Blockchain ID For Mobile Bypasses Phone Operating Systems
Rivetz Corp. is a provider of decentralized mobile security solutions. It is working on a hardware-based cybersecurity method for digital identities in partnership with Agrello, which offers blockchain-based legal technology and digital identity services. That includes cryptographically secure digital identities that users employ to identify themselves anywhere online. The Agrello ID service can be used to sign contracts or complete Know Your Customer (KYC) processes in seconds.
Rivetz provides built-in protection of access credentials both to update and to assert user identities. The Rivetz toolkit provides access to the Trusted Execution Environment (TEE), which is built into most modern mobile devices.
The collaboration will create self-sovereign identities that are protected by hardware, providing a proprietary cybersecurity mechanism to help users navigate and engage with protections and assurances that are delivered by blockchain technology and trusted computing. Using the Rivetz innovation, the Agrello ID application will be able to bypass a user’s phone operating system and thereby the potential malware installed on it, providing protection from identity theft, data breaches, and most cyber-attack vectors.
Rivetz CEO Steven Sprague talked with Block Tribune about the partnership.
BLOCK TRIBUNE: This seems like an obvious flaw. Why didn’t the device manufacturers foresee this type of security feature?
STEVEN SPRAGUE: Theft of phone numbers is a carrier issue, not a manufacturer issue. The SIM has traditionally been the primary way to protect carrier identity, but it has not been effective for providing user authentication to apps. Today we “borrow” the SIM identity to do 2-factor authentication (2FA) and register a device, because apps have no security. Originally, Apple chose to copy the AOL model for apps with usernames and passwords, and not the BlackBerry model of registered device. It has turned out that it was great for mobile adoption for Apple, but a train wreck for security. The embedded security model, launched in PC’s first, is now penetrating all of mobile with over a billion devices enabled to date. It is time to put embedded security to work, and blockchain and IoT will be the technologies that launch that evolution.
BLOCK TRIBUNE: What percentage of people deal in crypto via mobile devices versus other means? Any stats on that?
STEVEN SPRAGUE: There are no hard numbers, but most people who deal in crypto have both mobile and desktop wallets. Based on our customer support models, it is probably 40% mobile.
BLOCK TRIBUNE: Similarly, any idea how much information currently on blockchains might be invalid or somehow compromised?
STEVEN SPRAGUE: Every story you hear of a lost or stolen private key creates invalid data on the blockchain. While a chain holds data immutably, there are no controls that prove the data on the chain was intended. This is a significant weakness for all of the cyber security controls and one that Rivetz is addressing. The ability to encode provable data on a chain will be critical for many of the proposed utility models. Decentralized cybersecurity is required to make crypto work.
BLOCK TRIBUNE: Are there other uses for this tech beyond crypto trading?
STEVEN SPRAGUE: User authentication to mobile service can be based on device registration, not username and password. Think of it like 2FA built in, with no SMS code or authenticator app required. Authentication can be built in. You log into your device your device logs you into the world. Secondly, the IoT needs your phone to hold the access keys. For example, it’s cool that the Marriott enables electronic doors your phone can unlock, but it’s not cool that the keys in your phone can be stolen. It is time to ensure that a mobile device can hold a secret. The operating system is not a safe place. It’s why both Apple Pay and Samsung Pay leverage the Trusted Execution Environment (TEE) to protect your money. They know you can’t protect it with the OS alone.
BLOCK TRIBUNE: Are you planning any outreach to retailers on this?
STEVEN SPRAGUE: Rivetz is part of the National Cybersecurity Center of Excellence supporting multi-factor authentication for retail ecommerce. Every shopping cart should support Trusted Execution-based authentication and provide a safer and simpler shopping experience. It is time to enable the components that will actually reduce and eliminate most online fraud. It worked in mobile in 1994 — enabling a SIM chip in a mobile handset reduced the cloning of mobile phone accounts effectively to 0 for 20 years.
BLOCK TRIBUNE: Is this interoperable with existing blockchain technologies?
STEVEN SPRAGUE: Yes, a mobile wallet can provide hardware-assured protection of the private keys and the formation of secure instructions. The use of advanced features such as trusted display can assure that what you see on the screen is the transaction that got signed. Rivetz is focused on providing the most advanced tools to enhance these capabilities and enable mobile security for all of blockchain.
BLOCK TRIBUNE: Will there come a time when devices that don’t have your protection may not be allowed access to certain things?
STEVEN SPRAGUE: No, I think that users will ultimately think of safety as a competitive feature. To compare it to cars, consumers will hopefully choose to have one with airbags instead of a Pinto.