems.

Apple Account: The same as Google Account.

Facebook Account: The same as Google Account.

Wechat Account: The same as Google Account.

Every selected option can be changed to another one at any time. In this way, the user can choose between full responsibility or delegation of responsibility for his security.

Another inconvenient factor surrounding decentralized authorization systems is that every action has to be confirmed on the device. If we want to leave a comment, we should generate the transaction that records this action on a blockchain. And this is different from the way centralized systems behave. YouTube users can immediately do this, without any additional actions.

Therefore, to emulate the functionality of a centralized system, a quota mechanism should be added to the decentralized system. Users will be asked to provide a quota for some actions at the moment of authorization.

For example, in the case of YouTube:

• Like
• Comment
• Subscribe

So, the user allows certain actions from a certain device, but all these quotas can be recalled in the future, because all information is stored in the blockchain.

We are focusing on the tools that will help to provide premiere user experience for developers and end-users.

For the Velas Ecosystem and its various services, DApps and products, we have designed Velas Account. This is a convenient way to execute on-chain operations and manage identity.

Through the Velas Account users will be able to access services, execute payments within them, send tokenized assets to other users, and login to applications seamlessly, by using biometric security on their phones. Our main goal is to make this as convenient as WeChat, Google Pay, and Apple Pay did.

.........

This is one of a series of articles outlining the complete package of Velas products on offer, and what the team has been working hard on over the past year. We’re covering everything from AIDPOS to Integrated Crypto Wallets and everything in between. You don’t want to miss it!

.........