Bitcoin Forum
61  Bitcoin / Bitcoin Discussion / Re: How long will existing encryption last? on: March 15, 2020, 09:22:32 AM
The modern protection system is a modern protocol, a set of instructions on the technologies underlying these protocols.
The main technology underlying the security systems is cryptography.
Cryptography, any system, is built on the methods of using the key, which is used as the instruction needed to configure individual (for this key) encryption algorithms.
Therefore, any protocol based on modern cryptography will always ask you for the key, password, biometric identifiers, which are essentially the same password, password-constant, it cannot be changed.

As soon as you build a system that has a weak link in its foundation - a password or key, so prepare yourself immediately for the fact that scammers will not break you in the forehead, they will look for access to keys and passwords.

Modern cyber crime research, their statistics, reports from companies dealing with this issue, even a Microsoft report - all this clearly shows that keys and passwords are almost always stolen.

Any security system, the most sophisticated and modern, even postquantum ones, if based on passwords or keys, will have a vulnerability in this very weakest link - the key (password).

Only keyless encryption systems will allow to build more reliable security systems.

In password authentication systems - there are passwords, there are digital identifiers. 2FA is a way to combine your permanent digital identifier (e.g. password) and a variable (e.g. code in the SMS that is not repeated anymore). The essence has not changed, the response time of the cheater has changed and the complexity of the attack.

Today, the most reliable system 2FA - is no longer reliable.

Any 2FA - easy to break, especially if the second factor is your smartphone! SMS - much easier to intercept than to find out your master password.

You need the next step, 3FA, 4FA ... - playing cat and mouse, not solving the authentication problem.
Only passwordless authentication, real authentication without a password, not a temporary password like 2FA, is the solution.

For those who trust 2FA, this is the material:

1. scammers have learned to intercept SMS with security codes sent by banks and withdraw all the money that is on the card. Not so long ago this way in Germany cybercriminals pulled off a major operation to steal money from credit cards of hapless users.
It should be noted that 2FA via SMS has already been officially recognized as an insecure authentication method due to unrecoverable vulnerabilities in Signaling System 7 (SS7), which is used by mobile networks to communicate with each other.
A few years ago Positive Technologies specialists showed how SMS is intercepted.

2. In fact, the assumption of inconvenience (and insecurity) was confirmed by Grzegorz Milka, the same speaker from Google. The Register journalists asked him why Google will not enable two-factor authentication by default for all accounts? The answer was usability. "It's about how many users will leave if we force them to use additional security."
That's a good, honest answer.

3. Even before I started studying IT security science, I thought 2FA authentication was a guaranteed way to secure my account and no "these hackers of yours" could, say, steal my internal currency to buy... on your account. But over time, it has been proven by experience that a two factor authentication system can have many vulnerabilities. The code authentication system is very common, used everywhere on various sites and can connect for both primary and secondary login.

4. - bypass rate-limit by changing the IP address...
Many blockages are based on the restriction of receiving requests from IP, which has reached the threshold of a certain number of attempts to make a request. If you change the IP address, you can bypass this restriction. To test this method, simply change your IP using Proxy Server/VPN and you will see if the blocking depends on the IP.

5. - Bypass 2FA by spoofing part of the request from a session of another account...
If a parameter with a specific value is sent to verify the code in the request, try sending the value from another account's request. For example, when sending an OTP code, it verifies the form ID, user ID or cookie that is associated with sending the code. If we apply the data from the account settings where we need to bypass the code-verification (Account 1) to a session of a completely different account (Account 2), get the code and enter it on the second account, we can bypass protection on the first account. After rebooting the 2FA page should disappear. This is like another example.

6. - bypassing 2FA with the "memorization function"...
Many sites that support 2FA authorization have "remember me" functionality. This is useful if the user does not want to enter the 2FA code when logging into the account later. It is important to identify the way that 2FA is "remembered". This can be a cookie, a session/local storage value, or simply attaching 2FA to an IP address.

7. - insufficient censorship of personal data on page 2FA...
When sending an OTP code on a page, censorship is used to protect personal data such as email, phone number, nickname, etc. But this data can be fully disclosed in endpoint APIs and other requests for which we have sufficient rights during the 2FA phase. If this data was not originally known, for example we entered only the login without knowing the phone number, this is considered an "Information Disclosure" vulnerability. Knowing the phone number/email number can be used for subsequent phishing and brute force attacks.

8. - Impact of one of the reports:
Linking to other vulnerabilities, such as the previously sent OAuth misconfiguration #577468, to fully capture the account, overcoming 2FA.
If an attacker has hijacked a user's email, they can try to regain access to the social network account and log on to the account without further verification.
If the attacker once hacked into the victim's account, the attacker can link the social network to the account and log into the account in the future, completely ignoring 2FA and login/password entry.

9. - Everybody is so confident in the reliability of 2FA that they use it for the most demanding operations - from Google authorization (which is instant access to mail, disk, contacts and all the history stored in the cloud) to client-bank systems.

The ability to bypass such a system has already been demonstrated by the Australian researcher Shubham Shah.

In early 2019, Polish researcher Piotr Duszyński made Modlishka reverse proxy available to the public. According to him, this tool can bypass two-factor authentication...

10. - A security breach was discovered by the leading hacker at KnowBe4, Kevin Mitnick. The new exploit allows you to bypass protection with two-factor authentication (2FA). An attacker can direct a user to a fake authentication page, thus gaining access to the login, password, and cookie session.

11. - The "ethical hacker" Kuba Gretzky developed the evilginx tool to bypass two-factor authentication. The system uses social engineering principles, and can be directed against any site.

12. - Two-factor authentication mechanisms are not reliable enough. Shortcomings in the implementation of such mechanisms are found in 77% of online banks.

13. Nothing new, the issue of hacking into the 2FA mechanism was commented by Pavel Durov himself.  The mechanism is simple, here it is:

1. Interception of SMS by various means.

2. Login to your account on a new device or web version of Telegram.

3. Resets two-factor authentication via tied mail.

4. Mail is "opened" by receiving the same sms through the "Forgot Password" button (you will be lucky if the numbers do not match).

5. We enter the mail and enter the code in Telegram.

6. We open all chats, groups and not remote correspondence, except for secret chat rooms (green chat rooms with a lock).


So what are we doing?
We're waiting for 3FA, 4FA... PFA or looking for technology, options for new password-free authentication methods?
62  Bitcoin / Bitcoin Discussion / Re: Keyless encryption and passwordless authentication on: March 15, 2020, 09:10:32 AM
In the world where hackers and such exist, I don't think keyless and passwordless authentication is possible yet. I'm not even satisfied with how fingerprint and face detection work yet especially if it involves a huge amount of money. I can't even think of a good security measure to counter those hackers, honestly. Even if there's a lot of security measures involved they are still able to hack accounts in just a few clicks.


With the world of cryptocurrency, many people have much money on their digital wallets; for the safety of the users, the developers make a hashing of the passwords before the passwords are not encrypted; it was just a verification for the user's authenticity for having good security. They make the passwords harder and not prone to hacking they use the hashing to make a different text, numbers, and symbols combined together, and this is the essential thing today if you want to develop a website and system. But the hackers are ethical too, so the developers make another way of encryption this is the two-way authentication that sends the code to their users and verifies by the computer.
I do not really think that this can happen because when I've started here passwords are really important because it makes your wallet really secured and to avoid also from hacking. Maybe because of technology is keep on innovating this can happen but I can say that password is still important to every wallet, it makes your money secured.
To me, it doesn't make sense. Yet. I just don't understand how you can identify someone without knowing at least one detail about them. 2FA (time based) works on a secret and the current time, changing every 30 seconds.

Encryption, works on a key, whether that's a shared secret key, or a public/private keypair.

Yes, the only problem with that is when they steal your 2fa privkey at the time of creation, or when your device time isn't exactly in sync, or when the user loses the privkey (because GA was in the stolen phone, etc)...

To me 2fa is not an excuse to replace a solid good randomized password made with a decent password manager (not online sites, free open source software) that also uses a very good password running in a secure OS unlikely to have random malware of the week sniffing.

Passwordless solutions have always been defeated at some point, they are way too dangerous. You can do a "one time", and then go asymmetric like with SSH you add public server keys to your client and never input login passwords again, but only if your OS is secured.

And very likely some of the passwordless proposals include fingerprinting you to the point of uniqueness. What happens when THAT info falls into the wrong hands? Same as with KYC/AML.
Indeed, using 2FA authenticator really makes your money safe so even if it is not convenient I will still support a project or wallet that has this kind of stuff to make my money safe. I will not risk my own money supporting a wallet that has no encryption and authentication. It can make hackers easy to hack your wallet account. But we cannot say that this is not possible, maybe in the future, they can produce a wallet like that but there must be security information that is needed like making other stuff other than authentication.
-------------------------
The modern protection system is a modern protocol, a set of instructions on the technologies underlying these protocols.
The main technology underlying the security systems is cryptography.
Cryptography, any system, is built on the methods of using the key, which is used as the instruction needed to configure individual (for this key) encryption algorithms.
Therefore, any protocol based on modern cryptography will always ask you for the key, password, biometric identifiers, which are essentially the same password, password-constant, it cannot be changed.

As soon as you build a system that has a weak link in its foundation - a password or key, so prepare yourself immediately for the fact that scammers will not break you in the forehead, they will look for access to keys and passwords.

Modern cyber crime research, their statistics, reports from companies dealing with this issue, even a Microsoft report - all this clearly shows that keys and passwords are almost always stolen.

Any security system, the most sophisticated and modern, even postquantum ones, if based on passwords or keys, will have a vulnerability in this very weakest link - the key (password).

Only keyless encryption systems will allow to build more reliable security systems.

So, on this subject, today the press writes:
"Last month, ThreatFabric discovered the first ever malware to steal two factor authentication codes generated by Google Authenticator. The researchers named the malware Cerberus. Cerberus is a hybrid of the banking trojan and remote access trojan (RAT) for Android devices. After infecting the device with the bank trojan functions, the malware steals bank data. If the victim's account is protected with Google Authenticator's two-factor authentication mechanism, Cerberus acts as a RAT and provides its operators with remote access to the device. Attackers open the Google Authenticator, generate a one-time code, take a screenshot, and then access the victim account. According to researchers at Nightwatch Cybersecurity, Google could have fixed the problem back in 2014, after a GitHub user wrote about it, but didn't do so. The problem remained unsolved in 2017, when Nightwatch Cybersecurity reported it to the company, and remains so today."

What's next?
63  Bitcoin / Hardware wallets / Re: Is the hardware wallet really safe? on: March 10, 2020, 09:08:19 AM
Interesting revelation.
On the subject of which wallet to use, I would add the following.

When using any wallet you choose, you should always take extra precautions:   
1. Your wallet should be used from 1 of your devices. It is not recommended to use it from 2 or more devices.
2. From that one device which is used for work with a purse it is impossible to perform any other operations in a network, namely:
- never go to your email account;
- do not use GSM connection (this one device must not be your phone at the same time);
- don't have any messengers on it (!);
- only a clean licensed operating system;
- do not use (not once!) social networks (!!!!) in any form, no;
- do not put any antivirus;
- do not browse, never visit any sites (!), it is desirable not to use Google search, known American or unknown Chinese search engines (frankly speaking, I do not know what is safe to use);
3. never access the network from this device without a VPN (or TOR), not displaying your IP on the network.
4. Do not use an Internet access point if at least one other (your) device, home IOT devices, is connected to this access point.

Can you do all this in your real life? I don't think so.

Unfortunately, these are the most superficial security measures. They are not able to protect you 100% from programs stealing your manual movements on the screen of your device (stealing passwords and so on confidential data), because there are known vulnerabilities right in the devices you buy. And the more widespread your device is in the world, the greater the danger it can contain.

I won't lay out all the information on this issue, pay attention at least to the most obvious - Samsung's products, I won't write anything, who is interested in finding the last revelations at the end of 2019 and making conclusions himself.

In general, your safest hardware wallets are really the safest until you start using them. That's when the screen of your device - become the object of increased interest to spyware in your device, sometimes installed there - even before you buy it in the store.

Be vigilant!
Do not trust anyone.
Unfortunately...
64  Bitcoin / Development & Technical Discussion / Re: Bitcoin’s race to outrun the quantum computer on: March 10, 2020, 05:44:39 AM
Quantum chip solves ‘travelling salesman’ problem for 22 cities
https://www.electronicsweekly.com/news/research-news/quantum-chip-solves-travelling-salesman-problem-22-cities-2020-01/
'''According to the university, this is “something that would take about 1,200 years for a high-performance von Neumann CPU”, but the chip “can solve the travelling salesman problem for 22 cities instantly” until now using quantum processing it “has only been able to solve the travelling salesman problem involving a maximum of 16 cities”.
A quantum annealing computer is not a full-blown quantum computer, of the type that could crack encryption for example, which no one has yet made – or if they have, they are keeping quiet about it.'''

It's an interesting development, but yes, a quantum annealing computer can't be used to break cryptography, and will never threaten bitcoin. The annealing approach is more for problems where there are a huge number of possible solutions, and we're just looking for one that is sufficient out of that multitude of possibilities.

The biggest threat to bitcoin from quantum computing, as I've outlined previously, is the use of Shor's algorithm against re-used addresses:

Quote
Re-used BTC addresses are 100% vulnerable to QCs.
Address Re-Use. Simply, any address that is re-used is 100% vulnerable because a QC can use Shor’s algorithm to break public-key cryptography. This is a quantum algorithm designed specifically to solve for prime factors. As with Grover’s algorithm, the key is in dramatically reducing the number of computational steps required to solve the problem. The upshot is that for any known public key, a QC can use Shor’s approach to derive the private key. The vulnerability cannot be overstated here. Any re-used address is utterly insecure.

... but a quantum annealing computer (the type that is used above for the Travelling Salesman problem), is not going to run Shor. For that you need a universal gate QC, which is generally what we mean when we refer to a 'quantum computer'. I remember all the fuss about D-Wave, but the mainstream media tended to overlook the fact that D-Wave is an annealer, not a fully-fledged UG-QC.

My opinion:
Quantum computers will surprise the Bitcoin community..


My opinion is actually the exact opposite. I think that crypto developers, certainly for the big coins, and most definitely for bitcoin, are well aware of potential threats from quantum computers, and are actively developing safeguards.
We've covered previously and in considerable depth what QCs can and can't do. Asymmetric cryptography is massively vulnerable, but symmetric cryptography far less so -particularly AES256, as discussed above. It's a common misconception, perpetuated by mainstream media, that QCs instantly break all types of cryptography in all circumstances, when that is clearly not the case. QCs are great for certain specific types of problem, but it's technology, not magic, and it has limitations.

I am some random uninformed idiot posting opinions on a web forum, and even I am aware of what QCs can and can't do, and of the nature of their potential threat to cryptocurrencies in certain situations. People far smarter than me are developing these coins, and I'm absolutely certain that they are on top of the QC question. This is why I am convinced that the threat of QCs will not come as a surprise.
----------------------------
What exactly are the dangers of quantum computing today, which is not there now, but can be tomorrow?
It's very simple and consistent.
My answer is this.

I'll talk about global danger, the danger to most cases, not to one person.

All protection protocols, we will talk only about cryptographic methods of protection, built on a principle:
1. Asymmetric cryptography is the first step in any protocol to agree on a common session key for symmetric cryptography.
2. The second step is symmetric cryptography encryption, where secrets are encrypted securely (AES).

Why is a quantum computer dangerous today that will work far tomorrow?

Because all of our encrypted messages are stored.
Details:
- those encryptions that are very interesting - stored many times, it's communication between interesting and big people of our time;
- all other messages are also stored, just in case, they can be interesting, probably.

Now how quantum cheaters will work:
1) they will only crack the first stage of the encryption protocol - only asymmetric cryptography, where the shared session encryption key was encrypted. That's it.
2) They use the resulting key to quietly read the AES cipher, the second step of the encryption protocol.

And now, everything falls into place: AES-256, the symmetric system, is not cracked, and RSA (with any length of key) or ECC (with any length of key), the asymmetric system is cracked without a doubt, even by very weak, first quantum computers.

That's why everyone is so concerned, that's why post quantum asymmetric encryption systems are already needed.

Yes, not all people encrypt good messages, there are so many that lead two lives at once and one of those lives is very bad.
But the bad thing is to read and decide what's bad and what's good will be guys with the same questionable reputation as the first ones.

Here is the real vulnerability of all the key encryption methods: everything secret, sooner or later, becomes known and not secret.

This vulnerability is completely devoid of new keyless encryption systems.
65  Bitcoin / Development & Technical Discussion / Re: I don't believe Quantum Computing will ever threaten Bitcoin on: March 10, 2020, 05:31:25 AM
Re: I don't believe Quantum Computing will ever threaten Bitcoin

McAfee’s chief technology officer: Start protecting against quantum computing hacks now
https://venturebeat.com/2020/02/25/mcafee-start-protecting-against-quantum-computing-hacks-now/
McAfee’s chief technology officer warned that it’s time for companies to start worrying about quantum computing attacks that can break common forms of encryption available today, even if quantum computing isn’t going to be practical for a while.
Grobman said. “Now I know what you are thinking: Quantum is not coming anytime soon. But we can’t think of quantum in terms of eventually or tomorrow."
“We need quantum-resistant algorithms as soon as possible,” Grobman said.

-------------------------------------
What exactly are the dangers of quantum computing?
It's very simple.
I'm talking about the global, the danger to a lot of people, not to private cases.

All protection protocols, I'm talking about cryptographic methods of protection, built on a principle:
1. Asymmetric cryptography is the first step in any protocol to agree on a common session key for symmetric cryptography.
2. The second step is symmetric cryptography encryption, where secrets are encrypted securely (AES).

Why is a quantum computer dangerous today that will work far tomorrow?

Because all of our encrypted messages are stored.
Details:
- those encryptions that are very interesting - stored many times, it's communication between interesting and big people of our time;
- all other messages are also stored, just in case, they can be interesting, probably.

Now how quantum cheaters will work:
1) they will only crack the first stage of the encryption protocol - only asymmetric cryptography, where the shared session encryption key was encrypted. That's it.
2) They use the resulting key to quietly read the AES cipher, the second step of the encryption protocol.

And now, everything falls into place: AES-256, the symmetric system, is not cracked, and RSA (with any length of key) or ECC (with any length of key), the asymmetric system is cracked without a doubt, even by very weak, first quantum computers.

That's why everyone is so concerned, that's why post quantum asymmetric encryption systems are already needed.

Yes, not all people encrypt good messages, there are so many that lead two lives at once and one of those lives is very bad.
But the bad thing is to read and decide what's bad and what's good will be guys with the same questionable reputation as the first ones.

Here is the real vulnerability of all the key encryption methods: everything secret, sooner or later, becomes known and not secret.

This vulnerability is completely devoid of new keyless encryption systems.
66  Bitcoin / Bitcoin Discussion / Re: Keyless encryption and passwordless authentication on: March 09, 2020, 11:46:56 AM
In the world where hackers and such exist, I don't think keyless and passwordless authentication is possible yet. I'm not even satisfied with how fingerprint and face detection work yet especially if it involves a huge amount of money. I can't even think of a good security measure to counter those hackers, honestly. Even if there's a lot of security measures involved they are still able to hack accounts in just a few clicks.


Indeed, using 2FA authenticator really makes your money safe so even if it is not convenient I will still support a project or wallet that has this kind of stuff to make my money safe. I will not risk my own money supporting a wallet that has no encryption and authentication. It can make hackers easy to hack your wallet account. But we cannot say that this is not possible, maybe in the future, they can produce a wallet like that but there must be security information that is needed like making other stuff other than authentication.
-------------
In password authentication systems - there are passwords, there are numeric identifiers. 2FA is a way of combining your permanent numeric identifier (e.g. password) and a variable (e.g. code in a text message that is not repeated anymore). The essence has not changed, the response time of the cheater has changed and the complexity of the attack.

But cheaters are surprisingly easy and differently vector to cope with it.

Any 2FA - easy to break, especially if the second factor is your smartphone! SMS - much easier to capture than to find out your master password.

You need the next step, 3FA, 4FA ... - playing cat and mouse, not solving the authentication problem.
Only passwordless authentication, real authentication without a password, not a temporary password like 2FA, is the solution.

For those who trust 2FA, this is the material:

1. scammers have learned to intercept SMS with security codes sent by banks and withdraw all the money that is on the card. Not so long ago this way in Germany cybercriminals pulled off a major operation to steal money from credit cards of hapless users.
It should be noted that 2FA via SMS has already been officially recognized as an unsafe authentication method due to unrecoverable vulnerabilities in Signaling System 7 (SS7), which is used by cellular networks to communicate with each other.
A few years ago Positive Technologies specialists showed how SMS is intercepted.

2. In fact, the assumption of inconvenience (and insecurity) was confirmed by Grzegorz Milka, the same speaker from Google. The Register journalists asked him why Google will not enable two-factor authentication by default for all accounts? The answer was usability. "It's about how many users will leave if we force them to use additional security."
That's a good, honest answer.

3. Even before I started studying IT security science, I thought 2FA authentication was a guaranteed way to secure my account and no "these hackers of yours" could, say, steal my internal currency to buy... on your account. But over time, it has been proven by experience that a two factor authentication system can have many vulnerabilities. The code authentication system is very common, used everywhere on various sites and can connect for both primary and secondary login.

4. - bypass rate-limit by changing the IP address...
A lot of blockages are based on the restriction of receiving requests from IP, which has reached the threshold of a certain number of attempts to make a request. If you change the IP address, you can bypass this restriction. To test this method, simply change your IP using Proxy Server/VPN and you will see if the blocking depends on the IP.

5. - bypassing 2FA by substituting a part of the request from a session of another account...
If a parameter with a certain value is sent to verify the code in the request, try sending the value from the request of another account. For example, when sending an OTP code, it verifies the form ID, user ID or cookie that is associated with sending the code. If we apply the data from the account settings where we need to bypass the code-verification (Account 1) to a session of a completely different account (Account 2), get the code and enter it on the second account, we can bypass protection on the first account. After rebooting the 2FA page should disappear.
This is like another example.

6. - bypassing 2FA with the "memorization function"...
Many sites that support 2FA authentication have "remember me" functionality. This is useful if the user does not want to enter the 2FA code when logging into the account later. It is important to identify the way that 2FA is "remembered". This can be a cookie, a session/local storage value, or simply attaching 2FA to an IP address.

7. - insufficient censorship of personal data on the 2FA page...
When sending an OTP code on a page, censorship is used to protect personal data such as email, phone number, nickname, etc. But this data can be fully disclosed in endpoint APIs and other requests for which we have sufficient rights during the 2FA phase. If this data was not originally known, for example we entered only the login without knowing the phone number, this is considered an "Information Disclosure" vulnerability. Knowing the phone number/email number can be used for subsequent phishing and brute force attacks.

8. - Impact of one of the reports:
Linking to other vulnerabilities, such as the previously sent OAuth misconfiguration #577468, to fully capture the account, overcoming 2FA.
If an attacker has hijacked a user's email, they can try to regain access to the social network account and log on to the account without further verification.
If the attacker once hacked into the victim's account, the attacker can link the social network to the account and log into the account in the future, completely ignoring 2FA and login/password entry.

9. - Everybody is so confident in the reliability of 2FA that they use it for the most demanding operations - from Google authorization (which is instant access to mail, disk, contacts and all the history stored in the cloud) to client-bank systems.

The ability to bypass such a system has already been demonstrated by the Australian researcher Shubham Shah.

In early 2019, Polish researcher Piotr Duszyński made Modlishka reverse proxy available to the public. According to him, this tool can bypass two-factor authentication...

10. - A security breach was discovered by the leading hacker at KnowBe4, Kevin Mitnick. The new exploit allows you to bypass protection with two-factor authentication (2FA). An attacker can direct a user to a fake authentication page, thus gaining access to the login, password, and cookie session.

11. - The "ethical hacker" Kuba Gretzky developed the evilginx tool to bypass two-factor authentication. The system uses social engineering principles, and can be directed against any site.

12. - Two-factor authentication mechanisms are not reliable enough. Shortcomings in the implementation of such mechanisms are found in 77% of online banks.

13. Nothing new, the issue of hacking into the 2FA mechanism was commented by Pavel Durov himself.  The mechanism is simple, here it is:

1. Interception of SMS by various means.
2. Login to your account on a new device or web version of Telegram.
3. Resets two-factor authentication via tied mail.
4. Mail is "opened" by receiving the same sms through the "Forgot Password" button (you will be lucky if the numbers do not match).
5. We enter the mail and enter the code in Telegram.
6. We open all chats, groups and not remote correspondence, except for secret chat rooms (green chat rooms with a lock).

So what are we doing?
We're waiting for 3FA, 4FA... PFA or looking for technology, options for new password-free authentication methods?

And we're not confused, these methods have nothing to do with biometric...
67  Bitcoin / Bitcoin Discussion / Re: How long will existing encryption last? on: March 09, 2020, 10:37:42 AM
Nobody really knows for sure, but there is one thing you can be sure of, there are quantum computers out there right now as we speak. The ones that we definitely know of are D-wave systems quantum computers, which are commercially available and have several big name clients who have purchased a computer from them. There's really nothing to worry about as far as quantum computers go because they are an infant technology and are limited to specific functions only, but the real trouble starts when they gain more general function, that's when you arrive at the realization that the existing encryption is on its way out the door, old news, good bye.
Really, I only knew that one from you. If that was really then it would be amazing somehow because we don't need to worry more. Based on my research most people really don't know if encryption will last or not because no one controls it.
--------------------------
The existing encryption is not under anyone's control.
There is a general consensus, there is certification, there is advertising, it is enough for everyone to be vigilant.
This is used by large companies using their authority to produce products based on publicly available encryption libraries.
Small companies mistakenly think that what big companies have done is 100% correct and they do the same.
And so the whole world is connected by a chain of authoritative opinions, a pyramid from one "guru" to all ordinary people.
This is a system of general trust, on which the security for ordinary users is built.
Very few brave people who understand themselves, make their own conclusions, come to the essence, but make mistakes themselves.

It's good to be able to dig that deep.
And if you're not, if you don't even have time for it, what do you do?
I'm trying to find the answer to that question.

In my opinion, the only thing left to us who have not studied cryptography is to draw conclusions by getting indirect information, namely:
- why is there domestic cryptography and government cryptography?
- why in household cryptography the system of encryption at the level of algorithms is not updated, and in government cryptography it is obligatory?
- why are they so stubbornly searching for replacements for existing systems rather than just increasing the length of the key?

And here's another thing that can happen to those who believe in this general trust system:
- the Swiss government has filed a complaint in a criminal case against the CIA for using a Swiss supplier of encryption equipment to intercept communications from 120 governments over 50 years. The encryption products supplied by Crypto AG contained backdoors allowing the US and German intelligence agencies to easily read encrypted correspondence.

The security system, built on trust, which now exists in the world, seems to have collapsed completely.

Key-based encryption systems will never provide security for the average client, the average user, because it is the keys that will be stolen, this is the easiest way, because encryption algorithms are known and established as a constant.
68  Bitcoin / Bitcoin Discussion / Re: Keyless encryption and passwordless authentication on: February 10, 2020, 08:10:55 AM
Password less authentication ?
Okay so what do you think would be used instead of a password ?
Fingerprint ?
Face lock ?
Voice recognition ?
The authenticator by Google?
----
Except the last one , I do believe each and everyone of them comes with a fault , come on one can actually do something to a person to connect with the device .. unfortunately us traders hold most in our mobile phones and I do think not just passwords , but everything at once all the things that I listed are not enough too  Smiley you can never be more secure .
------------------
Authentication without a password does not mean that you do not have a password.
I take it it's not clear, what's the difference and what's new with this technology?

What's new here is that you only use a password once when you register on a site (like a site).
Password, of any complexity - for a site always looks different for you, it looks like a digital code. And the numerical code - by appearance of which it is impossible to find out your password.
This is a so-called one-way cryptographic function, which makes from your alphanumeric password - a hash, a numeric identifier by which your device will be recognized, not you.
Regardless of whether you enter the password manually, or if the password is written in a program (e.g. in a browser) and the browser enters it itself, the server will identify you as "the device that provided your numeric identifier". Dot.
No identification is made.
Proof:
- If a fraudster enters your password, the server will be more than happy to identify you.

So, password technology is dangerous. And above all it is dangerous because you have a permanent digital identifier, which is produced by a one-way function from your "password" is always the same. A scammer does not need to guess your password, it is enough to have this numeric identifier.

For this reason, all biometric identifiers are a form of password, but they are even more insecure than a password, because they are very easy to forge.

Some banks even refuse to serve customers that prove themselves not by a password, but by biometrics.

These are all technologies based on your permanent digital identifiers, no matter how they are obtained.

They are stolen, tampered with, guessed (passwords) and cheated by the server.

The idea of passwordless authentication is based on your ever-changing numeric identifier. But not as primitive as Google did - every 30 seconds, and at another higher level - at the level of every packet of data, at the level of keyless encryption technology.
   
You don't enter your password a second time. If you want, you can confirm yourself with an additional password or your biometric data.
But this is additional, not basic confirmation.  In this variant, if your password is stolen, nothing will work for the swindler.  Because the server before entering the password, identifies you in the face of your device, as its user.

And one more thing.

If your password or your numeric identifier is stolen - it is not a given that you will immediately find out about it, it can be done remotely.

But if I steal your device, you will immediately notice it and take action.
Moreover, you cannot steal your device remotely.
It's a fact.
69  Bitcoin / Bitcoin Discussion / Re: How long will existing encryption last? on: February 09, 2020, 11:04:51 PM
I read earlier today that it would take approximately 2,500 qubits of quantum processing power to successfully break the encryption of an SHA-256 private key.

Since Google only has a 72 qubit Q-computer, and it has taken a decade to reach this point, then a 2,500 qubit quantum processor appears to be approximately 7 years away.

With that said, this will still likely be a super specific system, so I doubt it would actually be used to identify the links between public and private keys.

If that is the case, I highly doubt it would be possible, because algorithms run by quantum computers are totally different, if they tend to break the encryption of bitcoin, they need to use the same algorithm that classical computers use, but with a bigger processing power, but who knows about it, I highly believe that even before a 2,500 qubits of quantum computing power would be invented, quantum computers do already generate a whole new set of encryption that will make it harder for quantum computers itself to break.
---
Quantum computers cannot generate new encryption.
It is just a tool in human hands, not smart machines that can encrypt better than classic, ordinary, modern computers.
But they can decrypt, crack and do cryptoanalysis. Well, at the very least, they can do the whole thing, the brute force attack.
A new encryption, which should be absolutely stable against quantum computers, is now being generated by the best minds of mankind. And new encryption technologies will only work on ordinary computers, on our consumer digital devices.
But the problems of stealing encryption keys, the vulnerabilities that are exploited today, will also be relevant for all new postquantum encryption technologies without exception.
The only global method that eliminates these flaws is the keyless encryption technology that may emerge in the near future.
70  Bitcoin / Bitcoin Discussion / Re: Keyless encryption and passwordless authentication on: February 09, 2020, 10:04:07 AM
To me, it doesn't make sense. Yet. I just don't understand how you can identify someone without knowing at least one detail about them. 2FA (time based) works on a secret and the current time, changing every 30 seconds.

Encryption, works on a key, whether that's a shared secret key, or a public/private keypair.
-Yes, you're right, to identify someone, that someone must have a personal ID.
The idea of keyless encryption, and the idea of passwordless authentication does not violate this principle, the principle of having a personal identifier that allocates one of all.
On the contrary, this idea - has received unexpected development from the point of view of logic, from the point of view of the theoretical concept on which all this technology is built.
If in a conventional system, a password authentication system, you have the same password until you change it yourself, you have the same identifier, a digital identifier that can be stolen at any time and used on your behalf.
Option with a 30-second change of Google's incremental entry to your password (cryptographic salt and hashing amount) - I don't discuss it because the idea is diluted by the time factor, but not fundamentally changed.
We propose a radical change to the idea of password authentication (which automatically means using keyless encryption, I'll explain why this is the case later), which is in this protocol:
1. The client registers, designates himself and gets his digital ID;
2. gets its first authentication, and therefore authorization (obtaining the rights of its account);
3. Connects a keyless encryption technology that changes the encryption key for each packet of data, which is completely similar to the lack of a key, in fact, only the encryption scheme always changes, the word key is from the old concepts of encryption, but so far familiar to our hearing; 
----------------------------
Important - the encryption scheme changes for each new packet of data, not for the time. For each and every one of them, both sent and received. For 1 data packet, for example, for every 256 bits of information encrypted in the packet. The law of changing each bit is different and has 256 values. If you like the word key, it means the key for every single bit. This is a complete analogy to the Vernam cipher. The encryption process, in the most recent round 8, uses disposable binary tape. And it's not the main encryption round, it's an auxiliary one. The basic elements of vector-geometric, keyless encryption technology are completely different, see the diagram above in my posts.
------------------------------
4. now your identifier has floated, it has started its infinite digital voyage, it is now a variable, a variable for every packet of sent data. The server doesn't know in advance what it's going to be. And you don't know ahead of it. Forward, it means forward to the normal human reaction time, like the next second. All that your encryption system and the symmetric encryption system on the server know is how to form a new data packet. For this reason - stealing the encryption scheme (there is no key, you can't steal the key) that is used to encrypt the current data packet - doesn't make sense, because the cheater will never have time to use it until he processes it - the encryption scheme changes many thousands of times.

This is the root of the idea of passwordless authentication - in a constantly, continuously changing, variable identifier. 
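An added example, not the poster's scheme and not code from the thread: it contrasts the fixed password-derived identifier described in the two "Keyless encryption and passwordless authentication" posts above with the 30-second time-based code the quoted reply mentions and with a tag that changes for every packet. Because the posts do not specify their own construction, it assumes standard HOTP/TOTP (RFC 4226/6238) and HMAC-SHA256 with a device-held secret; all function and class names and all sample values are constructed for illustration.

```python
"""Added illustration: fixed identifier vs. 30-second code vs. per-packet tag."""
import hashlib
import hmac
import struct


def static_identifier(password: str, salt: bytes) -> bytes:
    """Fixed identifier: the same password and salt always give the same bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step)


def packet_tag(secret: bytes, counter: int, payload: bytes) -> bytes:
    """Per-packet identifier (assumed construction): HMAC-SHA256(counter || payload)."""
    message = struct.pack(">Q", counter) + payload
    return hmac.new(secret, message, hashlib.sha256).digest()


class StaticServer:
    """Accepts whoever presents the stored fixed identifier."""

    def __init__(self, identifier: bytes):
        self._identifier = identifier

    def login(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self._identifier)


class PerPacketServer:
    """Accepts each counter once and only in strictly increasing order."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_counter = -1

    def accept(self, counter: int, payload: bytes, tag: bytes) -> bool:
        if counter <= self._last_counter:
            return False  # replayed or stale packet
        expected = packet_tag(self._secret, counter, payload)
        if not hmac.compare_digest(tag, expected):
            return False  # tag was computed for another counter or payload
        self._last_counter = counter
        return True


def run_demo() -> dict:
    """Run the three cases on constructed sample values and return the outcomes."""
    salt = b"constructed-salt"
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    payload = b"constructed request"

    # Case 1: a fixed identifier, once captured, is accepted again unchanged.
    identifier = static_identifier("constructed password", salt)
    static_server = StaticServer(identifier)
    captured = bytes(identifier)

    # Case 2: a 30-second code is identical for the whole time window.
    same_window = totp(secret, 30) == totp(secret, 59)
    next_window = totp(secret, 60)

    # Case 3: a per-packet tag is accepted once; replay and reuse both fail.
    server = PerPacketServer(secret)
    tag0 = packet_tag(secret, 0, payload)
    first = server.accept(0, payload, tag0)
    replay = server.accept(0, payload, tag0)
    reused = server.accept(1, payload, tag0)
    fresh = server.accept(1, payload, packet_tag(secret, 1, payload))

    return {
        "static_replay_accepted": static_server.login(captured),
        "totp_same_within_window": same_window,
        "totp_next_window": next_window,
        "packet_first_accepted": first,
        "packet_replay_accepted": replay,
        "packet_old_tag_new_counter_accepted": reused,
        "packet_fresh_accepted": fresh,
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The per-packet variant still depends on a secret held on the device and the server; what changes is that a captured identifier has no value after the packet it belongs to.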
71  Bitcoin / Bitcoin Discussion / Re: Keyless encryption and passwordless authentication on: February 07, 2020, 10:35:44 PM
Here's another, another example, confirming the failure of modern security systems based on key and password cryptographic protocols.
Obviously, for modern cryptography, including post quantum cryptography, the fact of having a key will level out any cryptography. Fraudsters always steal the keys, not crack the encryption.
We study the news carefully:
-
Officers of the Cyber Police Department of the National Police of Ukraine identified a 25-year-old local resident who had broken into and emptied cryptocurrency wallets.
Crypto wallets, not any others!
According to the press service of the Cyberpolice, the man was a participant in closed forums where he bought logins and passwords from crypto wallets. In addition, he purchased and modified malware to gain unauthorized access to protected logical systems of protection of Internet resources. With its help, the attacker gained access to accounts on cryptocurrency exchanges and withdrew funds.

This is the price for key protection systems - a paradise for scammers, and a fiction for users.

Here's a confirmation:

- During the search of the residence of the case, a laptop, a mobile phone and a computer were seized. A preliminary inspection of the equipment revealed that it contained malware and confidential data related to electronic payment systems, e-mail passwords and keys to cryptocurrency wallets.

Clearly, keyless encryption systems and passwordless authentication, if created, would be more secure than today's.
72  Bitcoin / Bitcoin Discussion / Re: How long will existing encryption last? on: February 07, 2020, 10:34:16 PM
Here's another, another example, confirming the failure of modern security systems based on key and password cryptographic protocols.
Obviously, for modern cryptography, including post quantum cryptography, the fact of having a key will level out any cryptography. Fraudsters always steal the keys, not crack the encryption.
We study the news carefully:
-
Officers of the Cyber Police Department of the National Police of Ukraine identified a 25-year-old local resident who had broken into and emptied cryptocurrency wallets.
Crypto wallets, not any others!
According to the press service of the Cyberpolice, the man was a participant in closed forums where he bought logins and passwords from crypto wallets. In addition, he purchased and modified malware to gain unauthorized access to protected logical systems of protection of Internet resources. With its help, the attacker gained access to accounts on cryptocurrency exchanges and withdrew funds.

This is the price for key protection systems - a paradise for scammers, and a fiction for users.

Here's a confirmation:

- During the search of the residence of the case, a laptop, a mobile phone and a computer were seized. A preliminary inspection of the equipment revealed that it contained malware and confidential data related to electronic payment systems, e-mail passwords and keys to cryptocurrency wallets.

Clearly, keyless encryption systems and passwordless authentication, if created, would be more secure than today's.
73  Bitcoin / Bitcoin Discussion / Re: How long will existing encryption last? on: January 27, 2020, 07:53:42 PM
This is a reply to an earlier post in this thread, but still relevant:

Still, the largest semiprime yet factored is only a 795 bit number, factored in November 2019.

The largest known prime as of January 2020 is more than 24 million digits long.
You've noticed correctly that this is the most famous example. What I don't like here, or rather a security concern:
1. And what examples do we not know?  What have mathematicians found, whose names do not appear in public publications?
2. it's a crude attack on 795 bit number, it's a crude force, it's not as effective as cryptanalysis as mathematical solutions, because in the schemes with public and private keys of the whole set of numbers, only prime numbers are involved in the encryption scheme.

If I concealed information that there are mathematical solutions to the problem of factoring and discrete logarithmization, I would contribute in every possible way to the spread of such information.
74  Bitcoin / Bitcoin Discussion / Re: How long will existing encryption last? on: January 27, 2020, 09:50:21 AM
Quantum computers will be integrated into the blockchain system. In this case, the existing encryption may change. Because enormous processing powers or super-superchargers may require the system to change. The most important thing for Bitcoin is encryption and speed.
What does it mean to introduce quantum computers into a locking system?
As for encryption, I agree, encryption will change. But the existing encryption can only change to some post quantum public key cryptographic system.
The fact is, all post quantum systems require more computing resources than the existing elliptic encryption.
That's why I don't understand how I can increase the speed. After all, today if you buy a cup of coffee for bitcoin, it will become cold while the calculation is done.
How can I increase the speed in the future?
75  Bitcoin / Bitcoin Discussion / Re: How long will existing encryption last? on: January 26, 2020, 09:15:08 PM
This is a reply to an earlier post in this thread, but still relevant:

The problem with vernam class ciphers is distribution of the pad or the keys. If one were to use 256 bit AES and distribute a bunch of keys way in advance to all parties that need it, that would be very close to the effect of a one time pad.

-----------
The reliability of a cryptographic system is determined by the reliability of its keys.
It makes no sense to use AES-256 (or a longer key length) to transfer keys - disposable notebooks, because the key length is equal to the length of the message, and Vernam's encryption reliability will drop to AES reliability.

The problem of generating disposable notebooks is solved by the technologies mentioned in my previous posts. It makes no sense to transfer a disposable notebook using any, even a post (double post) cryptography. If you want to make the most secure of all possible ciphers - the Vernam cipher - then your keys should never and never be transmitted, not even through the channels of quantum cryptography (solving the problem of common key coordination for a symmetric encryption system). It is connected with that fact, quantum communication is communication with the big errors, on small distances, and the quantum channel is easily muffled by hindrances. Besides, it supposes up to 11 % of information leakage. It's a huge drop in reliability relative to Vernam's cipher.

How to create identical disposable notebooks symmetrically, without necessity of their transfer on communication channels, to create Vernam's cipher, it is solved in technology of keyless ciphering and password-free authentication, in a variant of vector-geometrical model which author I am. We can talk about this topic in detail.
76  Bitcoin / Development & Technical Discussion / Re: Bitcoin’s race to outrun the quantum computer on: January 25, 2020, 10:03:12 AM
But the Vernam cipher method still needs that original authentication to start things off, right? I'll concede it may be me not understanding it properly, but the paper seems to skim over that a bit. If you have that initial 100% secure channel for authentication, then just use that for everything, you don't need anything else.
------------------
I think that as in the optical implementation of the OTP method, and just as in the QKD method, and just as in any other encryption method, there is always the issue of second party authentication. It is a question of verifying the other side of the communication.

But I do not think that the issue of authentication and the issue of having a closed, secret channel are the same thing.
Just the opposite, authentication must be done over an open channel in order to verify the originality of the conversation partner. If this confidence appears, then a closed channel based on encryption is established with the help of some kind of cryptography.

So, you're right, and the description of this method explicitly refers to the question of authenticating the conversation partner.

Now let's analyze what solutions we have now on this crucial issue.

We have numeric identifiers that are formed from either:
- A password that only the original interlocutor (Alice or Bob) presumably knows;
- biometrics, which ultimately always takes the form of a numeric code, a numeric identifier;
- keys that are not transmitted in the same pure form as a password or other, but as a numeric code obtained by a one-way cryptographic function;
- and so on.

And what in essence: - a constant digital code (one or more) digital code, digital identifier.

All these technological rudiments can be successfully used both in optical OTP, and in all advertised QKD.

All of them have the same drawback, from which neither quantum technology nor post quantum cryptography saves, it is a constant digital identifier.

Attacks are all similar as two drops of water, only come to us from different sides, always the same thing happens:
- stealing our digital identifiers;
- passwords;
- keys.

These attacks are only possible for one reason - because of the constant constants that identify us, identifying one user from the multitude of others.

Getting out of this enchanted circle, I see only one thing - variable numeric identifiers.
For example, your identifier has 256 bits of binary code.
If it changes all the time, but in such a way that only the party that has formed a closed channel with you knows about it (of course with normal encryption, not with quantum technological rudiments that are promoted and prepared for sale), it means it changes synchronously, then his stealing - it makes no sense.

And if your ID changes when you send each new packet of data, no one will ever even think about attacking your personal data.

I think that this kind of technology is possible, and the future belongs to it.
I call them: Keyless encryption and passwordless authentication technologies.
As an example of how to demonstrate the theoretical feasibility of such a communications channel and such technologies, I developed my own version, tested it, and came to the conclusion that it is not a utopia.
77  Bitcoin / Bitcoin Discussion / Re: How long will existing encryption last? on: January 24, 2020, 05:47:26 PM
From all the above, we can conclude that humanity lives by faith.
Modern cryptography is not an exception, but a confirmation of this rule.
The concept of encryption will live exactly as long as the absolute majority will trust this assumption.
It should be noted that the absolute majority of people do not understand anything about the problematic issues of modern cryptography and will never understand.
That's the way a person works. If he does not understand something, he does not try to understand it, but looks at people around him, who do not understand it as well as he does. And the herd feeling, the instincts, conquers everything else.
If someone separates himself from the herd and starts doing things differently from the majority, has his own opinion, he will be branded as he wants, no one will go into unpopular discussions about generally accepted things.

Long live modern cryptography, human delusions and herd mentality. In this religious atmosphere of trust, there is no place for reason.   
78  Bitcoin / Bitcoin Discussion / Re: How long will existing encryption last? on: January 23, 2020, 04:04:26 PM
Nobody really knows for sure, but there is one thing you can be sure of, there are quantum computers out there right now as we speak. The ones that we definitely know of are D-wave systems quantum computers, which are commercially available and have several big name clients who have purchased a computer from them. There's really nothing to worry about as far as quantum computers go because they are an infant technology and are limited to specific functions only, but the real trouble starts when they gain more general function, that's when you arrive at the realization that the existing encryption is on its way out the door, old news, good bye.
Really, I only knew that one from you. If that was really then it would be amazing somehow because we don't need to worry more. Based on my research most people really don't know if encryption will last or not because no one controls it.
-----------------
Information about the existence and use of working quantum computers - can not be publicly available, because in the world there is a global information confrontation, cyberwar.   
And like any war, there are secrets, secret developments.
Why do we always expect to be told everything, informed?
No, of course not.
Here's an example that confirms my speculation:
"Speculation on the subject intensified when NASA published a document on the site, but soon deleted (a copy available to ForkLog) a document with insider information about Google's success in the direction of the existence of a working model of a quantum computer and the company's achievement of "quantum superiority". In the media, the information was replicated by the authoritative British publication The Financial Times."

And it's still unclear why cryptography was separated:
- one cryptography for all of us;
- a second cryptography that we don't have access to.


Commercial cryptography must be based on the same standards around the world.
But state standards for cryptography are much better, they cannot be distributed anywhere, they will only be used within state structures.

And despite the high level of protection of state cryptography, they must be updated every five years (at the algorithmic level).

Then it is even more interesting.

Commercial structures should not have access to this algorithm itself. Thus, it will be possible to apply simultaneously public "commercial" algorithms - for us, simple and naive, and completely different algorithms for the chosen ones.

Of course, skeptics will immediately argue that state secrets are very serious, so the cryptography is different.

My answer to this is this: why, then, at the NIST open competition, which is held on the post quantum encryption systems, starting from 2015, are not accepted systems based on the same principles as modern RSA and ECC?

1. There was no direct threat from quantum computers back then.
2. Even then (2015) leading experts in cryptography warned that no key length would save modern commercial systems if at least one was cracked. This is a hidden explanation of the fact that these systems are afraid not of Shor's algorithms, which only simplify the complete search for the key, but the achievements of cryptanalysis.
3. Why all ECC patents from Koblitz and Menezes, previously purchased by the NSA, were forgotten without explanation when the results of research by UK mathematicians became known in 2016. This study was ordered by the NSA itself.

Koblitz and Menezes have every reason to consider themselves competent in the field of cryptography on elliptic curves, but they did not hear absolutely anything about new hacking methods that compromised "their" crypto scheme. So everything that happens around ECC amazed mathematicians extremely.
People who have close contacts with this industry know that large corporations that provide cryptographic tasks and equipment for the US government always get some kind of advance warning about changing plans. But in this case there was nothing of the kind.

Even more unexpected was the fact that no one from the NSA addressed the people from NIST (USA), who are responsible for the open cryptographic standards of the state.

The ETSI/IQC International Symposium on Quantum Secure Cryptography (in 2016), from which this story began, has several notable features.
Firstly, it was very solidly represented by the heads of important structures, special services of Great Britain, Canada, Germany. All these national special services are analogues of the American NSA. However, absolutely no one was mentioned explicitly from the NSA. And this, of course, is not an accident.

This event is interesting for the reason that there was a highly unusual report on behalf of the secret British secret service GCHQ (P. Campbell, M. Groves, D. Shepherd, "Soliloquy: A Cautionary Tale"). This is a report from the CESG information security division, which was personally made by Michael Groves, who leads cryptographic research at this intelligence agency.

It must be emphasized here that it is completely uncharacteristic for people from the British special services to talk about their secret developments at open conferences. However, this case was truly exceptional.

The story of the great cryptographer CESG speaking at the public symposium was extremely sparsely covered in the media, and the slides of articles and presentations about Soliloquy can only be found on the Web for those who know very clearly what they are looking for (on the ETSI website, where these files are exclusively found, there are no direct links to them).

Details can be found here, second post dated December 04:
https://bitcointalk.org/index.php?topic=5204368.40.

For these reasons, we conclude that there may be both unknown quantum devices and a secret mathematical apparatus that unambiguously compromises all modern commercial asymmetric cryptography.
79  Bitcoin / Development & Technical Discussion / Re: Bitcoin’s race to outrun the quantum computer on: January 22, 2020, 02:31:44 PM
The entire security system today, these are key encryption systems and password authentication technologies.

Scammers, government, corporations are the ones on the other side, not ours. We're the victim to them, they're hunting us, we're defending ourselves against them. It's the real picture.

They're not hacking into cryptography, they take our keys and passwords and use them.

What was suggested above is encryption systems where the keys are variables, not stored, not used twice and not transmitted over any communication channels.
Option 1 is an almost keyless system:
https://www.nature.com/articles/s41467-019-13740-y.
Option 2 is a completely keyless system:
https://bitcointalk.org/index.php?topic=5204368.0.

They have the future behind them.
And today:
Penetration and surveillance systems are evolving.
There is an accumulation of data on all users without exception.

Such exotic attack vectors are also used to capture information about passwords and keys:
- the level of power consumption;
- the sound of keystrokes (the information is taken remotely from window panes - by laser);
- electromagnetic background of the monitor, allowing at a distance (about 300 meters) to determine the area of the mouse movement on the screen or move the active items "menu" windows;
- modulation of electromagnetic radiation at the points of mechanical contacts of electrical connectors (for example, a 3.5 jack from a headset inserted into the device, modulates the useful signal to the frequency of radiation of the device processor and successfully demodulates at a distance);
- capturing information from the LED that signals system access to the PC hard drive (via hidden spyware pre-installed on the PC). This is what the Israeli security services did with the help of a drone helicopter, which captures information through a window from the hard drive LED at speeds up to 6000 bits per second;
- a two-way communication channel established by means of ultrasound through conventional acoustic devices - speakers, a portable device or a personal computer.
Interestingly, a normal speaker, notebook, even a modern smartphone, is able to not only emit in the ultrasonic range (above 22 kHz), but also act as a microphone for such signals.

In general, the situation with our personal security is not only bad, but it is also deteriorating.

That's why, when developing keyless encryption technology, all possible attacks on third-party channels should be taken into account.
80  Bitcoin / Bitcoin Discussion / Re: How long will existing encryption last? on: January 21, 2020, 07:01:31 PM
Let's continue the topic of vulnerability.
We're probably hiding the fact that any modern device is vulnerable, total and inevitable, it's a competition in which we users are inventory.

I argue that there is no point in having modern cryptography if you always have a 100% vulnerability through keys, passwords and other technological rudiments.

Once you have entered a password into such a device, you have lost it, and no matter what, you will never know.

What's more, exploited at a new level, software vulnerabilities that allow you to compromise your system without the user being involved (for example, without the victim clicking on a malicious link) are of great interest to scammers.

The experts from Google Project Zero, who have devoted several recent months to studying this issue, are no exception.
We are watching.
On Thursday, January 9, security researcher Samuel Gross from Google Project Zero demonstrated how an Apple ID alone is enough to remotely hack an iPhone, access passwords, messages, emails and activate a camera with a microphone in a matter of minutes.

The researcher described his attack method in three separate articles on the Google Project Zero blog. The first one provides technical details on the vulnerability, the second one on the ASLR hacking method, and the third one explains how to remotely execute code on the device under attack bypassing the sandbox.
"The research was mainly motivated by the following question: is it possible to remotely execute code on an iPhone using the remote memory corruption vulnerability alone without using other vulnerabilities and without any interaction with the user? A series of publications on this blog proves that it is indeed possible," Gross said.

What do you think of the traditional security concept after reading this news?