Passwords Suck

by David Cowden

The Internet Identity Crisis

The internet is going through a weird phase. Popups are back in style. Page loads are slow and interaction is surprisingly sluggish. Ads are everywhere. Search is less relevant (if you can even be bothered to scroll down far enough to reach the actual results). Reviews on big-box sites can’t be trusted and product review “blogs” are SEO-gamed, affiliate-link-ridden shills. “Social” “media” is anything but. Streaming services have become so similar to the cable they convinced you to cut that people are torrenting movies and shows again. It feels something like 2003. And, to top it off, you’re probably still using roughly the same email and password as you were back then.

Of course there’s also a lot of valuable content and functionality on the internet—it’s not going anywhere. But in order to interface with the internet people are using the same process and technology they were 20+ years ago. Passwords made sense once upon a time as a simple solution for a young system. But since then we’ve also learned how poorly they solve the problem of keeping people secure online. Humans just aren’t good at remembering the amount of entropy required to constitute a strong password. So people end up with weak and/or reused passwords.

At Uno, we’re on a mission to make it safer and easier for everyday users to access the internet. The biggest threat to account security is a weak password. Users deserve a more secure, password-free experience that’s as simple and human as possible. So, we’re serious about entirely eradicating passwords. Passwords suck!

An Identity Manager

With the arrival and proliferation of biometric auth and an overall increase in operating system and platform security, the landscape looks very different than it did 20 years ago. While passwords are still everywhere, the technology has arrived to implement better authentication experiences. It is time to introduce users to a better authentication experience.

It would be awesome if we could jump straight into a password-free WebAuthn future, but we can’t. Despite being readily available in major browsers since circa 2016, WebAuthn has struggled to take off. WebAuthn is fighting an uphill battle: it changes both the mechanism by which sites authenticate users and the fundamental password-laden experience (UX) that users are accustomed to, at the same time. WebAuthn is undoubtedly a key part of the solution as a protocol, but the reality is that the kind of hardware-key or device-platform authentication WebAuthn enables is an entirely foreign concept to people who have been using passwords for years.

Additionally, while the WebAuthn protocol technically can work anywhere, it’s really only beginning to become accessible in the browser realm. Historically, browsers haven’t exactly excelled at handling anything other than simple password auth. For instance, the browser client-certificate flow is essentially a product non-starter from a UX standpoint. The WebAuthn flow is an improvement, but arguably browsers aren’t really equipped to also serve as polished credential managers and authenticators (or if they think they are, they haven’t demonstrated an ability to do so). And, even if browsers nailed the UX, fundamentally, identity transcends individual browsers and platforms.

Uno is building an identity manager. Just as users can’t parse hypertext with their eyeballs and instead depend on a browser to render content, we believe users need an agent working on their behalf to bridge the gap between passwords and the strong PKI-based, biometric-integrated, device and platform auth of the future. People are familiar with the experience of using one credential everywhere regardless of the platform or browser they are using, so that is how the agent must present the experience to users. The agent then handles all credential and device management, TPM/HSM and biometric platform integration, account recovery seed management, etc. on behalf of the user.

If passwords suck, why does Uno handle them at all? The reality is that there is a long road in front of us before we achieve 100% WebAuthn-style authentication. So a practical identity manager must compromise and meet the industry where it’s at, for now. Plus, we want to develop good habits in users even when just auto-filling passwords, and then we’ll handle the transition in stride.

Design Overview

There is a lot to talk about regarding our thought process both technically and ideologically. We will cover all that in upcoming blog posts, documentation, etc. For now I will summarize the key aspects we kept in mind while designing the Uno identity manager:

  • Modern cryptographic algorithms: 256-bit Curve25519 elliptic-curve cryptographic primitives
  • No bearer token authentication: all interactions with our service are authenticated at the application layer using our PKI
  • Social recovery-seed storage: users are not a single point of failure, no printers and safe deposit boxes needed
  • User friendly and practical, even at the expense of arguably perfect, brutally paranoid, security if necessary
  • Community auditable and safe: security relevant portions (and ideally the entirety) of the application are open source and written in modern memory-safe languages
  • User-agent centric: the server is little more than the infrastructure necessary to facilitate end-to-end encrypted application logic
  • Users own their data: core business cannot depend on an implicit exchange of user behavior monitoring for identity management services
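To make the “no bearer token” and Curve25519 bullets concrete, here is an added illustration (example code, not Uno’s own implementation) of application-layer request authentication with Ed25519, the signature scheme over Curve25519: the user agent signs the method, path, timestamp and body hash, and the server holds only registered public keys, so nothing it stores can be replayed as a credential. The Request type, field names, endpoint and 30-second replay window are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Request is a hypothetical API call that carries its own proof of origin; nothing in it is a secret.
type Request struct {
	Method, Path, Body string
	Timestamp          int64 // unix seconds, bound into the signature to limit replay
	PubKey             ed25519.PublicKey
	Sig                []byte
}

// canonical binds every field the server acts on into the signed bytes, so tampering with any of them breaks the signature.
func canonical(method, path, body string, ts int64) []byte {
	h := sha256.Sum256([]byte(body))
	return []byte(fmt.Sprintf("%s\n%s\n%d\n%x", method, path, ts, h[:]))
}

// Sign runs in the user agent: the private key never leaves the device.
func Sign(priv ed25519.PrivateKey, method, path, body string, ts int64) Request {
	pub := priv.Public().(ed25519.PublicKey)
	return Request{method, path, body, ts, pub, ed25519.Sign(priv, canonical(method, path, body, ts))}
}

// Verify runs on the server, which stores only registered public keys (hex); a leaked database yields nothing that can authenticate.
func Verify(registered map[string]bool, r Request, now, skew int64) error {
	if !registered[fmt.Sprintf("%x", r.PubKey)] {
		return errors.New("unknown key")
	}
	if d := now - r.Timestamp; d > skew || d < -skew {
		return errors.New("timestamp outside replay window")
	}
	if !ed25519.Verify(r.PubKey, canonical(r.Method, r.Path, r.Body, r.Timestamp), r.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	req := Sign(priv, "PUT", "/v1/vault", `{"item":"example"}`, time.Now().Unix()) // constructed sample call
	fmt.Println("verify:", Verify(map[string]bool{fmt.Sprintf("%x", pub): true}, req, time.Now().Unix(), 30))
}
```

Contrast this with a bearer token: the server must store (or be able to derive) the very value that grants access, and anyone who captures the request on the wire can reuse it verbatim.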

When looking at other projects, we took some cues from Signal, one of the most visible and effective PKI-backed consumer applications available today. If the identity manager we have designed can do for the credential storage experience what Signal has done for secure messaging, it will be a success.

We hope this overview serves as an initial window into our ethos and philosophy regarding user identity. We have a high bar and are committed to providing a practical and secure identity-agent experience in order to hoist users out of the current password rut.

If you're interested and want to read more, check out some of our more in-depth thoughts on engineering and design in the cryptographic identity space:

Summary

Uno has built the world’s first identity manager. An identity manager helps you maintain your digital identity. It protects your digital fingerprint with state-of-the-art biometric validation. It allows the custodial responsibility for your identity to be shared among trusted friends and family so that you are not a single point of failure. Importantly, your identity does not change based on the operating system you happen to be using or the manufacturer of the device at hand. In that way, it plays a role similar to a browser as your user agent. It’s simply a helpful piece of software that allows you to effectively maintain your digital presence across a wide variety of websites, blockchains, devices, and platforms.
