Usernames and Passwords to be Replaced with OneID
OneID is trying to eliminate the need to memorize usernames and passwords by replacing them with just… one ID, similar to how users can log in to sites with their Facebook account. However, users do not feel safe giving away their information that easily (but they’re OK with Facebook holding their information?).
Currently, Steve Kirsch, founder of OneID, is presenting this to the U.S. Treasury and top Fortune 500 companies. However, he does have a chance, as his idea may be a revolutionary jump for all websites that integrate this new sign-in feature. OneID lets users forget about having a username and password and instead sign in with another device, which approves authentication based on their security input. Instead of having hundreds of different sign-in names, you will have only one, without having to memorize anything other than a custom PIN to allow access.
It works by letting a user accept sign-ins, and the collection of information by sites, on an external device. This is how it knows the difference between you and an intruder trying to access your account. Kirsch mentions that there is a possible way to confidently answer the question: “How do I know I am really safe when I sign on to a website?” OneID has no central database service, which gives hackers no reason to go after its information.
OneID uses a fully encrypted cloud repository, advanced elliptic curve asymmetric cryptography, digitally signed transactions with tokenized payment sources, dual device classes providing out-of-band authentication, and security guaranteed through the use of three independent public keys. There is no centralized storage of data and no single point of failure or compromise, making OneID impervious to centralized breaches. –OneID.com
Its main feature is not just user security. Any site that uses OneID to sign in its users is also more secure, as it has little connection to its users’ authentication information. The sign-in cycle is as follows:
- The user’s device sends digital signatures to the website, proving that the user owns the OneID.
- The site confirms through the OneID service that the user’s OneID and associated device are valid.
- Sites can customize the security level by choosing to require additional user confirmation for any OneID transaction (sign up, sign in, checkout, or other payments). Users may also customize security for OneID transactions by device, website, and transaction type.
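
The sign-in cycle above can be pictured as a signature challenge-response. The sketch below is an added example, not OneID's code or protocol: it assumes a generic ECDSA P-256 exchange in Node.js, and the `registry` map, function names, device ID and site names are hypothetical stand-ins for the validity check the OneID service performs.

```javascript
const crypto = require("crypto");

// Hypothetical stand-in for the validity lookup: deviceId -> { publicKey, revoked }.
const registry = new Map();

// Enrollment: the key pair is generated on the device; only the public key is registered.
function enrollDevice(deviceId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  registry.set(deviceId, { publicKey, revoked: false });
  return privateKey; // never leaves the device
}

// Site: issue a fresh random nonce for every sign-in attempt.
function newNonce() {
  return crypto.randomBytes(16).toString("hex");
}

// Device: sign the site name together with the nonce, binding the proof to one site.
function signChallenge(privateKey, site, nonce) {
  return crypto.sign("sha256", Buffer.from(`${site}|${nonce}`), privateKey);
}

// Site: check device validity, then nonce freshness, then the signature itself.
function verifySignIn(deviceId, site, nonce, signature, usedNonces) {
  const entry = registry.get(deviceId);
  if (!entry || entry.revoked) return false;   // unknown or revoked device
  if (usedNonces.has(nonce)) return false;     // replayed challenge
  const ok = crypto.verify("sha256", Buffer.from(`${site}|${nonce}`), entry.publicKey, signature);
  if (ok) usedNonces.add(nonce);
  return ok;
}

// Constructed scenario: one good sign-in, then three attempts the site must reject.
function demo() {
  const used = new Set();
  const key = enrollDevice("phone-1");
  const nonce = newNonce();
  const sig = signChallenge(key, "shop.example", nonce);
  const out = {};
  out.valid = verifySignIn("phone-1", "shop.example", nonce, sig, used);
  out.replay = verifySignIn("phone-1", "shop.example", nonce, sig, used);
  const n2 = newNonce(); // signature made for one site, presented at another
  out.wrongSite = verifySignIn("phone-1", "other.example", n2, signChallenge(key, "shop.example", n2), used);
  registry.get("phone-1").revoked = true; // device reported lost
  const n3 = newNonce();
  out.revoked = verifySignIn("phone-1", "shop.example", n3, signChallenge(key, "shop.example", n3), used);
  return out;
}

console.log(demo());
```

The site stores only a public key, so nothing it holds can be used to sign in elsewhere, and revoking a device in the registry invalidates it without any password reset.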
To further strengthen security, OneID providers must be approved before allowing a site to hold users’ information. The information is useless to an attacker, however, because it is encrypted in the system: if hackers somehow access it, they might as well delete what they obtained, as it gives them nothing of use. Individual users’ devices are the only ones that have the decryption keys. Beyond security, this also helps users avoid entering credit card information multiple times for different sites. Their OneID has all the information they need, accessible and changeable only by the users themselves.