Identity and password theft are becoming a great risk.
Identity and password theft results in the loss of funds, real estate and other digital assets.
In the WEB 3 world, this means getting locked out of the wallet and being unable to use the funds.
AI Brings Threats that are Hard for Humans to Deal With AI Can be used by attackers to impersonate account holders and service providers.
Thus, with the AI's emergence, identity protection becomes a major risk. The need for trust, biometircs, text messages, or passwords or central biometrics database makes the identity and account protection a nightmare.
Password Protection is not Secured
Stealing or abusing credentials to compromise identities is how most breaches begin.Passwords have existed since the beginning of computers, but they account for most hacks and breaches. According to Verizon’s Data Breach Investigations Report: 67% of account attacks result from compromised passwords and 82% of data breaches involve stolen credentials and phishing.
It is relatively easy to compromise or steal passwords which makes them the weakest link in the security chain.
MFA (multi-factor authentication) takes user authentication to the next level.
With MFA, a user should provide at least one additional “factor” of identification that only the authorized user could provide, still phishing, or SIM hacking, can overcome MFA.Finally, there is a solution for the password weakness.The Promise of Passkeys and Why it’s Not SecuredPasskeys serve as cryptographic keys, typically stored in a secure device like a PIN- or biometric-protected phone, allowing users to access specific websites without a password.Unlike passwords, passkeys do not rely on a shared secret, significantly enhancing security. They are specifically designed to thwart phishing, brute force attacks, and password stuffing attacks (exploiting compromised passwords from other accounts).Major industry players, including Apple, Microsoft, and Google, are actively endorsing passkeys, particularly advocating for the FIDO2 protocol. They have also introduced a mobile-based software-only solution, eliminating the need for additional hardware and promoting broader adoption. Notably, Noknok has reported over 1 billion logins per day using passkeys and FIDO2.Passkeys offer a blend of simplicity, security, and speed, particularly when users utilize their device's biometrics or PIN for website logins. Google has embraced passkeys as its preferred login method, signaling a shift towards this secure and user-friendly authentication approach.Using passkeys is not a perfect solution that addresses all issues. The current implementation introduces significant flaws, both in terms of security and privacy.
The private key (or passkey) is stored on the end user's device, and losing it results in being locked out of all user accounts.
To prevent this, Apple and Google back up the passkey in their respective keychains and cloud accounts. However, synchronizing passkeys with Google, Microsoft, and Apple cloud services poses major security and privacy risks.The current implementation is not entirely passwordless; recovering a lost phone requires the user to back up the secret key, typically behind a password, SMS, or recovery email-protected account. Breaching the Apple or Google account compromises the entire passkey protection.Passkeys are not as private as implied, as backing them up in Apple or Google's cloud means these companies have access to passkeys and, consequently, every passkey-protected website.
The standard running state on Arm-based phones allows malicious apps to access private keys, posing a significant security threat (see Pegasus)Passkeys have a single point of failure, such as losing access to the Apple or Google account, changing phone numbers, losing access to the phone, or providing the wrong recovery email address. Malicious actors can exploit SIM card theft (SIM swap) to trigger recovery processes, posing additional security risks.Most people store passkeys in the built-in password managers of their operating systems (Windows Hello, Google Password Manager, or iCloud Keychain). This poses a security risk, as a malicious actor gaining access to the Microsoft, Google, or Apple account can obtain passkeys for all other accounts.Passkeys lack convenience as they cannot be easily exported or ported between platforms, hindering users from switching between iPhone and Android devices without a significant risk of losing access to their accounts.The current passkeys implementation is centralized, making passkeys offered by OS providers potentially less safe. Relying on an OS provider for passkeys may lock users into security practices exclusive to those platforms, and OS providers have the power to change implementations or lock users into their environments.
WiKey Solution
WiKey frees the users from passwords, complex logins, and complex recovery procedures, and lets the user sign in with just a tap on the mobile device.In the Web3 world, the user will not be able to lose or forget his secret key, and transferring funds is done with a username and not a public key which greatly simplifies the interaction between users.
It actually makes web3 transactions simpler than FIAT transactions. With WiKey, the user’s passkeys and secret keys are not stored in the phone where they can get compromised but rather stored in a no-database, no-user controlled, decentralized cloud where no one, no jurisdiction, not us, not even the user has access to the passkeys.
Recovery via user’s details, email or text messages is not used as these can be easily hacked WiKey solves Key issues in identity and account Protection
MFA Fatigue: Constantly re-validating user identities negatively impacts productivity and usage. WiKey solves this with one-click access.
ATO Prevention: WiKey is a truly passwordless authentication solution that effectively prevents Account Takeover (ATO).
Phishing Resistance: WiKey, contains a FIDO-based authenticator that offers recovery protection, resistant to phishing and other attacks.
Freedom from a specific provider: WiKey, not hosted by any phone or OS provider, is resistant to account takeovers.
WiKey Presents Breakthrough Usability and Deployment
Memory-wise effortless: With WiKey, users don't need to remember any secrets, personal details, or recovery information.
Scalable: WiKey as a SaaS service integrates seamlessly with businesses or personal use, requiring no additional burden.
Cross-device compatibility: WiKey works on Android and iPhone simultaneously.
No extra hardware needed: Users don't require additional hardware for login or recovery.
Physically effortless: Beyond a PIN or biometrics, no physical activities are needed during login.
Easy to learn and adapt: WiKey is designed for user-friendly login to FIDO-compliant websites and WEB3 wallets.
Accessible: Users only need their phone to log in.
Near-zero cost implementation: Low financial cost per user with the option for a basic, cost-free service.
Browser compatible: WiKey can be used with any standard web browser without additional plugins.
Non-proprietary: Open source, free from royalties and trade secrets.WiKey provides Breakthrough Security Benefits
Transparent: All activities, requests, and configurations are transparent, enabling extension of the system.
Protection from physical observation: WiKey is fully protected from malicious users observing the user.
Protection from impersonation: WiKey prevents attackers from impersonating the user using any data obtained.
Protection from internal observation: Even if user input is intercepted (e.g., keylogger), an attacker can't imitate the user.
Protection from leaks from other verifiers: Data from social services that are or made public won't allow impersonation.
Protection from phishing: While an attacker may fake a provider or a user, they can't successfully impersonate the user to the service.
Protection from key theft: Even if an attacker gains possession of a user's device, they can't overcome the built in multi-signature login or transaction approval.
No trusted third party: The authorization process or recovery isn't based on a third party, preventing takeover or manipulation.Protected Account Recovery: Access recovery must only occur with the user's conscious consent.
Unlinkable: Any Information created by the user or as a result of the user’s activities cannot be used to deduce other services a user is using.
Open: The code and functionality is open source, and openly accessible.WiKey Technical OverviewWiKey uses blockchain technology and employs a decentralized blockchain platform to manage the system, and stores all data, configurations, and settings.
This blockchain, while public, can also be privately installed for enhanced security and privacy.
The absence of traditional databases for storing critical information makes the system immutable and impervious to hacking attempts.
The handheld device communication and commands uses a temporary secret key. The temporary secret key serves as a command mechanism for a permanent secret key securely stored within a zero-knowledge, trustless MPC system.
This serves several purposes: To prevent malicious attacks on the handheld device, to provide vastly extra protection by potentially using one or more devices for login, and to present a sophisticated yet simple to operate a recovery mechanism that is immune to AI-based and other types of attacks. To safeguard against unauthorized requests or Distributed Denial of Service (DDoS) attacks, all commands directed to the signing and login engine are signed exclusively with the temporary secret key.
This ensures the system's protection and resilience against potential security threats.Message signing for any blockchain activities or logins to web2 is accomplished through a Multi-Party Computation (MPC) engine and a decentralized Logic Engine.
These components work in tandem to receive and interpret commands, adding a layer of security.In addition, users are encouraged to declare recovery helpers. Recovery helpers are individuals such as friends, co-workers, or relatives possessing intimate knowledge not available on social networks.
The recovery helpers verify the identity of the person and re-enable the user to log in to all his accounts. The system is fully zero knowledge, which means that no one, not the recovery helpers and not WiKey, has access to the user’s secret keys.
This layer of personal connection makes the recovery process fully protected from AI bots or hackers that try to impersonate either the user or his service providers. WiKey further enhances security with a sophisticated, decentralized Logic Engine, facilitating features such as account login delegation, multi-user login, and advanced account protection policies for Web3 users. For the Web3 ecosystem, WiKey addresses perhaps the most significant challenges by removing concerns about secret key loss, secret key protection and backup and ensuring wallet funds protection, and enhancing the ease of Web3 usage through usernames rather than public keys. This comprehensive approach contributes to a more secure and user-friendly Web3 experience.