Identity manager in the making - your thoughts?

[jeph3]

We’ve been working for a few months now on a tool to change the way people sign in online and keep their personal information secure.

This is our first step towards a decentralized identity solution. We want to create something useful, so we’re keen to get some initial feedback: https://lynxid.tech

What do you think - does it look like we are heading down the right path?

[AT101ET]

Can you explain the idea please?
What makes it decentralised and how is it different from 2FA?
I was also wondering what would happen if someone was to have access to your phone. Surely the App should be password protected every time it is opened (something like using Touc ID or Face ID).
Just some constructive criticism: The name and domain name aren't great. I'd change it something more unique and something that can help people identify your brand. Personally I was constantly thinking of he other LYNX while looking at your website.

[jeph3]

Hi AT101ET, thanks for the feedback!

This is our first version that is akin to a form filler/password manager, but our mission is to create an ethereum-based self sovereign identity hence the decentralized property.

This system uses principles related to 2FA (something you know (passcode)/something you are (touch id) and something you own (phone)) then signs a challenge issued by the website to authenticate yourself.
Your data is encrypted on your phone and protected by the phone’s keystore/keychain (passcode) or touchid.

For the name, do you have any suggestions?

[TryNinja]

This is our first version that is akin to a form filler/password manager, but our mission is to create an ethereum-based self sovereign identity hence the decentralized property.

This system uses principles related to 2FA (something you know (passcode)/something you are (touch id) and something you own (phone)) then signs a challenge issued by the website to authenticate yourself.
Your data is encrypted on your phone and protected by the phone’s keystore/keychain (passcode) or touchid.

So you would need to convince every service to setup this technology as an alternative method of login right? What is your plan to do something like that?

I myself, would only use this if services like Gmail, Steam, Reddit, Facebook, etc had this option;

[jeph3]

Hi TryNinja, thanks for the comment and questions.

The autofill feature provided by our browser extension means that you can use Lynx for the sites you listed from day one.

Our step after that would be to get a lot of services directly involved. One way to achieve this is to make the service dead simple to integrate for the devs. The aim is to make the service plug and play through things like wordpress plugins and javascript widgets.

Even if a service decides not to take direct advantage of our ID verification feature, you’ll still be able to use the autofill function to connect to those sites.

[MoonIsBlue]

We’ve been working for a few months now on a tool to change the way people sign in online and keep their personal information secure.

This is our first step towards a decentralized identity solution. We want to create something useful, so we’re keen to get some initial feedback: https://lynxid.tech

What do you think - does it look like we are heading down the right path?

If I get it correct, anyone with acces to your phone can now log in to anything you have your account linked with?
Also the name doesn't help very much, it is a bit confusing.

Assuming you need some kind of fingerprint to acces the phone, this is really easy to get and I'd say fingerprint security is overrated.
(you can get it with a bit of cinnamon and adhesive tape, thats the most basic way).

It can probably also use rebranding, LYNX is a pretty well known brand already and it would just confuse people. Why not Sloth? ( it is a bit of a lazy solution)

Password hackers are getting more and more advanced, so you need passwords that are not easy to recognize, and a unique password for each online service you use. We encourage you to review if each of your passwords is unique and sufficiently complex to keep you safe online, and then consider if Lynx is right for you.

As for myself I use a ton of different passwords for every site I register to. I keep this all handwritten down on a piece of paper. I remember the passwords really quick and often don't even need the piece of paper for over 30 different passwords I have. I'd say it would not be a product for me.

I think this is a lazy man's product and it fits right in todays age. I don't think it is secure, at all.

[LeGaulois]

The idea itself is interesting but some things are confusing to me. So the browser extension is something similar to LastPass, Roboform, etc? The difference it each time the user needs to scan a code right?
But don't you think the average user will be annoyed to use this smartphone multiple times daily? While for example with LastPass you just click a button in your browser.
Would not it be more convenient if, for example, it works with a session, for example, you scan a code and a session is active for let's say 3 hours and then there is no need to scan for each website.

I think this kind of app can be popular, I suggest LynxPass, LynxKey, Lynx as a name

[jeph3]

Hi MoonIsBlue, thank you for the feedback and the name suggestion, we'll take it all into consideration!

[jeph3]

Hi LeGaulois, thanks for the feedback. We love the suggestion, we’ll look into it!

[buwaytress]

Actually, it's been recently said by security experts (by whom, I can't recall,MIT?, but the same people who are responsible for current US conputer security recommendations) that the current advice of "change passwords regularly" and memorise it are no longer recommended. Password managers like what you're suggesting is the new recommended way to go, since they're immune to keylogging and can prevent phishing, which are now the most common way accounts are compromised.

I have been using one myself for years now and it's been a saviour every time I've lost a phone or computer.

Fintech projects in this area focus on biometrics and device authentication I see but I'm not a fan.

What would be your product's innovation, though? I'm not sure how a decentralized solution could improve the manager I already use. Except that my encrypted data is stored on some central server I guess...

[Patatas]

We’ve been working for a few months now on a tool to change the way people sign in online and keep their personal information secure.

This is our first step towards a decentralized identity solution. We want to create something useful, so we’re keen to get some initial feedback: https://lynxid.tech

What do you think - does it look like we are heading down the right path?

I wish you could have listed the details down here instead of just linking us to your project.
To start with,you took a good initiative to bring this into attention of the general public.People often don't realise the mistake of signing up on random websites with their personal information.Being a hardcore decentralisation supporter,I think it's very important to protect your identity online.That also means,no third party whatsoever should be used to trust your information with.I'll check out the webpage soon.

[mobnepal]

I have just registered for beta testing and looks like nothing have been developed on the platform, when you are going to start beta testing? I would love to test it out.

Concept of your project looks brilliant but what you guys have achieved till now? How you gonna decrypt those data in normal site, I mean you will store users details like their username and password in their mobile phone than they will just scan QR code given by browser extension when they will visit site to login, but how those webpages gonna recognize those encrypted username and password pair? 

[jeph3]

Hi buwaytress, thank you very much for your feedback.

In our first iteration, we want to increase usability by reducing the perceived complexity of managing multiple credentials. We do this by hiding all form fields and replacing them by a one step login/registration process. This first iteration is really about refining the user experience of a would-be identity manager.

Then, we want to get rid of passwords altogether, because let's be honest: passwords are not the best solution to signing in online anymore. We believe that public/private key cryptography authentication like what's used in Bitcoin really is where the innovation lies and that it must be put to good use in this area - and that's what we aim to do.

[jeph3]

Hi Patatas, thanks for your feedback - looking forward to hearing what you think of the webpage.

It’s still early days for us, so our aim was to allow people to make up their up own mind about what they find important about this kind of solution, rather than us speaking too much beforehand of what we assume is important. But you are right that we could indeed have explained a bit more up front, thanks for making us aware of that.

[buwaytress]

Hi buwaytress, thank you very much for your feedback.

In our first iteration, we want to increase usability by reducing the perceived complexity of managing multiple credentials. We do this by hiding all form fields and replacing them by a one step login/registration process. This first iteration is really about refining the user experience of a would-be identity manager.

Then, we want to get rid of passwords altogether, because let's be honest: passwords are not the best solution to signing in online anymore. We believe that public/private key cryptography authentication like what's used in Bitcoin really is where the innovation lies and that it must be put to good use in this area - and that's what we aim to do.

Appreciate your response jeph. I guess I misunderstood the concept, thinking it was still, after all, a password manager. For me, what I use is already essentially a no-step login, past the initial first step of setting it up of course. As long as I am on the correct site with recognised credentials, all information is already filled in for me so I never have to type anything. This is actually why I don't normally use 2FA - I especially do not like the added risk of losing access if my device is lost or malfunctioning.

But yes, passwords are not the best solution, I can certainly agree. I would like to see how cryptographic authentication can replace that (while being easier than passwords) though. So are you saying there's no blockchain innovation here? Just cryptography?

[warningsigns]

Entrusting a new service with one's most personal, confidential and sensitive information, biometrics even, is a formidable trust issue. It's not just about winning your users' consent to willingly part with and disclose that information. It's also about ensuring without a shred of doubt that this identity manager is secure and sustainable and is designed with robust protection systems to prevent information leakage or misuse. That's the main challenge.

There are established credential managers in the market and they all have to contend with security breaches as a very real risk element. And this they have to do and keep in mind 24/7/365.

Where you keep the information and who has access to that information and how that information is protected are the core questions you will need to address thoroughly.

[jeph3]

Hi mobnepal, thank you very much for the feedback and for signing up as a beta tester.

Our work on the mobile application is almost complete, then we'll be working on the browser extension. The browser identifies the required information by the website. It sends a request to the phone for the information, the phone sends back the requested encrypted information to browser which is decrypted by the browser.

[jeph3]

buwaytress,

We use the Ethereum blockchain for the low level identity management features of our system. It takes care of things like attribute management, certification issuance and management and identity profile control. The blockchain is useful it provides an unequivocal source of truth about the state of someone's identity.

One other problem with regular cryptographic authentication is that people lose their key which essentially amounts to you losing your account. But if your "Identity profile" is a contract address instead of a public key or a wallet address, you can define rules (think multi party enforced rule) to change who controls an "identity profile contract" and use this as a secure yet simple recovery mechanism.

[jeph3]

Hi warningsigns, thank you for your feedback.

You are 100% right, and we know we will have to prove our trustability. We will open our code and make it auditable. And we are designing our system with the philosophy that any user data is a "liability" for us, and we want to reduce this liability. All the data is encrypted client side with your private key, all the identity management system can only be controlled by your private key, and we are looking into decentralized storage systems as a mean of eliminating any form of central point of failure.

[buwaytress]

buwaytress,

We use the Ethereum blockchain for the low level identity management features of our system. It takes care of things like attribute management, certification issuance and management and identity profile control. The blockchain is useful it provides an unequivocal source of truth about the state of someone's identity.

One other problem with regular cryptographic authentication is that people lose their key which essentially amounts to you losing your account. But if your "Identity profile" is a contract address instead of a public key or a wallet address, you can define rules (think multi party enforced rule) to change who controls an "identity profile contract" and use this as a secure yet simple recovery mechanism.

Thanks jeph. Blockchain immutabilty certainly offers a way to store and keep track of the (evolving) state of identity. I actually foresee it being used in the future as a historical log of the world's global population by identity, which would be of great interest to historians and sociologists.

Like the idea of rule-based recovery but can mutli-party be something that will address inheritance? If I were to die suddenly for example, I couldn't ensure my next of kin could access my private keys without me having to first share it with them  - still something I wouldn't do while alive haha! I assume I would also need to be alive for multi-party rules.

P.S. I just ran across this post now, and wondered if it had any similarities to your concept (not the same idea for sure since it directly targets KYC): https://bitcointalk.org/index.php?topic=2250016.0