Identity on the Internet
2020-07-20
Identity is a difficult subject. I deeply value my privacy and anonymity both in real life and online, in certain situations, but I recognize the necessity of having a unique identifier for individuals. Sometimes we need to be absolutely positive that we are dealing with the right person, and just taking a username/password combination, asking their name, or some other means of verification simply won't cut it.
Keybase ID is a new authentication and identification library that relies on Keybase to verify a user's identity, and then uses Keybase, GitHub, and Twitter APIs (when possible) to score the accuracy of that user's identity on a scale of 0-100. A higher score indicates a higher level of trust in a user's identity, and a lower score indicates a lower level of trust in a user's identity. A user's identity score is calculated by looking at the various proofs associated with their Keybase account and scoring them based on characteristics like age of account, number of followers, total number of proofs, and average age of proofs.
The Problem
Right now, identity on the internet sucks. It seems like every service wants your email or phone number when you sign up, and a lot of those services require an email or phone number from a reputable provider (GMail, Yahoo, Outlook, AOL, etc.). If they don't want your email or phone number, then maybe they want you to sign in using your Google, Twitter, or Facebook account, which you had to sign up with using an email or phone number from a reputable provider. Now, to get an email from most of these reputable email providers, you have to provide and verify a phone number when signing up. Do you see how this all starts to become a problem?
The problem becomes amplified when you combine this fact, that most services are essentially reliant on your email and/or phone number, with the fact that the email and telephone systems are flawed communication protocols not designed with security or identity in mind. SIM swapping is a widely known and abused tactic for essentially stealing phone numbers. SIM swapping can happen to basically anyone with a phone number and there is no real solution in sight, as far as I am aware. Email falls victim to the same username/password vulnerabilities as any other website or application, but we also have to avoid un-Godly amounts of malicious, spam, fraud, and phishing emails like a minefield. DMARC has been a step in the right direction in helping with malicious emails, but email is still subject to the problems mentioned.
If you're not using a phone number or an email address to sign in to a website or service, you're most likely using a username and password combination. That is, if you're not using a username and password, combined with either a phone number and/or email address for backup access to your account, in case you lose your password (because you have to keep up with so many). A username and password combination, unfortunately, does very little to actually verify someone's identity, so they aren't especially useful in situations like banning ToS abusers or limiting a service/product to one per person.
Another simple fact is sometimes people just want to change their email, phone number, or social media accounts, and they should be able to do that anytime they want. That doesn't necessarily mean that person is changing their identity, even though it could, but now they must update these values on related websites if they are used in an important manner, like for logging in or resetting passwords. The idea that I am my phone number or email, is a ridiculous concept, but it truly has been the best thing we've been able to come up with so far.
So, internet identities suck. Which sucks, because the internet has a serious troll and bot problem. Even when using all of the above mentioned methods of identifying someone, combined with additional fingerprinting techniques using things like IP addresses and hardware/network metadata, it's still not enough to stop trolls and bots from creating accounts en masse. There's never going to be a sure fire method of identifying unique users online, while still maintaining a user-friendly and privacy-oriented experience, but maybe there can be a middle ground for certain applications and services.
The Solution?
First we have to establish what an actual online identity could or should look like. Email and phone numbers have mostly been chosen because they're speedy and (somewhat) reliable forms of communications, meaning services can send a message and expect a user to read and provide a response within minutes, "proving" ownership of that device or address. We have established this isn't so much as proving your identity, so much as proving access to that device or address.
An online identity might better be described as the amalgamation of all of a person's public content under a persona; mobile devices, PCs, social media accounts, PGP keys, video game accounts, etc. including email addresses and phone numbers. But, let's pretend that you are a young, 13 year old new to the internet, ready to wreak havoc, and you don't have any of those things. Normally, you would probably start by creating an email address, possibly even having to provide a phone number to do so. But where else could someone go?
Keybase is a cool company that launched in 2014 that aims to make crypto easy and accessible to the masses. What does that mean exactly? Well, it originally started as a sort of key directory service, providing cryptographic proof of ownership of hardware devices and social media accounts. This includes everything from PCs and mobile phones, to Twitter, Github, and Reddit accounts, along with less well-known accounts like custom domains, Bitcoin accounts, and Mastodon accounts. While it still does these things, it also now provides encrypted chat, encrypted file hosting services, and also created the Saltpack crypto message format, which we'll talk more about later. Overall, a neat company, with a cool product and goal (and they were just acquired by Zoom, random fact).
Maybe Keybase could be where people go first to start their journey on the internet. The software is open source and based in cryptography, and, as of right now, Keybase does require an email address when signing up, but does not require verification of this email. Keybase could be the place where identities form, and is then used to sign up for emails, social media accounts, and everything else we do on the internet. The connection between these accounts, physical devices, crypto wallets, and more, all being proven securely and cryptographically using Keybase. Your Keybase account and all its connections would be your identification, and proving ownership of that Keybase account would be your authentication, which could be done doing something like verifying Saltpack signed messages.
In the real world, identity is formed with more concrete documents, such as drivers/state licenses, passports, and birth certificates, and these documents are often required to be picked up and verified in person. In this example, Keybase might be comparable to a birth certificate; crucial in proving that you are alive and an identity, but by itself not entirely useful. But when you start to combine that birth certificate (Keybase) with other forms of verification, such as a driver's license (Twitter), passport (GitHub), library card (Reddit), credit card (Bitcoin wallet), and more, we start to get a pretty complete picture of an identity, and can be pretty certain that we are dealing with someone. If we were to look into more details on these "documents" (accounts), such as age of these accounts, average followers of these accounts, and age of when these were verified on Keybase, these might provide even more confidence that this person is who they claim to be.
Keybase ID
Keybase ID works by first proving ownership of a Keybase account, followed by creating an identity "score", known as their Keybase Score (KB Score), based on various details from that Keybase account and the proofs that are associated to it. If a user fails to prove ownership of their Keybase account, or their KB Score does not meet the minimum score requirement specified by the application using Keybase ID, the user is denied access.
Keybase account ownership is proven using the Saltpack crypto message format. The application using Keybase ID will generate a random string (e.g. a uuid) which a user must then cryptographically sign as a Saltpack signed message using their Keybase client. The user will then copy the Saltpack signed message, and paste it into the application login screen, along with their Keybase username. The application will submit the randomly generated string, the signed message, and the username up to the server for processing using the Keybase ID client. If the Saltpack signed message is verified by Keybase as having been signed by the username sent up, and it matches the random string that was sent up exactly, then the Keybase ID client moves on to the next part, of scoring. Otherwise, the user has failed to prove ownership of that Keybase account, and is denied access right there.
Once a user has proven they own a certain Keybase account, the Keybase ID client must now go through their Keybase profile and grade their identity based on: how many proofs they have, what kind of proofs they are, the age of the proofs, and how many followers they have on the various accounts. These properties are all graded on individual scales and the scores are then combined to get the total KB Score.
Complexities
Some people actually have more than one identity in real life. These other "identities" often take the form of something physical, like a business, with a tax ID, but they could also be something more abstract, like a group of people or a pseudonym used for an author. So when I speak of an online identity, it's my belief that a person can hold many identities online just as they do in real life and that these can be both physical and abstract identities.
Another important point I'd like to make, the goal of Keybase ID is not to attach your online identities to your real life identities, but to attempt to formalize and standardize what a voluntary identity across the internet could look like. Rather than rely on a single email or phone number, Keybase ID relies on several independent sources of verifying your identity and a composite score across all of these sources. Keybase ID will continue to grow and evolve as more sources and platforms are added to Keybase.
Finally, creating the scoring system was by far the most intricate part of this project, and I'm sure there's much room for improvement. The metrics and scales chosen for scoring are all based off my personal opinion and could obviously use some outside perspective for balance.
More Information
I briefly mentioned the idea of signing up for or logging into services using other accounts like Google, Twitter, and Facebook, and I'll expand a little on that now. Typically these 3rd party authentications are done using two services, OpenID for identification and OAuth for authentication. OpenID has been a pretty solid start at solving the identity problem on the internet, and a short write-up about OpenID can be found on their website here. One of the problems with OpenID, as stated in the first line of that link, is that it requires an existing account on another site already, and one of those accounts will have to have been setup using either emails, phone numbers, usernames and passwords, or some combination of those.
This article was recently posted to IEEE Spectrum and is a Q&A with several cryptography legends about some of their work, and their thoughts on where the future of authentication on the internet might be headed. Of particular interest, near the end of the article, the experts start talking about secure enclaves being added to CPUs (like SGX), which they mention could be used to store private keys and other related cryptographic information. These enclaves which can store and execute code and data in a secure manner being available to the masses, could potentially give more options to users when it comes to how they identify and authenticate themselves to services online. Beyond Identity was a new company mentioned in that article, founded by one of the people being interviewed, and they appear to be actively working towards a solution involving these secure enclaves and public key cryptography. A little more information about how Beyond Identity works can be found here.
Last, but not least, Moxie Marlinspike gave a pretty good talk at the 36th CCC about centralized vs decentralized app infrastructure, titled The Ecosystem is Moving. The whole talk is interesting and recommended watching, but not entirely related to authentication or identification specifically. I'd like to particularly point out Marlinspike's response to a question about why Signal still requires a phone number, which can be found at this point. Marlinspike talks about how social apps require a social network, information about where your social network is typically stored, and about "blowing up your social network" when changing things like email provider, versus switching from WhatsApp to Telegram or Signal. Marlinspike briefly mentions the idea of blowing up your social graph in that response, but goes more indepth during the talk around this mark. These are just some additional points to consider, when pondering how centralized and decentralized systems can play into authentication.
Saltpack Verify
As a side note, I also created a page that allows people to verify Saltpack signed messages online, without having to have a Keybase account or client installed. That page can be found here. It seemed a little crazy to me that there wasn't something like this already online, but that may be a testament to how little Saltpack is used in the real world. Maybe that page will help adoption of the message format by allowing new users to read and verify messages easily online. Simply paste the signed message into the page and hit submit. More information can be found on the page, including a link to the source for the AWS Lambda it calls out to.
Conclusion
I doubt we'll find a "perfect" solution for authentication and identification on the internet anytime soon, but it's good that companies like Keybase and Beyond Identity are working to change that, and offering the tools and APIs to allow ideas like Keybase ID to come about. All of these attempts at authentication have their own problems and trade-offs, and there's nothing saying that there has to be one prevailing standard. Apps and services will need to determine their individual needs and expectations from users, and choose the authentication method(s) that suit them. I'd also like to see Keybase look into storing private keys in secure enclaves when possible, falling back to disk storage when not possible, and I'm curious how Beyond Identity is going to share identity information between devices.
I don't claim to be a security or crypto expert, by any means. Sometimes, I just like to try weird, crazy ideas to see how far I can take them. It's very possible that this entire premise is flawed in some extremely obvious way that I was just too blind or inexperienced to see. I would love to hear some outside opinions on this project and see some pull requests or issues in the repos. If you have ideas on how this can be improved, why it is total trash, or other opinions on the state of identity on the internet, I'm all ears. Hit me up on Twitter @rickjerrity, make issues in the repos, or get creative in reaching out, it's all the same to me.
Soundtrack
Got some 🔥 tracks this time around, so let's get to it. Here's what I've been playing: