Trust Nexus
WebAuthn+ JSON DLT ~ The Internet of Value
WebAuthn+ will end the identity crisis by providing secure authentication.

Distributed Ledger Technology (DLT) will end the blockchain hype.
  
This first wave of Blockchain/Distributed Ledger applications will most certainly fail; however...
Eventually, Distributed Ledgers (not crypto-currencies), as a cryptographically secure shared source of truth that can be processed by intelligent systems, will provide great benefits to all businesses, from startups to multi-national corporations to impoverished villagers in the third world.
The Internet of Value will become a reality.  Some have estimated that the resulting economic efficiencies (by reducing time, costs and risk) will be measured in trillions of dollars.[ref]
Secure authentication is the key.
A W3C Recommendation was recently published:  Web Authentication: An API for accessing Public Key Credentials
This recommendation is commonly referred to as WebAuthn; it is exceptionally detailed and complex, perhaps unnecessarily so.
The WebAuthn document reads like the blueprint for a massive suspension bridge to be built across a "narrow creek".  The problem that needs to be solved for web authentication is actually very simple:  ensure the user is on the right web page; "www.chase.com" not "www.chaze.com".
Even though WebAuthn has support from some of the major corporate players, the recommendation has glaring deficiencies:
  • A physical security key, which must be plugged into the computer's USB port, is required to authenticate to a desktop system.  While inconvenient for the user (and insecure if the user leaves it plugged in), this is a great deal for anyone selling security keys.
  • The need for physical security keys explains why Yubico is one of the major driving forces for WebAuthn and why Google (another major driving force) is now selling security keys.
  • A secondary implementation requires an NFC Reader which must be attached to any computer the user wants to use for secure authentication.
  • A tertiary implementation involves "platform authenticators" (e.g., fingerprint readers, iris scanners, voice authenticators, etc.).  While some new mobile devices and some new laptops have fingerprint readers, older mobile devices, older laptops and most desktops do not.
  • There are limited resources for developers (just some brief code samples).  There is no open source reference implementation in the WebAuthn documentation.
  • Browser compatibility is a glaring deficiency for any web app provider with a large user base.  Only the newest versions of Chrome, Edge and Firefox will support (some aspects of) WebAuthn.  Internet Explorer, Opera and Safari (Apple) have no support.
  • Portions of the WebAuthn recommendation (e.g., Bluetooth communication from the browser to a smart phone) are not yet supported.
  • The most glaring deficiency of WebAuthn is privacy protection.  The WebAuthn API seems designed to give the makers of browsers the ability to monitor a user's sign on to every application and to harvest data from that process.
  • The banking community will NEVER adopt a platform that allows others to harvest their customer data.  Banking IT professionals will want to inspect every line of source code in an authentication system.
  • While the WebAuthn recommendation mentions privacy in terms of keeping user credentials private from other users, there is no mention of restrictions on the providers of browsers and operating systems in harvesting a user's personal data.
  • Anyone familiar with Identity and Authentication Management (IAM) who reads the WebAuthn recommendation will realize the proponents of WebAuthn are attempting to co-opt a large portion of the IAM process.  Control is being centralized.
  • When there is centralized control, bad actors both in big corporations and in big governments can corrupt the process.  Our Orwellian future is close at hand.  "Big Brother" is watching.
There are some incredibly smart people promoting WebAuthn.  When incredibly smart people engage in tribal mentality, bad things usually happen.
"Groupthink is a psychological phenomenon that occurs within a group of people in which the desire for harmony or conformity in the group results in an irrational or dysfunctional decision-making outcome.  Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative viewpoints by actively suppressing dissenting viewpoints, and by isolating themselves from outside influences."[ref]
"Groupthink requires individuals to avoid raising controversial issues or alternative solutions, and there is loss of individual creativity, uniqueness and independent thinking.  The dysfunctional group dynamics of the 'ingroup' produces an 'illusion of invulnerability' (an inflated certainty that the right decision has been made).  Thus 'the ingroup' significantly overrates its own abilities in decision-making and significantly underrates the abilities of its opponents (the 'outgroup')."[ref]
A revised standard, WebAuthn+, will remedy the deficiencies of the current proposal:
  • The foundation of WebAuthn+ is a simple Cloud to Mobile Authenticator that enables users to simply touch a "Sign On" button on their smart phone and securely authenticate to a web application.
  • No extraneous physical security keys are required.
  • WebAuthn+ utilizes simple JavaScript. There are no specialty APIs or frameworks.
  • WebAuthn+ works with or without Bluetooth communication.  Users with older systems are not excluded from the process.
  • WebAuthn+ provides an open source reference implementation.
    "A system is secure if the plans for the system are public, and the bad actors can still not break in."
  • WebAuthn+ protects privacy.  It is not designed to harvest data from the authentication process.
  • WebAuthn+ provides secure support for Distributed Ledger Technology (DLT) which will make the Internet of Value a reality.
  • The user experience (UX) for WebAuthn+ is simple and friendly.
  • WebAuthn+ is incredibly secure.  There is only one threat vector:  If a bad actor "looks over your shoulder", steals your six-digit HEX PIN and then steals your smart phone before you can report it lost or stolen, the bad actor can access your account.
The graphic below is from a Google I/O presentation which provides a comprehensive overview of WebAuthn.
The key difference between the architecture for WebAuthn and WebAuthn+ is that in WebAuthn the process is primarily controlled by the browser.  WebAuthn is an extension of the JavaScript Credential Management API which, "lets a website [through the browser] store and retrieve user, federated, and public key credentials."
In WebAuthn+ the authentication process is in complete control of the web application provider (the code is open source and available to all).  Credentials are stored on the user's smart phone and within the data structures of the web application provider.
Hover over the numbers below in sequence and you will realize how simple and elegant the WebAuthn+ process truly is.
Imagine a world where user names and passwords are no longer necessary, and authentication is simple and secure.
Imagine a world where Distributed Ledgers are a "cryptographically secure shared source of truth" and the Internet of Value is real.
Imagine a world where funds transfers are simple, secure and fast.  SWIFT, ACH, Venmo, Zelle and all others will soon be replaced by a system that is open source, secure and enables billions of transactions in parallel worldwide.
The Internet of Value will enable, "ubiquitous access to efficient financial systems and the ability to transact with anyone in the world."
~ W3C - Internet of Value Manifesto ~
The Internet of Value will be realized with WebAuthn+ and Distributed Ledger Technology (DLT).
The authentication process will soon become incredibly simple and secure. A user will go to a web application's "Sign On" page:
Through an encrypted Firebase channel the Authentication Code (displayed on the web page: WHSL LRTU FLVM) and the session UUID will be sent from the web server to the user's smart phone:
The user will verify the Authentication Code and then touch Sign On.  The sign on web page will "auto-magically" transform:
A Verification Code, generated in the user's smart phone and sent through an encrypted channel to the web server, will be displayed on both the web page and the user's smart phone (HCB 121):
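The sign-on exchange described above, sketched as an added example (this is not Trust Nexus code). The Ed25519 key enrolled on the phone, the 60-second expiry and the function names are assumptions, and the Firebase channel is replaced by direct function calls.

```javascript
// Added illustration, not Trust Nexus code. Assumed: the phone holds an Ed25519 key
// enrolled with the server; function names and the 60 s expiry are hypothetical.
const crypto = require("node:crypto");

const LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const DIGITS = "0123456789";
const pick = (alphabet, n) =>
  Array.from({ length: n }, () => alphabet[crypto.randomInt(alphabet.length)]).join("");

// Web server: open a pending sign-on and create the code shown on the page.
function startSignOn(sessions, ttlMs = 60_000) {
  const authCode = [pick(LETTERS, 4), pick(LETTERS, 4), pick(LETTERS, 4)].join(" ");
  const session = { uuid: crypto.randomUUID(), authCode, expires: Date.now() + ttlMs, used: false };
  sessions.set(session.uuid, session);
  return { uuid: session.uuid, authCode }; // pushed to the phone
}

// Phone: runs only after the user has confirmed the code matches the web page.
function approveOnPhone(push, privateKey) {
  const verificationCode = `${pick(LETTERS, 3)} ${pick(DIGITS, 3)}`;
  const payload = Buffer.from(JSON.stringify({ ...push, verificationCode }));
  return { payload, signature: crypto.sign(null, payload, privateKey) };
}

// Web server: accept one approval per live session, and only from the enrolled key.
function completeSignOn(sessions, reply, publicKey) {
  if (!crypto.verify(null, reply.payload, publicKey, reply.signature)) return null;
  const msg = JSON.parse(reply.payload.toString());
  const s = sessions.get(msg.uuid);
  if (!s || s.used || Date.now() > s.expires) return null; // unknown, replayed or stale
  if (msg.authCode !== s.authCode) return null; // approval was for another page
  s.used = true;
  return msg.verificationCode; // shown on both the page and the phone
}

// Constructed run with a freshly generated key pair.
const phoneKey = crypto.generateKeyPairSync("ed25519");
const pending = new Map();
const pushed = startSignOn(pending);
const shown = completeSignOn(pending, approveOnPhone(pushed, phoneKey.privateKey), phoneKey.publicKey);
console.log(pushed.authCode, "->", shown);
```

The server-side checks are what bind the phone's approval to one browser session: a signed reply is rejected if it is replayed, arrives after expiry, or comes from a key other than the enrolled one.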
This is not theoretical; for all processes we have a functioning prototype and almost everything works:
  • Identity Management
  • Distributed Ledger
  • Funds Transfer
The messaging from the browser to the smart phone over Bluetooth (step 2) is not yet supported by the browsers.  Once it is supported in the WebAuthn process, we will be able to utilize that portion for WebAuthn+.  It is also possible that the communication from the browser will eventually be supported by the Web Bluetooth API. Even now, the One Touch Sign On™ process is more secure and convenient than SMS authentication codes.
You can test this for yourself.  Install the TNX One Touch mobile app and then go to our Test page.
How can a user's smart phone provide simple and secure authentication?  It's simple. 
Click here for more details.
The One Touch Sign On™ process will also be used to sign transaction blocks within a JSON Distributed Ledger.
Click here for more details.
How can funds transfers be simple, secure and fast (replacing SWIFT, ACH, Venmo, Zelle and all others)? 
Click here for more details.
© Copyright 2019 ~ Trust Nexus, Inc.
All technologies described herein are "Patent Pending".