Are thumbprints key for making digital currencies mainstream?

John Callahan, CTO of Veridium, discusses the future of authentication for cryptocurrencies

This is a contributed piece from John Callahan, CTO of Veridium

Over the last few months, Bitcoin has become the belle of the financial ball: priced at around $1,000 at the beginning of 2017, it climbed steadily, and then exponentially, to over $5,000 in October and to more than $17,000 in early December. According to the New York Times, this latest price spike is likely because Wall Street companies have signaled their interest in the market.

This is a far cry from the early days of Bitcoin, when it was best known for the anonymity it was assumed to offer (in practice, pseudonymity) and as the currency of choice for black-market trade. As banks throw their weight in, signaling not just interest but validation, and more of the financial community invests, digital currencies will become increasingly mainstream. This will inevitably affect areas like user experience, security and liquidity: things that mattered less when the currency was “off the grid,” but that will need to be regulated and organized so people can invest and trade consistently.

One of the biggest hurdles is also, in theory, one of the easiest to solve: authentication, that is, proving that you control the bitcoin you own. Right now, it is not as easy as it would seem.

Today, if you own bitcoin, you prove it by possessing a private key: whoever holds the key can sign transactions that spend the coins. Most people keep that key in a wallet app on their phone, protected by a password or PIN, so they don’t have to handle it directly every time they want to access their funds. What happens if you forget the password, or lose the phone? Then there is the recovery seed, most commonly a list of 12 or 24 words (roughly 100 characters) from which the wallet’s keys can be re-derived, to be typed in to authenticate yourself once again. Burdensome, but it works. Given the importance of this seed, most Bitcoin owners store it separately, perhaps printed out and kept in a file cabinet or safe, which is how most people keep track of important paperwork.

But what if the unthinkable happens? You lose your phone and your house burns down, and suddenly you have neither the original key nor the recovery seed. This is the central weakness of relying on possession of a private key alone: if every copy is lost, there is no issuer to call and no reset procedure; your money is orphaned. Regrettably, this exact scenario happened to a British man who threw away a hard drive containing the key to over $7.5M in bitcoins; he has been searching his local landfill to see if he can find it.

This is sometimes referred to as the “Naked Man Problem”: how do you prove the identity of a person with no documentation, no license, and no paperwork to verify? In the current paradigm, every investor runs the risk, however small, of becoming “The Naked Man” and losing access to their wallet.

To combat this, identity technologists are well on the way to developing new solutions, which they call decentralized key management systems. Critically, these solutions aim to get away from passwords, an inherently insecure method of authentication, especially in an industry like finance where security is so critical. All a password proves is that whoever signed in knew a simple shared secret; it cannot establish who that was, since a secret can be stolen, guessed or reused. Moreover, with all five of the largest data breaches of 2016 involving compromised, stolen or reused passwords, it is clear that we need a better approach.

Two methods are standing out as front runners:

  • Social recovery: This process leans on your trusted network to prove your identity. A person designates trusted people in their inner circle (friends, family, etc.) to hold pieces of their identity credentials (or of the associated recovery credentials) on their devices. The pieces are constructed so that no single holder can do anything with their piece alone, but a chosen quorum (say, any three of five) is enough: if the owner gets locked out, he assembles his “trusted circle,” each with a piece of his identity, to prove who he is and rebuild his credentials.
  • Biometric recovery: Bitcoin owners recover their identity credentials directly (via fingerprint, face or another form of biometric authentication), with liveness detection to defeat spoofing attacks with a photo or a lifted print. Because a biometric cannot be changed once copied, it should unlock stored key material rather than serve as the secret itself. Friends may come and go, but biometrics are relatively stable and may be the foundational backstop to identity credential methods when used in combination with other methods, including social, token and paper-based approaches.
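The “pieces held by trusted people” idea in the social-recovery bullet is usually realised with a threshold secret-sharing scheme. The following is an added example, not code from the article or from Veridium, that splits a constructed 32-byte wallet key into five Shamir shares over a prime field so that any three of them rebuild the key while one or two reveal nothing about it. The field prime, share layout and function names are this example’s own choices, not part of any particular wallet’s design.

```python
import secrets
from typing import List, Tuple

# Field for Shamir's scheme. 2**521 - 1 is a Mersenne prime, so a 256-bit
# wallet key (or even a 512-bit seed) fits comfortably as one field element.
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x)); x is the friend's index, never 0


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Share]:
    """Split `secret` into `shares` pieces; any `threshold` of them rebuild it.

    The secret is the constant term of a random polynomial of degree
    threshold - 1 over GF(PRIME); friend i receives the point (i, f(i)).
    """
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    secret_int = int.from_bytes(secret, "big")
    if secret_int >= PRIME:
        raise ValueError("secret too large for the field")
    # Coefficients come from the OS CSPRNG; the constant term is the secret.
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_int(shares: List[Share]) -> int:
    """Lagrange-interpolate f(0) from the shares given.

    Below the threshold this returns a uniformly random-looking value, not an
    error: fewer than `threshold` points carry no information about f(0).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        lagrange = num * pow(den, PRIME - 2, PRIME) % PRIME
        total = (total + yi * lagrange) % PRIME
    return total


def recover_secret(shares: List[Share], secret_len: int) -> bytes:
    """Rebuild the secret as bytes; fails loudly if the result cannot fit,
    which is the usual symptom of too few (or corrupted) shares."""
    value = recover_int(shares)
    if value >= 1 << (8 * secret_len):
        raise ValueError("recovered value does not fit: too few or bad shares")
    return value.to_bytes(secret_len, "big")


def demo() -> bool:
    # Constructed 32-byte "wallet private key" for illustration; not a real key.
    key = bytes.fromhex("0f" * 32)
    pieces = split_secret(key, threshold=3, shares=5)  # five friends, any three suffice
    # Two friends are unreachable; the remaining three rebuild the key.
    rebuilt = recover_secret([pieces[0], pieces[2], pieces[4]], len(key))
    return rebuilt == key
```

Two practitioner caveats that the scheme itself does not cover: each share should be encrypted to its holder’s device and carry an integrity check, because a colluding or compromised friend who submits a corrupted share makes interpolation silently yield the wrong key; and the threshold must be chosen so that losing a few friends (or a few phones) does not recreate the Naked Man problem one level up.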

The rapid rise of Bitcoin shows great promise for the lasting impact of cryptocurrencies, but ultimately, their popularity, adoption and success will rest on their usability and security. Typing in a 100-character recovery code is burdensome and error-prone, and it exposes the seed every time it is entered; people, and perhaps institutions, will be less inclined to adopt if recovery is not simple and straightforward.

Ultimately, as the cryptocurrency market solidifies and becomes increasingly structured, many outstanding issues will need to be addressed, but at the top of that list should be authentication and recovery.