Keyless encryption and passwordless authentication

[Voland.V]

To me, it doesn't make sense. Yet. I just don't understand how you can identify someone without knowing at least one detail about them. 2FA (time based) works on a secret and the current time, changing every 30 seconds.

Encryption, works on a key, whether that's a shared secret key, or a public/private keypair.

э
-Yes, you're right, to identify someone, that someone must have a personal ID.
The idea of keyless encryption, and the idea of passwordless authentication does not violate this principle, the principle of having a personal identifier that allocates one of all.
On the contrary, this idea - has received unexpected development from the point of view of logic, from the point of view of the theoretical concept on which all this technology is built.
If in a conventional system, a password authentication system, you have the same password until you change it yourself, you have the same identifier, a digital identifier that can be stolen at any time and used on your behalf.
Option with a 30-second change of Google's incremental entry to your password (cryptographic salt and hashing amount) - I don't discuss it because the idea is diluted by the time factor, but not fundamentally changed.
We propose a radical change to the idea of password authentication (which automatically means using keyless encryption, I'll explain why this is the case later), which is in this protocol:
1. The client registers, designates himself and gets his digital ID;
2. gets its first authentication, and therefore authorization (obtaining the rights of its account);
3. Connects a keyless encryption technology that changes the encryption key for each packet of data, which is completely similar to the lack of a key, in fact, only the encryption scheme always changes, the word key is from the old concepts of encryption, but so far familiar to our hearing; 
----------------------------
Important - the encryption scheme changes for each new packet of data, not for the time. For each and every one of them, both sent and received. For 1 data packet, for example, for every 256 bits of information encrypted in the packet. The law of changing each bit is different and has 256 values. If you like the word key, it means the key for every single bit. This is a complete analogy to the Vernam cipher. The encryption process, in the most recent round 8, uses disposable binary tape. And it's not the main encryption round, it's an auxiliary one. The basic elements of vector-geometric, keyless encryption technology are completely different, see the diagram above in my posts.
------------------------------
4. now your identifier has floated, it has started its infinite digital voyage, it is now a variable, a variable for every packet of sent data. The server doesn't know in advance what it's going to be. And you don't know ahead of it. Forward, it means forward to the normal human reaction time, like the next second. All that your encryption system and the symmetric encryption system on the server know is how to form a new data packet. For this reason - stealing the encryption scheme (there is no key, you can't steal the key) that is used to encrypt the current data packet - doesn't make sense, because the cheater will never have time to use it until he processes it - the encryption scheme changes many thousands of times.

This is the root of the idea of passwordless authentication - in a constantly, continuously changing, variable identifier. 

[1714054319]

1714054319

[1714054319]

1714054319

[1714054319]

1714054319

[1714054319]

1714054319

[1714054319]

1714054319

[Sanugarid]

In the world where hackers and such exists, I don't think keyless and passwordless authentication is possible yet. I'm not even satisfied with how fingerprint and face detection work yet especially if it involves a huge amount of money. I can't even think of a good security measure to counter those hackers, honestly. Even if there's a lot of security measures involve they are still able to hack accounts in just a few clicks.

With the world of cryptocurrency, many people have much money on their digital wallets; for the safety of the users, the developers make a hashing of the passwords before the passwords are not encrypted; it was just a verification for the user's authenticity for having good security. They make the passwords harder and not prone to hacking they use the hashing to make a different text, numbers, and symbols combined together, and this is the essential thing today if you want to develop a website and system. But the hackers are ethical too, so the developers make another way of encryption this is the two-way authentication that sends the code to their users and verifies by the computer.

I do not really think that this can happen because when I've started here passwords are really important because it makes your wallet really secured and to avoid also from hacking. Maybe because of technology is keep on innovating this can happen but I can say that password is still important to every wallet, it makes your money secured.

To me, it doesn't make sense. Yet. I just don't understand how you can identify someone without knowing at least one detail about them. 2FA (time based) works on a secret and the current time, changing every 30 seconds.

Encryption, works on a key, whether that's a shared secret key, or a public/private keypair.

Yes, the only problem with that is when they steal your 2fa privkey at the time of creation, or when your device time isn't exactly in sync, or when the user loses the privkey (because GA was in the stolen phone, etc)...

To me 2fa is not an excuse to replace a solid good randomized password made with a decent password manager (not online sites, free open source software) that also uses a very good password running in a secure OS unlikely to have random malware of the week sniffing.

Passwordless solutions have always been defeated at some point, they are way too dangerous. You can do a "one time", and then go asymmetric like with SSH you add public server keys to your client and never input login passwords again, but only if your OS is secured.

And very likely some of the passwordless proposals include fingerprinting you to the point of uniqueness. What happens when THAT info falls into the wrong hands? Same as with KYC/AML.

Indeed, using 2FA authenticator really makes your money safe so even if it is not convenient I will still support a project or wallet that has this kind of stuff to make my money safe. I will not risks my own money supporting a wallet that has no encryption and authentication. It can make hackers easy to hack your wallet account. But we cannot say that this is not possible, maybe in the future, they can produce a wallet like that but there must be security information that is needed like making other stuff other than authentication.

[fiulpro]

Password less authentication ?
Okay so what do you think would be used instead of a password ?
Fingerprint ?
Face lock ?
Voice recognition ?
The authenticator by Google?
----
Except the last one , I do believe each and everyone of them comes with a fault , come on one can actually do something to a person to connect with the device .. unfortunately us traders hold most in our mobile phones and I do think not just passwords , but everything at once all the things that I listed are not enough too  you can never be more secure .

[Voland.V]

Password less authentication ?
Okay so what do you think would be used instead of a password ?
Fingerprint ?
Face lock ?
Voice recognition ?
The authenticator by Google?
----
Except the last one , I do believe each and everyone of them comes with a fault , come on one can actually do something to a person to connect with the device .. unfortunately us traders hold most in our mobile phones and I do think not just passwords , but everything at once all the things that I listed are not enough too  you can never be more secure .

------------------
Authentication without a password does not mean that you do not have a password.
I take it it it's not clear, what's the difference and what's new with this technology?

What's new here is that you only use a password once when you register on a site (like a site).
Password, of any complexity - for a site always looks different for you, it looks like a digital code. And the numerical code - by appearance of which it is impossible to find out your password.
This is a so-called one-way cryptographic function, which makes from your alphanumeric password - a hash, a numeric identifier by which your device will be recognized, not you.
Regardless of whether you enter the password manually, or if the password is written in a program (e.g. in a browser) and the browser enters it itself, the server will identify you as "the device that provided your numeric identifier. Dot.
No identification is made.
Proof:
- If a fraudster enters your password, the server will be more than happy to identify you.

So, password technology is dangerous. And above all it is dangerous because you have a permanent digital identifier, which is produced by a one-way function from your "password" is always the same. A scammer does not need to guess your password, it is enough to have this numeric identifier.

For this reason, all biometric identifiers are a form of password, but they are even more insecure than a password, because they are very easy to forge.

Some banks, even refuse to serve customers, to
that prove themselves not by a password, but by biometrics.

These are all technologies based on your permanent digital identifiers, no matter how they are obtained.

They are stolen, tampered with, guessed (passwords) and cheated by the server.

The idea of passwordless authentication is based on your ever-changing numeric identifier. But not as primitive as Google did - every 30 seconds, and at another higher level - at the level of every packet of data, at the level of keyless encryption technology.
   
You don't enter your password a second time. If you want, you can confirm yourself with an additional password or your biometric data.
But this is additional, not basic confirmation.  In this variant, if steal your password - then nothing at the swindler will not work.  Because the server before entering the password, identifies you in the face of your device, as its user.

And one more thing.

If your password or your numeric identifier is stolen - it is not the fact that you immediately find out about it, it can be done remotely.

But if I steal your device, you will immediately notice it and take action.
Moreover, you cannot steal your device remotely.
It's a fact.

[Voland.V]

In the world where hackers and such exists, I don't think keyless and passwordless authentication is possible yet. I'm not even satisfied with how fingerprint and face detection work yet especially if it involves a huge amount of money. I can't even think of a good security measure to counter those hackers, honestly. Even if there's a lot of security measures involve they are still able to hack accounts in just a few clicks.

Indeed, using 2FA authenticator really makes your money safe so even if it is not convenient I will still support a project or wallet that has this kind of stuff to make my money safe. I will not risks my own money supporting a wallet that has no encryption and authentication. It can make hackers easy to hack your wallet account. But we cannot say that this is not possible, maybe in the future, they can produce a wallet like that but there must be security information that is needed like making other stuff other than authentication.

-------------
In password authentication systems - there are passwords, there are numeric identifiers. 2FA is a way of combining your permanent numeric identifier (e.g. password) and a variable (e.g. code in a text message that is not repeated anymore). The essence has not changed, the response time of the cheater has changed and the complexity of the attack.

But cheaters are surprisingly easy and differently vector to cope with it.

Any 2FA - easy to break, especially if the second factor is your smartphone! SMS - much easier to capture than to find out your master password.

You need the next step, 3FA, 4FA ... - playing cat mouse, not solving the authentication problem.
Only passwordless authentication, real authentification without a password, not a temporary password like 2FA is the solution.

For those who trust 2FA, this is the material:

1. scammers have learned to intercept SMS with security codes sent by banks and withdraw all the money that is on the card. Not so long ago this way in Germany cybercriminals pulled off a major operation to steal money from credit cards of hapless users.
It should be noted that 2FA via SMS has already been officially recognized as an unsafe authentication method due to unrecoverable vulnerabilities in Signaling System 7 (SS7), which is used by cellular networks to communicate with each other.
A few years ago Positive Technologies specialists showed how SMS is intercepted.

2. In fact, the assumption of inconvenience (and insecurity) was confirmed by Grzegorz Milka, the same speaker from Google. The Register journalists asked him why Google will not enable two-factor authentication by default for all accounts? The answer was usability. "It's about how many users will leave if we force them to use additional security."
That's a good, honest answer.

3. Even before I started studying IT security science, I thought 2FA authentication was a guaranteed way to secure my account and no "these hackers of yours" could, say, steal my internal currency to buy... on your account. But over time, it has been proven by experience that a two factor authentication system can have many vulnerabilities. The code authentication system is very common, used everywhere on various sites and can connect for both primary and secondary login.

4. - bypass rate-limit by changing the IP address...
A lot of blockages are based on the restriction of receiving requests from IP, which has reached the threshold of a certain number of attempts to make a request. If you change the IP address, you can bypass this restriction. To test this method, simply change your IP using Proxy Server/VPN and you will see if the blocking depends on the IP.

5. - bypassing 2ph by substituting a part of the request from a session of another account...
If a parameter with a certain value is sent to verify the code in the request, try sending the value from the request of another account. For example, when sending an OTP code, it verifies the form ID, user ID or cookie that is associated with sending the code. If we apply the data from the account settings where we need to bypass the code-verification (Account 1) to a session of a completely different account (Account 2), get the code and enter it on the second account, we can bypass protection on the first account. After rebooting the 2FA page should disappear.
This is like another example.

6. - bypassing 2FA with the "memorization function"...
Many sites that support 2FA authentication have "remember me" functionality. This is useful if the user does not want to enter the 2FA code when logging into the account later. It is important to identify the way that 2FA is "remembered". This can be a cookie, a session/local storage value, or simply attaching 2FA to an IP address.

7. - insufficient censorship of personal data on the 2FA page...
When sending an OTP code on a page, censorship is used to protect personal data such as email, phone number, nickname, etc. But this data can be fully disclosed in endpoint APIs and other requests for which we have sufficient rights during the 2FA phase. If this data was not originally known, for example we entered only the login without knowing the phone number, this is considered an "Information Disclosure" vulnerability. Knowing the phone number/email number can be used for subsequent phishing and brute force attacks.

8. - Impact of one of the reports:
Linking to other vulnerabilities, such as the previously sent OAuth misconfiguration #577468, to fully capture the account, overcoming 2FA.
If an attacker has hijacked a user's email, they can try to regain access to the social network account and log on to the account without further verification.
If the attacker once hacked into the victim's account, the attacker can link the social network to the account and log into the account in the future, completely ignoring 2FA and login/password entry.

9. - Everybody is so confident in the reliability of 2FA that they use it for the most demanding operations - from Google authorization (which is instant access to mail, disk, contacts and all the history stored in the cloud) to client-bank systems.

The ability to bypass such a system has already been demonstrated by the Australian researcher Shubham Shah.

In early 2019, Polish researcher Piotr Duszyński made Modlishka reverse proxy available to the public. According to him, this tool can bypass two-factor authentication...

10. - A security breach was discovered by the leading hacker at KnowBe4, Kevin Mitnick. The new exploit allows you to bypass protection with two-factor authentication (2FA). An attacker can direct a user to a fake authentication page, thus gaining access to the login, password, and cookie session.

11. - The "ethical hacker" Kuba Gretzky developed the evilginx tool to bypass two-factor authentication. The system uses social engineering principles, and can be directed against any site.

12. - Two-factor authentication mechanisms are not reliable enough. Shortcomings in the implementation of such mechanisms are found in 77% of online banks.

13. Nothing new, the issue of hacking into the 2FA mechanism was commented by Pavel Durov himself.  The mechanism is simple, here it is:

1. Interception of SMS by various means.
2. Login to your account on a new device or web version of Telegram.
3. Resets two-factor authentication via tied mail.
4. Mail is "opened" by receiving the same sms through the "Forgot Password" button (you will be lucky if the numbers do not match).
5. We enter the mail and enter the code in Telegram.
6. We open all chats, groups and not remote correspondence, except for secret chat rooms (green chat rooms with a lock).

So what are we doing?
We're waiting for 3FA, 4FA... PFA or looking for technology, options for new password-free authentication methods?

And we're not confused, these methods have nothing to do with biometric...

[Voland.V]

In the world where hackers and such exists, I don't think keyless and passwordless authentication is possible yet. I'm not even satisfied with how fingerprint and face detection work yet especially if it involves a huge amount of money. I can't even think of a good security measure to counter those hackers, honestly. Even if there's a lot of security measures involve they are still able to hack accounts in just a few clicks.

With the world of cryptocurrency, many people have much money on their digital wallets; for the safety of the users, the developers make a hashing of the passwords before the passwords are not encrypted; it was just a verification for the user's authenticity for having good security. They make the passwords harder and not prone to hacking they use the hashing to make a different text, numbers, and symbols combined together, and this is the essential thing today if you want to develop a website and system. But the hackers are ethical too, so the developers make another way of encryption this is the two-way authentication that sends the code to their users and verifies by the computer.

I do not really think that this can happen because when I've started here passwords are really important because it makes your wallet really secured and to avoid also from hacking. Maybe because of technology is keep on innovating this can happen but I can say that password is still important to every wallet, it makes your money secured.

To me, it doesn't make sense. Yet. I just don't understand how you can identify someone without knowing at least one detail about them. 2FA (time based) works on a secret and the current time, changing every 30 seconds.

Encryption, works on a key, whether that's a shared secret key, or a public/private keypair.

Yes, the only problem with that is when they steal your 2fa privkey at the time of creation, or when your device time isn't exactly in sync, or when the user loses the privkey (because GA was in the stolen phone, etc)...

To me 2fa is not an excuse to replace a solid good randomized password made with a decent password manager (not online sites, free open source software) that also uses a very good password running in a secure OS unlikely to have random malware of the week sniffing.

Passwordless solutions have always been defeated at some point, they are way too dangerous. You can do a "one time", and then go asymmetric like with SSH you add public server keys to your client and never input login passwords again, but only if your OS is secured.

And very likely some of the passwordless proposals include fingerprinting you to the point of uniqueness. What happens when THAT info falls into the wrong hands? Same as with KYC/AML.

Indeed, using 2FA authenticator really makes your money safe so even if it is not convenient I will still support a project or wallet that has this kind of stuff to make my money safe. I will not risks my own money supporting a wallet that has no encryption and authentication. It can make hackers easy to hack your wallet account. But we cannot say that this is not possible, maybe in the future, they can produce a wallet like that but there must be security information that is needed like making other stuff other than authentication.

-------------------------
The modern protection system is a modern protocol, a set of instructions on the technologies underlying these protocols.
The main technology underlying the security systems is cryptography.
Cryptography, any system, is built on the methods of using the key, which is used as the instruction needed to configure individual (for this key) encryption algorithms.
Therefore, any protocol based on modern cryptography will always ask you for the key, password, biometric identifiers, which are essentially the same password, password-constant, it cannot be changed.

As soon as you build a system that has a weak link in its foundation - a password or key, so prepare yourself immediately for the fact that scammers will not break you in the forehead, they will look for access to keys and passwords.

Modern cyber crime research, their statistics, reports from companies dealing with this issue, even a Microsoft report - all this clearly shows that keys and passwords are almost always stolen.

Any security system, the most sophisticated and modern, even postquantum ones, if based on passwords or keys, will have a vulnerability in this very weakest link - the key (password).

Only keyless encryption systems will allow to build more reliable security systems.

So, on this subject, today the press writes:
 "Last month, ThreatFabric discovered the first ever malware to steal two factor authentication codes generated by Google Authenticator. The researchers named the malware Cerberus. Cerberus is a hybrid of the banking trojan and remote access trojan (RAT) for Android devices. After infecting the device with the bank trojan functions, the malware steals bank data. If the victim's account is protected with Google Authenticator's two-factor authentication mechanism, Cerberus acts as a RAT and provides its operators with remote access to the device. Attackers open the Google Authenticator, generate a one-time code, take a screenshot, and then access the victim account. According to researchers at Nightwatch Cybersecurity, Google could have fixed the problem back in 2014, after a GitHub user wrote about it, but didn't do so. The problem remained unsolved in 2017, when Nightwatch Cybersecurity reported it to the company, and remains so today.

What's next?

[Voland.V]

I'm really sorry. I can not understand what you're trying to say. This is a completely new way of thinking about encryption.

I had implied that the initial chess board is fixed in it's starting position, and any updates to the pieces could be followed by an eavesdropper using the same keyless encryption scheme you proposed.

I'm not even talking about a man-in-the-middle attack.

-----------------------
A listening device is a 100% effect, no matter how it is encrypted, it is important to always remember that you will be overheard until the encryption is complete, the keys you press on your computer are scanned, the screen and the on-screen keyboard are scanned.
This is all understandable.
And this is not a cryptographic task.
Cryptography is about making your own, closed channel between clients.
What is the main vulnerability of modern cryptography, regardless of the complexity of the encryption system?
It's in the keys.
Nobody works to break into the encryption system itself, always stealing keys. Always exploiting this particular vulnerability.
What do the crime stats show?
The theft is growing. And the worst part about stealing your key is you don't know it.
What's the danger?
Because you keep encrypting your secrets, which are now available to the cheater. Perhaps all your secrets of the past are now available. There are bad consequences for you.

What does keyless encryption technology offer?
It prevents a cheater from stealing and exploiting your keys... due to their complete absence.
Or in other words, there's a huge number of them, one unique key for just one data packet. The next packet of data is a new one. What would it take to know a new one, like Eve, a third party?
Nothing special, the whole history of information exchange between clients (between Alice and Bob) with an accuracy of one bit.
Think, and read carefully - not from the beginning of this communication session or from the beginning of this calendar year, or any other "beginning", but from the first bit in the channel and to the last one that was sent to the channel, its exact (miles, miles second) time, its exact decryption, everything, absolutely all the settings of the encryption system for each bit of information (!!!), but it's not enough - every single error in the history of information exchange between Alice and Bob! It is necessary to know not only all the errors (even errors of noise origin), but also their exact time and their exact sequence in the flow of information - in the history of information exchange!
But this is not all.
Imagine that Alice and Bob are communicating by voice in their closed communication channel. It happens, people say "on the phone".
A scammer needs to know every single pause between the words of the speakers, their exact duration, the exact time of arrival and end!
I can tell you right away that there are no pauses in the communication channel - there are no pauses completely, on the physical level. Attack by a person in the middle of no information about the pauses in the conversation between Alice and Eve - will not give.
Also, the observer Eva will not receive information about who is passing the information to whom.
She won't get any information about who's transmitting the information or how much.
She won't receive information about whether or not the information was transmitted at all.
Wait.
And here we get interesting methods of protection against "man in the middle" attack - we just are silent, Bob and Alice are silent, and in the channel of communication the information exchange continues evenly, the flow of information from Alice to Bob is exactly the same as from Bob to Alice, and absolutely does not change when they stop talking and start talking.
Ironically, it's a fact.
It's a real closed channel, without the possibility of any analysis of the volume, fact, and direction of information transfer in it.
Why is it so complicated?
Because otherwise such an encryption system won't work.
It's a new encryption built on an ever-changing continuum of virtual space and time. The space isn't complex, but it's dynamic, without static states. That's why downtime isn't possible.     

What's the attack in the middle? In this concept, it is meaningless and useless.

[andriyana]

whether TOXIC token is planning to do a token sale in exchange (IEO) I think it's a good idea to maintain investor confidence

[brightemo]

I dont think that we should change all auth to biological. Sometimes just password is enough

[Voland.V]

I dont think that we should change all auth to biological. Sometimes just password is enough

----------------
This does not suggest changing the password authentication to biological.
As practice has shown, biological is even more vulnerable than password authentication.

Most fingerprint sensors can be tricked with a textile adhesive impression.

Cisco Talos has conducted a study on how to circumvent biometric fingerprint-based authentication systems. The researchers achieved success in almost 80% of cases.

In the course of the study, the researchers took the victim's fingerprints from the surface she touched, printed the mold for casting with a 3D printer, filled it with inexpensive fabric adhesive (the researchers specifically took inexpensive materials for the experiment to see what "success" the attacker can achieve even with minimal resources) and cast a cast of the print.

Specialists applied the cast prints to various sensors of fingerprints, including optical, capacitive and ultrasonic, in order to identify the most reliable of them. As it turned out, there was no particular difference between these sensors in terms of security. However, more researchers have managed to hack gadgets with ultrasonic sensors. They are the latest type of transducers and are usually built into the device display.

With the help of casting specialists were able to unlock almost all the smartphones taken for the experiment. As for laptops, they were able to unlock 95% of MacBook Pro.

As for password authentication, this method also proved to be completely untenable. Passwords are being stolen and sold on a massive scale. In one minute the world spends almost $3 million to maintain these outdated security systems.

I am offering passwordless authentication based on keyless encryption, not an old compote on new ideas.

And another feature is silence encryption. It completely closes the communication channel from surveillance and analysis.

[Voland.V]

whether TOXIC token is planning to do a token sale in exchange (IEO) I think it's a good idea to maintain investor confidence

---------------------------------
I know these guys, they think rightly that the time of keys and passwords is a rudiment from the past and whoever cuts it off first will win the total fraud associated with stealing passwords and keys.
I can only help them with the technology itself, I have developed a theoretical basis for keyless encryption and passwordless authentication (not by your biometric waste...), who is interested in sending out publicly understandable material.
But I myself, not involved in this project, cannot answer the question of what and how to do it. I am sure that if the future is not in this project, there will be others like this, which will spare us the fear of stealing our identification data. That just doesn't make any sense.

[Lorence.xD]

If we were to use your proposed way of authentication there will be problems, though I agree the problem with that is how much user can it handle because based on what you said there will be a lot of variable to make an identifier, for example if they were to use 500k variable to make an identifier wouldn't it make it difficult for normal computers to process, imagine that 500 and the combination is unique, and there are 500 thousand users then wouldn't that overload a computer. The best solution right now would be to create an insurance in case there is a stolen fund or marking the funds stolen so they can't be used, that is much better because they discourage people to steal.

[Voland.V]

If we were to use your proposed way of authentication there will be problems, though I agree the problem with that is how much user can it handle because based on what you said there will be a lot of variable to make an identifier, for example if they were to use 500k variable to make an identifier wouldn't it make it difficult for normal computers to process, imagine that 500 and the combination is unique, and there are 500 thousand users then wouldn't that overload a computer. The best solution right now would be to create an insurance in case there is a stolen fund or marking the funds stolen so they can't be used, that is much better because they discourage people to steal.

---------------------------------
Passwordless authentication is a continuous process of verifying each data packet, without exception or compromise, in both directions, over a cryptographically closed communication channel.
If the data packet you are sending is 256 bits (the minimum possible), then Keyless Encryption must identify that data packet by its level "its" - "someone else's".
If the data packet is "its own" then it is sent by the user who installed this communication channel, which in turn means that the authentication of the sender of the packet took place.
How many options are there in the 256-bit code? I think more than 500.
The data packet itself, which will be authenticated, is a variable numeric identifier. Variable - because every next data packet, no matter what information in it is encrypted, the same or no encrypted information (in keyless encryption technology there is an important point - encrypting silence) - must have a completely different, unique code, one of 256, in order to be identified as "your" - "someone else's".
 In addition, this way of transmitting information does not require a digital signature, all information will be verified through a verification of the subsequent packets of data - by default.
The trick is that if the information decrypted in the previous packet was decrypted incorrectly even by 1 bit - all the next packets will be formed incorrectly, which means - will not be recognized, which means - will not be decrypted, everything, or the end of the communication session, if the channel is noisy, or resumption of transmission from the last successfully received, decrypted and identified data packet, this already solves the transmission protocol.

Thus, we get, together with passwordless authentication, an immediate complete verification of all sent information, without a digital signature.

This is the main advantage of keyless encryption technology.
The key is every single event, and the encrypted information, and erroneous packets, and repeated packets and much more that allows:
1. or instantly identify the packet (approximately 25% probability);
2. No matter how a packet is identified instantly or not, unambiguously identify it by taking the following data packets, with accuracy, with verification, to one bit.

So there is no problem with a large number of clients.

[slaman29]

Sorry guys but it got me lost out there after reading through. So keyless encryption is basically what we are all doing on a daily basis when our devices encrypt stuff right? For example I'm sending Telegram messages and it's all getting encrypted, but I'm not using any key.

But passwordless authentication, I still don't get it. My voice or fingerprint is still my password right?

[Voland.V]

Sorry guys but it got me lost out there after reading through. So keyless encryption is basically what we are all doing on a daily basis when our devices encrypt stuff right? For example I'm sending Telegram messages and it's all getting encrypted, but I'm not using any key.

But passwordless authentication, I still don't get it. My voice or fingerprint is still my password right?

------------------------
No, that's not right.
When you send messages through a messenger, or by mail if encryption is enabled, this is normal key encryption.
Which one is a question for the program you are using.
If it's E2E encryption, then 2 cryptographic systems and Meclie Marlinspik's double ratchet (first used in Signal) are used at once.
Yes, you don't make up the keys, you don't even know them, if you're particularly gifted, you don't even know that the channel is encrypted. But it is encrypted with the keys, the keys are stolen remotely from you, and then you are listened to, and you say, write without understanding that your ears are already sitting.
The general type of protocol is very sketchy and very unspecified:
1) An asymmetric cryptographic system (usually RCA or ECC) negotiates the shared session secret key of the communication channel, the given encryption session.
2. This key is then used by some symmetric cryptographic system to encrypt your traffic.
3 If there is an E2E, then each message has its own additional modified key, derived from the shared encryption key and a number of other factors.

That's it. This is a protocol built on key encryption systems.
What does it take to read your channel? A key or keys.
How do crooks get them?
Easily, in a variety of ways, read online.
What are the consequences of using key systems?
Global.
Fraudsters do not break a cryptographic system, except for someone who is waiting to run a quantum computer for public use over a network (there is such a service).
 They collect your encrypted messages.
Then they get the key.
Then, all your secrets stop being secrets.
Or they do it quickly through a 'man in the middle' attack, phishing and other nasty things.
And you don't know anything about that.

What does a keyless encryption system give - no matter how many of the above problems, no matter how many of your encrypted messages a cheater (or special services, which are the same) would accumulate, no matter how many "keys" he steals or searches for with a quantum computer - he will not find them for a simple reason, they simply do not exist.

Let him try, and we'll see.

What a bonus to such an encryption system is passwordless authentication. You don't need to enter a password, this password doesn't remember your or a third-party application and doesn't enter it for you, you don't need to put your finger on the sensor, your eyes, blood, heartbeat, DNA, your saliva and your other biological waste.
You need to access the channel from the program you came in from earlier. This program (encryption program, keyless cipher generator - KCG) has a unique, original state of its internal spatial virtual continuum. So, encrypting your information (or false information if you are silent) always, for every packet of your data that you send, happens by a new rule that only a second program that has all the same up to one bit history of communicating with you, all the up to one bit correctly decrypted previously information that does not accumulate, but is an argument for a derivative that changes the geometry of your internal space.
The analogue. You're welcome.
How many chess games, how many options are there for arranging pieces on the chessboard?
Many, I couldn't calculate.
Now add here a variable number of pieces from 1 to 64 (instead of 2 to 32, as is).
Also add here a game without rules, which means that any piece can turn into any one and have new variants at all.
After that add one more condition - there are no 2 or more identical pieces on the board (for example, in chess there are 16 identical pawns).
And now there is an indefinitely huge number of variants - you do not apply to all possible variants of information, but only six (six) bits, and 6 (six) bits have only 64 variants of encryption, more and more do not. And you have 1000 chessboards, one for every 6 bits of open information.
Is there even one contradiction and limitation, as safe to encrypt without a key (in your logical tunnel of time) and as safe to identify the correct cipher from the false, if each chessboard will have its own chess sketch for its 6 bits, a chess position, which can not be guessed by an outside observer.

These are the basics of vector-geometric encryption, the principles of which are shown in the diagram in this post dated December 7, 2019, in which the key mode can only be an option, not a mandatory rule for encryption and most importantly - for decryption.

A lot of my posts have been removed by the administration and there have been numerous explanations for this technology.
I don't see the point in repeating everything - they'll delete it again.

What's not clear is I'm ready to answer.

[icewitch0612]

I still want to feel that I control something and know the password.

[Voland.V]

I still want to feel that I control something and know the password.

---------------------------------------

- Recently, unknown persons attacked UN units, "as a result, components of key infrastructure in Geneva and Vienna were compromised ..." - quotes Dujaric Reuters (stealing keys);
And that's what it leads to, password, key, the essence of one you break through them even if you have post quantum cryptography or quantum key distribution.
By the way, nobody limits you from a password - in passwordless authentication or from a key - in keyless encryption. This is your own business.

But if this "your personal business" is stolen, then this technology will NOT be able to use it against you.

If you only use a password or just a key, then even if you live in this future with new cryptography, there is phishing and other nasty modern things against you.
No cheater breaks the cryptographic system or password authentication, their mind is not so configured.

That's what they do against us:

- The CIA, together with the German Federal Intelligence Service (Bundesnachrichtendienst, BND), has been reading secret messages from officials in more than 120 countries for the past fifty years (!) through Crypto AG, a company that produces special encryption equipment (via encryption keys);

- security researchers from ESET discovered the dangerous vulnerability Kr00k (CVE-2019-15126) in widely used Wi-Fi chips from Broadcom and Cypress and affects more than a billion devices worldwide (smartphones, tablets, laptops, routers and IoT devices) that use the WPA2-Personal or WPA2-Enterprise protocol with the AES-CCMP encryption algorithm. Now Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi) and access points from Asus and Huawei are under attack. The Kr00k vulnerability is related to Key Reinstallation Attack (KRACK), which allows attackers to crack Wi-Fi passwords protected by the WPA2 protocol (keys again);

- huge problems with device shells that contain embedded vulnerabilities such as embedded passwords and embedded SSH/SSL keys. The appearance of one such device in your home, including an IOT device, connecting it to your home wi-fi, allows you to attack all your other devices connected to the same access point (keys, passwords);

- experts found a database with unencrypted e-mail addresses and passwords of more than 1 billion users on the Web, put up for sale by a cybercriminal under the pseudonym DoubleFlag (passwords);

- of the 175 million RSA certificates analyzed, over 435,000 are vulnerable to attack. At the international conference IEEE TPS (Trust, Privacy and Security) in Los Angeles, California, a group of researchers from Keyfactor presented these results (vulnerability of key infrastructures in general).

So what does the password give? Protection? It's more like the opposite.

[NeuroticFish]

Authentication without a password does not mean that you do not have a password.
I take it it it's not clear, what's the difference and what's new with this technology?

What's new here is that you only use a password once when you register on a site (like a site).
Password, of any complexity - for a site always looks different for you, it looks like a digital code. And the numerical code - by appearance of which it is impossible to find out your password.

I still don't see how is this better than 2FA.
The secret password/seed is needed and one more "derivation" component based on time is necessary.
The problem of 2FA is the way it's usually implemented and used, favoring the secret password/seed being stored on vulnerable devices. But nowadays there are hardware devices handling that too.

[Voland.V]

Authentication without a password does not mean that you do not have a password.
I take it it it's not clear, what's the difference and what's new with this technology?

What's new here is that you only use a password once when you register on a site (like a site).
Password, of any complexity - for a site always looks different for you, it looks like a digital code. And the numerical code - by appearance of which it is impossible to find out your password.

I still don't see how is this better than 2FA.
The secret password/seed is needed and one more "derivation" component based on time is necessary.
The problem of 2FA is the way it's usually implemented and used, favoring the secret password/seed being stored on vulnerable devices. But nowadays there are hardware devices handling that too.

--------------------------------
About 2FA - I described in detail in the post of March 09 = 13 ways to bypass this technology. The more factors, 2FA is more than 1FA, the harder it is to bypass 2 levels of protection when the technology first appears. But with time, when cheaters start to study it, they find ways to hack, and their methods of hacking concern each of the factors. It's all described above.
If it's 3FA, 4FA... it's going to be the top at first! And at the end, as soon as you get used to it, you get even more hacking than with a 1-PhA than with a normal password.
If I were to suggest one more factor, time:
1. I would not offer anything new, this idea is many years old and it was useless;
2. I'd introduce a third factor that would only weaken, in the end, not strengthen the defense.

For now, I'm stopping myself from being so stupid...

The basis for passwordless authentication is that as a client and server, you need to identify every packet of data.
A data packet is a bit sequence of a predetermined length.
You need to recognize your bitmap sequence from an outsider.
In addition, this identification only works simultaneously in 2 directions. And only continuously, for each data packet - the same check.
But how can we do this if we do not know in advance what information is transmitted in the next data packet?
No way. With this data packet you will do nothing, accept, decipher. And put it on hold for inspection...  the user won't get it yet, even though it's decrypted.
But then you need to form your data packet and send it.
And how do you form it if you don't have the key?
That means, you need to use all events in the system - as arguments for irreversible functions (hash functions) to get a result - which will set up a new encryption scheme for a new data packet.
Recall that we are talking about a geometric encryption model (who has not read above - read).
And what new encryption scheme will I get?
If I decrypted every bit of it correctly (and in all rounds, not just in the end) - it will be exactly the same as it was prepared to receive my data packet - my companion. In other words, me and my conversation partner, the new encryption and decryption scheme will match! It's a symmetrical encryption system.
And in the end what?
I "correctly", understandably for my interlocutor, encrypt my data, and he will take it and decipher it correctly.

And if I decrypted the received data packet incorrectly, at least by 1 bit - my encryption scheme will be cardinally, thoroughly, very much different from the scheme prepared by my conversation partner.
And what will happen?
He will decrypt my data incorrectly and prepare another encryption scheme for his new data packet. The situation will become avalanche-like - we will no longer understand each other, which means that the data packet that I decrypted, postponed, and did not give to the user - will be found to be erroneous:
1. or erroneously decrypted due to interference in the communication channel or no matter what else;
2. or it's not our data packet at all, it's an attack, modification, misinformation - no matter what, it's fictitious.

So what do we do? Let's not cry.
Let's ask for a repeat of exactly this data packet and start building a new encryption scheme - exactly the same scheme as the wrong data packet came in and failed to check.
Let's do it again.
Until we get and correctly decrypt the new, repeated data packet, until the data packet is unambiguously authenticated as "its" by the new data packet - we do not use the information encrypted in it, it is recognized by the system as misinformation.

It is clear that the data packet, apart from the information, has a sufficient set of service bits to make a preliminary check of the package - in advance, until its full decryption.
It is clear that the geometrical space has not only elements filled with information, but also a lot of empty cells, and if the information is not true, then the decryption will be built a vector on an empty cell and the system will understand in advance - that somewhere there is an error (see the following). Vector-geometric encryption scheme from December 7, 2019 in this topic), but it's all the nuances of the technology, they are not needed to understand the principle of identification and 100% authentication of the sender of ALL ONE DATA PACKAGE and the same EVERYTHING DATA PACKAGE!

With normal authentication - the server recognized you (you server usually only recognize by the appearance of the site - and this is in our 21st century!!!!), and then works with you without checking each data packet, your he or Eve (attack man in the middle and other nasty things).
That's what all phishing is based on - you've had your passwords, every security factor taken away once, and everyone is using it without fear that the server will notice a spoof.
One theft is a bunch of problems. It's now.
We have nothing to steal because the encryption scheme (like key) for each data packet is different (like key). If this non-existent key, this encryption scheme - the cheater steals it, he will not be able to use it for the following data packet - he can not until he steals your entire device.

This is real security and real authentication, not a password template.

[Voland.V]

I still want to feel that I control something and know the password.

---------------------------
Do you really think you control when you have a password?

And how can you be sure that you're in control and not someone else?

Maybe your password isn't just yours anymore.

Who knows if your information is here:

- The FBI recently seized the domain WeLeakInfo.com for giving users access to data that's gone online. The operation was carried out jointly with the National Crime Agency (NCA), the Netherlands National Police Corps, the German Federal Criminal Police Office (Bundeskriminalamt) and the Police Service of Northern Ireland. The website provided users with access to data from over 12 billion entries (!) containing email addresses, logins, telephone numbers and passwords.  And that's the amount of user data available on just one domain!

The collapse of the password security system has already occurred, but we do not notice it persistently.