Velas Technologies: Passwordless Authentication

Passwordless Authentication is one of the many quality-of-life security features within Velas. It keeps the entire ecosystem efficient for the user to engage with while maintaining crucial security at its very core.

Motivation

Having to create multiple accounts across multiple applications and platforms negatively impacts a product’s attractiveness and convenience. Having a Facebook account, for example, enables users to seamlessly sign into other services with it, reducing friction. Paid services, however, request additional information, such as credit card binding, which is unavailable during user authorization.

This is why services that implement Passwordless Authentication look increasingly attractive, as they don’t require additional time for authorization.

This technology is promoted by centralized services like Google, Facebook, Apple, and Microsoft.

The disadvantages of centralized systems are:

  • Every centralized system is a single point of failure. For example, during regularly scheduled maintenance operations on a platform, you won’t be able to authorize while this maintenance takes place.
  • Centralized systems can be blocked by other centralized systems — if you have access now, it doesn’t mean you will have it tomorrow.
  • If the centralized system doesn’t like the way you are using the services, your account could be deleted with little or no notice, and with little or no recourse to roll back this deletion.
  • To collect more information about you, a centralized system may block your account.
  • It is almost impossible to customize what is offered by centralized systems, especially when they become very large. You either agree with their rules, or choose another system.
  • What can be done if the service you are using doesn’t support authorization with your account in an already existing centralized system?
  • You still need to authorize in the old system using your password when switching between them. As a result, the system is no longer passwordless for you.

Meanwhile, the blockchain industry is growing rapidly and offers alternative authorization solutions based on seed phrases and digital signing, which allows you to sign authorization messages and provides all the required information about the anonymous account:

  • Address of the account owner
  • Balance on account
  • Transaction History

Authorization without centralized services is the main advantage of blockchain: it works by exchanging messages between the service and the user’s wallet. Some agents are needed to connect your wallet to the service, but that is their only function. Anyone can create a service, but without the possibility of maliciously affecting other users, because all attacks are prevented by cryptographic protocols.

The disadvantages of the decentralized systems are:

  • The need to remember and store mnemonic phrases. There is no way to restore account access if the phrase is lost.
  • The need to keep mnemonic phrases secret — anyone who gets access to your phrase automatically becomes you, from a digital point of view, and has the ability to perform the action, and this action will be considered as prolonged.
  • The need to integrate software with existing services. Centralized alternatives don’t facilitate implementation.

Please note that the centralized systems have the advantage of using a local database to store user data and interact with services without having to request additional information.

In decentralized systems, each user action requires confirmation in the form of a transaction. This means that the user signs a message that allows the action and leads to a change of state in the block, or to a decrease in the balance (which is also state). Existing decentralized passwordless solutions don’t allow setting quotas for certain actions that a user can perform without additional confirmation.

This feature is required to provide the same level of user experience that we are used to. For example, we want to like videos and leave comments on YouTube without confirming every action. This is possible if the device is authorized and permissions are granted on this service.

Also, users should be able to manage permissions and sessions of authorized devices to control their network activity and ensure the security of their account.

Decision

Because the database of all authorizations is located on the user’s device, and decentralized authorization methods are a single entry point for all services, the problem of device loss is not solved.

For developers, it’s necessary to make sure that:

  1. No one can get access to the seed-phrase from the device.
  2. No one can confirm authorization on behalf of the owner when the device is no longer in the owner’s possession (that is, in the case of loss or theft).
  3. It makes sense to replace the device database with a blockchain, where the ways to restore access to the account and blocking all devices become customizable. Also, losing a device doesn’t mean the loss of all active sessions. When an account is restored, all sessions are also restored.

This gives us the same functionality that we are used to in centralized services.

The user can choose different recovery methods:

Seed-phrase: The most secure option. Only the user knows it and is responsible for storing it. If a seed-phrase is lost, access is lost forever.

Google Account: Users trust Google more than their devices. For example, when a user loses his phone, he is always able to restore everything from a Google account and never feels any inconvenience or security problems.

Apple Account: The same as Google Account.

Facebook Account: The same as Google Account.

WeChat Account: The same as Google Account.

Every selected option can be changed to another one at any time. In this way, the user can choose between full responsibility or delegation of responsibility for his security.

Another inconvenient factor surrounding decentralized authorization systems is that every action has to be confirmed on the device. If we want to leave a comment, we have to generate a transaction that records this action on a blockchain. This is different from the way centralized systems behave: YouTube users can do this immediately, without any additional actions.

Therefore, to emulate the functionality of a centralized system, a quota mechanism should be added to the decentralized system. Users will be asked to provide a quota for some actions at the moment of authorization.

For example, in the case of YouTube:

  • Like
  • Comment
  • Subscribe

So, the user allows certain actions from a certain device, but all these quotas can be recalled in the future, because all information is stored in the blockchain.
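The quota behaviour described above can be sketched as follows. This is an added example, not Velas code: the `SessionLedger` class, its method names, the in-memory dictionary standing in for the on-chain record, and the reading of a quota as a use count are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    quotas: dict            # action -> uses granted at authorization time
    revoked: bool = False

class SessionLedger:
    """In-memory stand-in for the on-chain session record (assumption)."""

    def __init__(self):
        self.sessions = {}  # (account, device, service) -> Session

    def authorize(self, account, device, service, quotas):
        # The user confirms once, on the device, and grants per-action quotas.
        self.sessions[(account, device, service)] = Session(dict(quotas))

    def perform(self, account, device, service, action):
        s = self.sessions.get((account, device, service))
        if s is None or s.revoked:
            return "denied"                 # unknown or recalled device
        if s.quotas.get(action, 0) <= 0:
            return "needs_confirmation"     # outside quota: sign a transaction
        s.quotas[action] -= 1
        return "allowed"                    # inside quota: no extra prompt

    def revoke_device(self, account, device):
        # Recall every quota granted to a lost or stolen device.
        hit = [s for (a, d, _), s in self.sessions.items()
               if a == account and d == device and not s.revoked]
        for s in hit:
            s.revoked = True
        return len(hit)

def demo():
    ledger = SessionLedger()
    # Constructed sample data: account, device and service names are made up.
    ledger.authorize("alice", "phone-1", "video-site", {"like": 2, "comment": 1})
    out = [ledger.perform("alice", "phone-1", "video-site", a)
           for a in ("like", "like", "like", "comment", "subscribe")]
    ledger.revoke_device("alice", "phone-1")
    out.append(ledger.perform("alice", "phone-1", "video-site", "comment"))
    return out

if __name__ == "__main__":
    print(demo())
```

An action that was never granted, or whose quota is used up, falls back to explicit confirmation, and a recalled device is refused even for actions it had quota for.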

We are focusing on the tools that will help to provide a premier user experience for developers and end-users.

For the Velas Ecosystem and its various services, DApps and products, we have designed Velas Account. This is a convenient way to execute on-chain operations and manage identity.

Through the Velas Account, users will be able to access services, execute payments within them, send tokenized assets to other users, and log in to applications seamlessly, by using biometric security on their phones. Our main goal is to make this as convenient as WeChat, Google Pay, and Apple Pay have.

This is one of a series of articles outlining the complete package of Velas products on offer, and what the team has been working hard on over the past year. We’re covering everything from AIDPOS to Integrated Crypto Wallets and everything in between. You don’t want to miss it!

Velas Official
