Block.one, a Cayman Islands-registered firm that publishes open-source software and protocols for EOS, one of the largest platforms for deploying enterprise-grade decentralized applications (dApps), has argued that “current methods of authentication suffer” from the “Hearsay Problem.”
Explaining what Hearsay means, in general, Block.one noted in its blog post, published on April 17th, 2019, that Hearsay is “any information received from one party about the statements or actions of a second party that cannot be adequately substantiated.”
Current “State-Of-The-Art Methods” Of Authentication May Not Be Reliable
Block.one also noted in its official blog that its stance on this matter is that “all information sourced from systems which rely on current state-of-the-art methods of authenticating users would qualify as mere hearsay if any of the involved parties were to call the validity of the information into question.”
Going on to mention that this “characteristic is referred to as repudiability,” which is a property whereby a statement’s claim or validity can be rejected, Block.one’s post explained that “two primary factors” could potentially “lead to this characteristic of repudiability.” According to Block.one, the “first factor is an authentication scheme that requires disclosure of a secret in order to validate the possession of that secret.”
For instance, “security schemes” such as “passwords” which are “subject to this factor,” make it “impossible to create logs of user activity that are verifiable by anyone other than the party and the counterparty,” Block.one’s blog stated. Moreover, the software publisher’s post noted that the “second factor is the lack of means to prove that the data within a system that actually represents the intent of the user,” which results in another issue, referred to as “The Blank Check”.
“The Blank Check” Problem
As mentioned in Block.one’s blog, the “Blank Check problem is present in any system that can take action on behalf of the user without needing the user’s explicit consent on that specific action.”
This same problem “is also present if the means of capturing the user’s consent is anything short of a log of proof that the user was informed of the implications of every individual action and explicitly consented to each action,” the software development firm wrote.
“Nothing Preventing Banks From Liquidating Or Locking User Funds”
From strictly a technical perspective, Block.one believes “there is nothing to prevent your bank from liquidating or locking your funds, and there would be no means of proving any wrongdoing, as the Bank could fabricate records of seemingly legitimate transactions. This would no doubt pose grave consequences that affect many stakeholders in a material way.”
These issues can be attributed to “the lack of provable auditable logs,” Block.one claims. It adds that technologies which “address this fundamental shortcoming” on existing platforms are not designed to be user-friendly.
According to Block.one, systems that “rely on passwords” for authentication and authorization are “subject to the Hearsay Problem and the Blank Check problem.” In order to provide robust security, while accurately determining whether a user should be allowed to access a system, Block.one proposes creating what they refer to as the “Pass Manager.”
Pass Manager: Ultimate Authentication And Authorization System?
As described in its blog post, Block.one noted that a Pass Manager could be implemented using “a blend of technologies [that could] work in tandem to produce superior security and usability for users, including cryptographic signing, hardware keys, and biometrics for credential security, as well as a transport-agnostic protocol for portability.”
Creating Non-Repudiable Logs
Going on to describe how an actual Pass Manager-enabled system would work, Block.one stated that “anytime a user’s consent is sought by a Pass Manager, human-friendly descriptions of the action should be shown to the user, and that description (or a cryptographically verifiable derivative of it) should be included in the signed response from the Pass Manager.”
The software publisher further noted that the “use of keys means that logs are non-repudiable and can be verified by third parties, and the inclusion of the human-friendly description in the signed response can serve as proof of the user’s intent. These characteristics solve both the Hearsay and Blank Check problems,” Block.one’s developers claim.
As explained, a Pass Manager-powered verification system would not require users to input passwords – which would arguably make the authentication and authorization process more secure.