As long as we are establishing some standardized user-friendly methodology here for the non-geek common man or woman, I'd like to go ahead and document in the forum another idea I've had along this line.
If NXT is going to succeed, it is going to succeed because the average person worldwide starts using NXT via their cellphone.
Let me say that again.
If NXT is going to succeed, it is going to succeed because the average person worldwide starts using NXT via their cellphone.
The last thing a person with a cellphone is going to do is sit there and type in a 50 digit uppercase-lowercase password to buy a candy bar with NXT.
Let me say that again.
The last thing a person with a cellphone is going to do is sit there and type in a 50 digit uppercase-lowercase password to buy a candy bar with NXT.
So at some point between the geeks dreaming this stuff up and the average joe using it, there is going to be the creation of a user-friendly surrogate password method that is easier to use, just like the user-friendly surrogate account number method being brilliantly addressed by this Reed Solomon thread.
My proposed solution is a centralized (gasp - ha ha ha) trusted authority (just like the centralized trusted authority that manufactures and mails credit cards today) that manufactures sets of matching metal medallions sold in a tamperproof blister pack to everyday average people. They can buy them at the convenience store next to the cigarettes and the condoms. Heck, we might even give them away for free. Opening this blister pack lets them instantly create a NXT account on their cellphone.
As an aside, this person has just opened an NXT bank account at the same time he bought those condoms. Opening a bank account is a big deal and getting harder and harder for more and more people to do. Bank accounts in a box for the lower middle class are a booming business - see "Bluebird" from AmEx and Walmart here in America:
https://www.bluebird.com/?SOLID=BBSEMITS . There's still time for NXT to get in this game on the ground level...
Anyway, on these NXT metal medallions are QR codes purchasers scan with their phone.
Scanning the first medallion QR brings up an NXT client install package from Google Play or the Apple App store. The user runs this.
Once the client is installed on the phone, the user runs the NXT client for the first time and scans the second metal medallion QR. This loads the fresh client with a user account code - the same 20 character user code discussed above, which is also stamped on the back of the second medallion in human readable form.
The user puts the third NXT metal medallion on their keychain along with their key to their house / apartment and the key to their car. (Or in Africa, the padlock to their bicycle. Whatever). This medallion has a QR code containing the 50 character passcode for the account they've loaded in their cellphone. When they want to buy that candy bar, they scan the vendor's account medallion QR, then they scan their passcode medallion QR on their keychain. Boom. They've bought a candy bar, NXT has conquered the world.
They lose their cellphone, no problem, the passcode medallion is still on their keychain and their NXT is safe. When they get a new cellphone, they rescan their original two medallions and they are back up and running as an NXT user.
They lose their keys, or a purse containing both their cellphone and their keys, they've got a problem. Whoever finds the keychain can use the medallion on the keychain to empty their NXT account once they read / decode its QR code and get to a desktop computer with a NXT client - or enter a home they're not supposed to be in, or steal a vehicle, or run up a tab on a stolen credit card. Hey, it's a bitch to lose your keys or purse.
This is why when they bought the original blister pack in the convenience store, there was a second passcode medallion in it. They have stored this second passcode medallion along with the user account number medallion in the safety of a home hiding place. If they lose their keychain or purse, along with changing the locks on their home or canceling their credit card, they have to go to the convenience store and buy another NXT blister pack with a new set of NXT medallions. They run the "emergency total funds transfer" option on their cellphone client by scanning first the original spare passcode medallion, then the replacement user account medallion. As long as they do this before a bandit finds and uses their lost keychain passcode medallion, they're OK. Hey, that's better than losing the cash in their purse - it's gone instantly! Use NXT instead of cash, common folks, it's cheaper than a credit card (psst - "cash back" is a total scam!!!) and unlike cash you've got a shot at transferring NXT to safety if it's lost or stolen!
People will buy into this scenario because it so closely matches what their current situation is on using and protecting their credit cards, which is a widely understood protocol. The big difference is that credit card companies will not hold them liable for losses on a stolen credit card - those losses are passed on to all credit card users in the form of higher fees and interest rates. With NXT, you are all on your own, and nothing can change that. Better hope you scan a new medallion to transfer your funds to safety before somebody else scans your lost or stolen medallion and takes all your NXT.
This whole scenario depends on a centralized (boo! hiss!) trusted source of the metal medallions - just like there is currently a central trusted authority that manufactures and mails valid credit cards that get activated over the phone. That manufacturer has got to have ironclad security ensuring that only one set of medallions is produced that goes into one blister pack, with no duplicates or records of what passcodes were generated. And for this scheme to work, people buying the blister packs on the street (the 50-90% of people in the world who aren't going to sit down in front of a computer and generate their own 50 character passcode in a random and secure manner) have got to trust that.
Which leads to the whole subject of scammers counterfeiting the blister packs and monitoring accounts they've created until somebody loads it with NXT for them to steal. I don't have all the answers here. I think the correct answer is that the success and utility and usefulness of the mobile phone NXT system is so great that it overcomes the distraction of the inevitable but hopefully small vultures that prey on its outskirts and perimeter. [EDITED TO ADD: I guess an obvious measure against counterfeiting medallions would be for an official client downloaded from a trusted source like the Apple App Store or Google Play to verify that a loaded user account number was on a pre-authorized list coordinated with the medallion manufacturer. Then you "only" have to monitor the App Store or Google Play to see that no rogue clients got uploaded as part of a fake medallion scam...]
So - metal NXT medallions sold in blister packs to the 50-90% of the world with a cellphone who will never sit down at a computer and create their own 50 character passcode securely and randomly. That's my concept. If you think it's unworkable, then I ask you:
How can people with cellphones buy a candy bar with NXT?
The passcode medallions will be copied, and when the customer uses them the retailer who copied them will steal the NXT.
Or family, friends, work colleagues will do this.
I agree with your thoughts but not the implementation, this suggestion below is rough, not perfect, and is similar to some of the mobile money implementations in existence - which while they don't use digital currencies they do create a 3DES key for control and access to funds.
The user downloads an app from the app store.
The user selects a pin for the app.
The app generates a passcode for an NXT account - using an algorithm - I would use a recoverable multi-part code - possibly the SIM number or IMEI, the phone number and the PIN (the app can hash it - the point is it's hard to replicate and results in strong passwords but can be recovered)
Reason for this...
The user knows the pin, the network knows the phone number and the sim number / IMEI - the SIM/IMEI numbers are never re-used and globally unique
It also means if the user loses the phone then, using phone company records (if they don't know the SIM number) and a recovery option on the app which knows the passcode algorithm, the NXT can be recovered.
To steal something someone would need to know all parts of the code.
For an advanced user you could allow them to store their own strong passcode with a warning they need to keep a copy.
Access to the NXT account would be via the PIN, and the customer would be advised to add a phone PIN lock; you can also add a wipe-on-5-fails option in case of a brute force attack on the PIN - which is usually enough to protect it.
To support the emerging market where the majority of phones are non-smart - i.e. only SMS and USSD services then either you don't go there or you need an STK sim application or a USSD gateway application which users can access, which would do the registration etc - this can be done and is in place for volume e-money applications today - you would need cooperation of the phone company to some degree.
Merchant transactions are tough - person to person transfers can have some lag, BTC is ludicrous, but when you have a queue of customers in a shop even tens of seconds are an issue for the shopkeeper. Also you need to have a clear app transaction model between the merchant and the customer and identity transfer using a method which is universally available, and there are lots of places in the world which don't have electronic tills, scanners or readers. So a merchant transaction is subtly different from a normal P2P transaction - this is too long to articulate here, but there are some card-less models in Africa which are being quite successful, much to VISA/MCard/Google's annoyance.
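The multi-part passcode derivation and the wipe-on-5-fails PIN gate described in the reply above, as an added example that is not code from this thread or from any NXT client. The IMEI, phone number and PIN values are constructed, and PBKDF2-HMAC-SHA256 is my choice of hash, since the reply does not name one.

```python
import base64
import hashlib
import hmac

# Constructed sample values (hypothetical; not a real subscriber).
SAMPLE_IMEI = "490154203237518"
SAMPLE_MSISDN = "+254700000001"
SAMPLE_PIN = "4827"

def derive_passcode(imei: str, msisdn: str, pin: str, iterations: int = 100_000) -> str:
    """Deterministically derive a 50-character passcode from the three parts.

    IMEI (or SIM number) and phone number are the non-secret, recoverable salt;
    the PIN is the only part the user memorises. PBKDF2-HMAC-SHA256 (my choice)
    makes each PIN guess cost real work; same inputs always give the same passcode.
    """
    salt = f"{imei}|{msisdn}".encode()
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=39)
    return base64.urlsafe_b64encode(key).decode()[:50]   # 39 bytes -> 52 chars, keep 50

def recover_passcode(carrier_records: dict, msisdn: str, pin: str) -> str:
    """Recovery path after a lost phone: look up the old IMEI in (constructed)
    carrier records by phone number, then re-run the same derivation."""
    return derive_passcode(carrier_records[msisdn], msisdn, pin)

class PinGate:
    """Local PIN check with the 'wipe on 5 fails' policy from the reply."""
    MAX_FAILS = 5

    def __init__(self, imei: str, msisdn: str, pin: str):
        self._imei, self._msisdn = imei, msisdn
        # Keep only a verifier of the derived passcode; the PIN itself is never stored.
        self._verifier = hashlib.sha256(derive_passcode(imei, msisdn, pin).encode()).digest()
        self.fails = 0
        self.wiped = False

    def unlock(self, pin: str):
        """Return the passcode on a correct PIN, else None; wipe local state after MAX_FAILS."""
        if self.wiped:
            return None
        candidate = derive_passcode(self._imei, self._msisdn, pin)
        digest = hashlib.sha256(candidate.encode()).digest()
        if hmac.compare_digest(digest, self._verifier):
            self.fails = 0
            return candidate
        self.fails += 1
        if self.fails >= self.MAX_FAILS:
            self.wiped = True          # funds stay recoverable via recover_passcode()
            self._verifier = b""
        return None
```

After a wipe the phone holds nothing usable, yet the owner can still rebuild the same passcode from carrier records plus the PIN, which is the recovery property the reply relies on.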