Thoughts on Block Stars with David Schwartz

Thoughts on Block Stars with David Schwartz | Ep. 4

May 28, 2020

In the fourth episode of Block Stars, David Schwartz interviews Fabian Eberle and Paolo Gasti, co-founders of Keyless, which is a cybersecurity company that wants to enable a seamless authentication experience in the digital world through cryptography and biometrics.

As with previous posts, first follows a summary, then my thoughts on the episode as a whole. There is A LOT of information, much of which was unfamiliar to me, as I listened. So in my thoughts below, I will also attempt to further explain some things that will hopefully bring a little more clarity into the wonderful information given in this episode.

Episode Summary

Keyless is “a deeptech cybersecurity company innovating and shaking up the authentication and digital identity space”. The company strives to preserve the privacy of users even while using their biometrics and identity to verify and access various accounts digitally. To do this, they have spent a decade of research into biometrics and cryptography and believe they have a good solution to the problem of how we manage and authenticate our identities.

There are several problems with the current methods we use to prove and handle our identities in the digital world today. The first problem is that, since digital accounts are accessed through passwords, if users want to be safe with their multiple accounts (PC, email, social media, etc.), they need to create a different password for each of those accounts. This multitude of passwords must then be memorized by users, and tracked by central servers. These central servers are always in an uphill battle against malicious hackers and scammers who want access to their databases.

The second problem is a layer added on top of the first. As companies seek to ease their user's password management experience, they use biometrics (e.g. facial recognition or fingerprint scanning) or multi-factor authentication methods developed in-house that can't be interchanged with those of other companies (e.g. my Apple ID can't be used to log into my Gmail account). But this, in some ways, just compounds the problem, adding more and more things to need to remember in trying to manage our identities in the digital space.

There are also problems from the perspective of businesses and companies that manage these identities. The daily cost of service is really quite high, as they have to deal with problems from customer service to exploitive attacks (e.g. phishing). Furthermore, it's difficult for companies to migrate to another system, because that migration would often break the current one they are dependent on.

But, if the password problem could be solved, then everything else becomes much easier. From asset management and protection to digital signatures, everything which requires securely identifying a person in order to grant access becomes much easier to deal with.

As Eberle points out, historically, there was and evolution to the way that identity management online was handled. First, there was the “siloed identity”, which means having a username and password for each account. Then, as social media developed, we started using our social media accounts to sign into various platforms. But, of course, while this drastically eased user experience, it came at the cost of privacy and security breaches.

Thus, what Keyless brings to the table is a way for privacy to be preserved while giving users easy access to their various digital identities.

There are still a few hurdles to overcome for mass adoption. If you don't have a good user experience, no matter how secure, then the majority of people just won't use it. The system also needs to be flexible and applicable to any (or ideally all) use-cases, so that users don't need to search for another system, which just adds to the problem. It's also important that users have full control over who has access to their identities, in order for privacy to be protected.

Even professionals in the space, as David Schwartz points out (i.e. himself), are prone to privacy risks when creating and managing identities online. He points out that online users basically pay for online services by giving their information to third-parties (rather than with currency). Everyone says that they care about their privacy, but this care doesn't seem to be reflected in their forays online.

There is some push-back against this, especially recently, as various nations around the world are pushing more into regulating corporations' use of their user data. However, most of the time, these regulations simply add another layer of friction. As an example, Eberle points out that banks that require their customers to authenticate are basically just adding 2-factor authentication on top of username and password, where users have to go from app to app to get access to what they want.

Keyless' approach is different than the above methods. By using a decentralized network of nodes to store user information, there is an inherent guarantee the data could be protected. Because this data is so protected, users can then use any device with access to Keyless' network to authenticate their identity on any service that accepts it. This gives Keyless an advantage in user experience as well, as they no longer require users to hop between many different apps or services.

Paolo Gasti, however, disagrees with Schwartz' implied premise that users have a choice in selling their data in order to access the various parts of the Internet. After all, if a user wants to browse and buy something on Amazon, they have literally no choice but to give their information to Amazon and let Amazon sell that data. While there are certain services like Tor that allow users to have some semblance of privacy, the vast majority of people don't have access to or understand these privacy-centric products.

Furthermore, working with others on upgrading their security and privacy seems to draw out different reactions, depending on whether they've been personally exposed to these problems. In their experience, those who have been hacked or scammed are always and immediately willing to upgrade their systems, while those who haven't don't often see the point.

The conversation then shifts to the COVID-19 pandemic and its effects on how business is being conducted today. There has been, in fact, a dramatic increase of phishing and scamming attacks. People are thus becoming more and more aware of a need for paradigm shifts in the way enterprises and business work in the context of identity and access from remote locations (like home). In this way, this global situation has actually accelerated the use of digital technologies in the world. From Microsoft's own earning's call, as paraphrased by Fabian Eberle:

Two years of digital transformations have happened in the past two weeks

In this environment, secure authentication services which grant such access essentially fill this role. An example would be freelancers, and the kind of access their work requires. Usually, freelancers outsource their work to a lot of different companies. All these companies need to be able to authenticate these workers, “as if that person was on the same room with you”. If you could do this without compromising privacy or security, while again providing a great user experience, it seems like it would be the best solution for everyone.

There are some that are skeptical of the whole concept of using biometric data. After all, if my fingerprint gets stolen, that can do almost irreparable damage to my digital identity. Much of this skepticism is user perception, however. And because of that, trust of the solution (or lack thereof) is essential in helping users acclimate to this new technology.

Keyless solves the security problem through real-time cryptographic protection. Nothing private is ever shared with anyone. It uses a cryptographic technique called zero-knowledge proofs, which is the idea that a person or piece of software needs to be able to prove their knowledge of something without revealing it. As Schwartz puts it:

“If you prove you know the password by revealing the password, then you're constantly revealing the password. If you could prove you knew the password without revealing the password, you don't have to make that painful tradeoff between privacy and security.”

Solution providers have historically either relied on a centralized cloud or a local device to store sensitive data. There are strengths to these separate ideas. In the first, the user experience is more seemless and integrated, less dependent on differences between local devices. In the second, security and privacy is much easier to substantiate.

Keyless combines these strengths through secure multiparty computation. It's complicated (I'll give a slight explanation in my thoughts below), but in all practicality, it means that all information being obtained on a local device isn't stored, and all the information in the cloud can't really be accessed illicitly.

This kind of ease of access will help in all kinds of user experiences, even with cryptocurrency. Currently, crypto wallet holders have the same password problem as anyone else. A system like Keyless allows users to securely access those wallets simply with their biometrics without worrying about privacy and data breaches. In Gasti's words:

The barrier to entry is much lower, the ease of use is much higher, the reliability of a system like this is much higher...all this without compromising in terms of privacy or security because no one can still see you keys, no one can still see your biometrics.

What do we do about scammers? While education and awareness is good for everyone, Eberle offers that Keyless can help with scams as well, since the person who is using their service is never revealing their private information (i.e. passwords) in the exchange. They're simply looking into a camera.

It can even help with crypto exchanges. For example, since users of these exchanges often have more than they're trading with (for conveniency sake), a service like Keyless would really help those users regain control over their non-active finances on the exchange. This changes how much that could be stolen from exchanges, as well as whether if stealing is even worth it or not. These cases won't trump having and actual secure exchange, but it would definitely help.

As the podcast winds down, Schwartz asks both where they see the future going.

Paolo Gasti, in looking at the consumer side of things, sees how privacy and security scandals in recent days have fired up users of those platforms to push for more democratized or decentralized platforms and technologies that are more secure and private. There is potential for this kind of technology to change and speed up the way we sign up for driver's licenses, bank accounts, and other similar things, because they secure our information so well. He even sees governments pushing consumers toward this as well.

For Fabian Eberle, he sees a world where security, privacy, and convenience are no longer at odds with each other. Instead, having all of it as high as possible would be the norm. Giving people control over their own data will not only be required, but enable them to do better business with others. This is Keyless' vision, to help the world towards this better future.

**My Thoughts
**Ok, having written all that: wow, that was a lot. And as I was listening and writing, I realized that there were lots of things I had to go look up to try to understand some of the concepts they talked about. So I'm going to try to explain some of it as well as provide some opinions on it.

**Secure Multiparty Computation
**This links with zero-knowledge proofs that David Schwartz was talking about earlier in the episode, but I think this concept is where it all comes together. If you want a more thorough explanation of how Keyless implements this concept, they wrote an article on Medium discussing it. But here's a simple way to think about it:

As Schwartz explained, when something is secured behind a password, the current way to do so is to reveal that password. And so zero-knowledge proofs is this idea of proving that you know the password without actually revealing it. Secure Multiparty Computation (sMPC) is a way to do this.

Let's think of a scenario: there are four of us in a room, each with a different number. One of us wants to find out what the others have, so they put their number down, scramble it with a random number, and pass it along. Each other person adds in their number, and passes it down until it gets back to the original person. The original person then subtracts the random number from the total, and then gets an average of everyone's number. That average is then shared, so that each party knows whether they're below or above average.

What does this accomplish? By doing this, each person knows how they stack up to the average, and then make a decision based on it. In other words, this allows multiple people (or in the case of sMPC, nodes) to make decisions based on combined data. And by doing so, you've enabled multiple parties (hence multiparty) to compute based on the same set of values without revealing their own secrets.

**The Second Step
**A step they mentioned (but weren't explicit as a secondary part of the whole process) is that Keyless distributes a user's information (e.g. biometric data) across a large, decentralized network. While I assume it is similar to a blockchain, the material I've read hasn't made any definite indications as to how they've decentralized it.

More importantly though, each user's data is completely fragmented so that it's unrecognizable to anyone except each node in the network. So, when a user initiates authentication, that user's biometric scan (i.e. facial scan) is also sent to these nodes so that the nodes can then determine if their little tiny piece matches with the one sent from the user. And if the nodes (I assume at least a large majority) say yes, then the system authenticates the user.

In this way, the network is basically comparing a current biometric scan of a user with a previous biometric scan that the user has already stored on Keyless's network. But critically, each node never reveals the piece they are storing. Any attacker that tries to get the original scan through the transfer can't, because the information is never revealed. And if they try to access each node, then all they'll get is really scrambled information.

**Final Thoughts
**Listening to this episode and learning about all this information was extremely fascinating. I love the clear articulation of the problem of passwords and how Keyless (as a company) intended to solve it. While they repeat the mantra of usability and user experience a lot, I think it shows just how key (yup, pun intended) it is to helping the public into a more private and secure future.

Personally, having gone through multiple password resets, dealing with customer service, dealing with transferring information for multi-factor authentication, if Keyless could offer me a solution that is as easy as signing in with a Facebook account without requiring me to sell my own data to advertisers, all the while being more secure than any other competition, I'll definitely sign up, day one.

And since the United States Congress is deciding to continue to violate privacy laws, I feel a little more hopeful knowing that there are people out there building a future where these violations will be continually out of reach of those who wish to harmfully exploit others in the name of public security.