In 2021, internet user authentication hasn't evolved since the invention of the digital password in the early 60's. Its inventor, Fernando Corbató (1926 - 2019), would even say that "it's a nightmare" as its flaws are numerous.
As far as user identification is concerned, the observation is the same: nothing has changed since the appearance of web forms in 1995. Every day, we fill in dozens of form fields, tirelessly repeating our e-mail, our first and last name, our postal address, etc.
We are facing two huge problems here, two pain points that we need to solve. In 2021, we are capable of launching reusable rockets into space that come back to land by themselves, or paying for our groceries with a simple wrist gesture using a smart watch capable of predicting a heart attack or measuring oxygen saturation.
But on the other hand, authenticating ourselves on a website or an app has been the same torture for almost 30 years.
2. The password is a pain in the ass
So, for almost 60 years, mankind has been dealing with the concept of the password, originally designed so that MIT researchers could share the same computer while keeping their work private. No one had a clue at the time that this tinkering would serve as a pillar of the security of our hyper-connected world almost half a century later.
But everyone got used to it; we deal with it. Except that it causes a lot of issues: having to create and remember an ever-growing number of passwords gave rise to "password fatigue". It describes the feeling we have when we need to invent and remember too many, ever more complex passwords.
Password fatigue contributes to stress and encourages users to reduce the strength of their passwords in order to decrease this fatigue and the stress involved.
So it's obvious that the password isn't working anymore. We tried everything to make it stronger, more secure, more pleasant: password managers, security codes sent by e-mail or text, two-factor authentication apps, etc.
None of these methods is sufficient. Password managers add more problems than they solve:
- No room for error: forgetting the master password guarantees losing all control over all our online accounts.
- Complexity: it's impossible to log in from a device you don't own without installing the right software or copying an extremely complex password by hand.
- Privacy: the company that publishes the password manager has access to the list of all websites and apps where you own an account. The same goes for the list of all your passwords, since this is the entity that generates them.
- Security: in case of a hack, it's the entirety of your online presence that is compromised.
- Fatigue: the need to maintain a master password makes the whole concept of password managers vulnerable to password fatigue, because most users don't choose a strong enough password to secure their list of generated passwords, which makes the scenario in the previous point more likely.
As for the other methods, who loves logging into a website with the correct password and seeing on the screen "Suspicious login, please validate your login attempt by clicking the link we just sent you by e-mail"?
Not to mention all these services that we use once a year and for which we completely forget whether we have an account or not:
- Create an account: "An account with this e-mail address already exists, please login"
- Login: "Invalid password"
- Forgotten password: "A link has been sent to you by e-mail"
- Crafting a new password: "The new password must be different from the previous one"
We have all experienced something like this at one time or another. We are stuck 60 years in the past and it needs to change.
3. Forms are outdated
Google, Facebook, Amazon and other tech giants are capable of knowing our lives in great detail: targeted ads, personalized search results or GPS route suggestions.
Sometimes we almost become paranoid when, after talking about some product or brand with friends, the first ad we see on Instagram is precisely for that product or brand.
However, with each order on an e-shop, we're asked to fill in our physical address. With each registration on a new app, we need to fill in our e-mail, our full name, and a new password again.
It bothers users and they let it be known: 28% of abandoned carts on e-shops are abandoned because account creation is required to complete the order. Who has never tried to sign up for a newsletter, an online course or a loyalty program but gave up when faced with the length or complexity of the registration form?
All these repetitive actions should be automated, and forms relegated to relics.
Of course, some alternatives exist: the famous "SSO" or, more commonly, "Login with...". These systems, which are mainly offered by GAFAM, solve a small part of the problems mentioned above, but they are not the right solution:
- Most of these systems only share your e-mail address and sometimes your full name, but most of the time you still need to fill in your physical address, your phone number or your birth date.
- Our privacy is at stake, because this kind of service allows GAFAM companies to know ever more about us and our habits. Users' trust in these companies is constantly decreasing, and with it the appeal of these so-called alternatives to passwords.
- As with password managers, you still need a "master password" and there is always a saved list of every website and mobile app to which this unique account gives you access. If your Facebook or GMail account is compromised (a highly likely scenario, as most internet users set weak passwords for this kind of service), all your associated logins are at risk at the same time.
For all these reasons, "SSO" and "Login with..." alternatives are still not the right solution to our problem of forms and passwords, despite being easy to use and offering a cool user experience.
In order to solve these problems, we need a sovereign, privacy-by-design platform, capable of transmitting this information only with our agreement to the websites or mobile apps that we use on a daily basis.
This solution is JustAuthMe, and here are the details:
a. The form
JustAuthMe is a complete ecosystem that allows identification AND authentication of a user through simple, secure and private protocols.
The app, during its first use, asks the user for their e-mail address and their identity (first name and last name). This is the only information required to make the app work (no password!).
Then, each time the user sees the "Login with JustAuthMe" button on the internet, they can click on it and use their smartphone to validate the login by scanning a QR-Code.
Thanks to the biometric sensors in smartphones, the user can, in 8 seconds, log in (even if they do not have an account yet) to any online service without filling in any form or password, ever.
Thanks to JustAuthMe, the very concept of the password has disappeared. This is not a disguised password manager but an all-new, innovative technology that allows registration and login for anyone, anywhere, anytime, in 8 seconds flat, with the same nice and smooth user experience on any device and any operating system, whether or not the user owns the device, from a desktop or a mobile device, anywhere in the world.
With JustAuthMe, user experience has reached its maximum. But what guarantees the major breakthrough over existing systems?
Compared to existing alternatives to the password problem, JustAuthMe made breakthroughs on multiple points:
- Thanks to QR-Code and Deep-Linking technology, the JustAuthMe ecosystem works in exactly the same way in any context or on any system. In less than a second, the JustAuthMe app is capable of knowing the details of the login attempt and presenting them to the user so that they can validate or reject the login.
- Thanks to the advent of biometrics and to breakthroughs in the cryptographic field, JustAuthMe allows strong and secure user authentication in less than 2 seconds, without needing anything from the user except holding their phone in their hand.
- In addition to providing the user's e-mail address to the services they log into, JustAuthMe offers a true digital identity system that allows its users to share, depending on the targeted service, their birth date, birth location, street address, company name (e.g. for a professional account) or even their job title.
- As the concept of the password has vanished, JustAuthMe does not use any "master password". Everything happens thanks to the biometric sensors of smartphones. If these sensors have allowed us to make contactless payments without any spending limit for many years now, it's because the world's biggest banks trust the manufacturers of said sensors. Our mindset is that if such a level of trust is granted to them by such companies, it must be possible to use them to log into a website or a mobile app.
JustAuthMe has been designed in such a way that it never invades its users' privacy. The JustAuthMe team does not, at any time, have access to the users' identities or even to the names of the services they log into:
- All the information collected by the app is saved only on the user's smartphone and is never stored on the JustAuthMe servers.
- JustAuthMe assigns a unique identifier to every user of the app. This identifier is anonymous and is only shared between the JustAuthMe core server and the user's smartphone. Every service the user logs into with JustAuthMe receives a derived version of this identifier, making cross-service matching impossible; this guarantees the user's anonymity and not mere pseudonymity.
- In order to track changes of e-mail address and because we need to guarantee the previous point, JustAuthMe stores a hashed version of the user's e-mail address. This hashed version allows JustAuthMe to recognize a user if they change their phone or uninstall and then reinstall the app, all without storing any personal data.
- In order to send the right derived unique identifier to the right service, JustAuthMe stores a degraded list of logins to the services that implement its solution. Thanks to a hashing process similar to the one described above, the JustAuthMe systems can, during a login, determine whether this user has already logged into this service before, all without knowing either the service or the user who is trying to log in.
- The user's e-mail address is verified by JustAuthMe, which guarantees human, trustworthy users to the services that use its platform.
- Because JustAuthMe does not store any personal data about its users, even a massive hack of its servers would not allow any personal data leak.
- Thanks to the derived form of the unique identifier, the hacking of some services the user is registered with would not allow cross-checking between services to find this user elsewhere.
- Because there is no password anymore, "password fatigue" is no longer a problem, as the user is not tempted to choose a weak password to secure their entire online presence.
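The derived per-service identifier and the hashed e-mail and login records described in the list above can be sketched as follows. This is an added example, not JustAuthMe's code: the page does not say how derivation or hashing is done, so HMAC-SHA256 under a server-side key, the function names and the sample service names are all assumptions. A keyed hash is used because a plain unkeyed hash of an e-mail address can be confirmed by anyone who hashes candidate addresses.

```python
import hashlib
import hmac
import secrets

# Assumption: one secret key held by the core server (key handling is not on the page).
SERVER_KEY = secrets.token_bytes(32)

def _keyed_hash(label: bytes, *parts: str) -> str:
    """HMAC-SHA256 over length-prefixed parts, so ("ab","c") != ("a","bc")."""
    mac = hmac.new(SERVER_KEY, label, hashlib.sha256)
    for part in parts:
        data = part.encode("utf-8")
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()

def email_handle(email: str) -> str:
    """Hashed e-mail: recognises a returning user without storing the address."""
    return _keyed_hash(b"email", email.strip().lower())

def service_user_id(core_id: str, service_id: str) -> str:
    """Derived identifier given to one service; unrelated across services."""
    return _keyed_hash(b"derived-id", core_id, service_id)

class LoginIndex:
    """Stores only opaque digests of (user, service) pairs already seen."""

    def __init__(self) -> None:
        self._seen: set[str] = set()

    def login(self, core_id: str, service_id: str) -> tuple[str, bool]:
        """Return (derived identifier, True if this is the first login)."""
        record = _keyed_hash(b"login-record", core_id, service_id)
        first_time = record not in self._seen
        self._seen.add(record)
        return service_user_id(core_id, service_id), first_time

if __name__ == "__main__":
    core = secrets.token_hex(16)  # constructed anonymous core identifier
    index = LoginIndex()
    print(index.login(core, "shop.example"))   # first login
    print(index.login(core, "shop.example"))   # same id, first_time False
    print(index.login(core, "forum.example"))  # different, unlinkable id
```

Two services comparing the identifiers they received cannot match them without the server key, and the stored login records contain neither the core identifier nor the service name.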
6. Other application fields
Up to this point, we have only talked about identification and authentication problems on the online services that we use on a daily basis.
However, the JustAuthMe ecosystem opens an infinite field of possibilities. Currently, the login details are transmitted via a QR-Code or a Deep-Link to the app, but we could imagine our smartphone as an NFC badge to access offices, for example, or at the airport or anywhere we need to identify ourselves!
We could also think of all those times when we need to state our identity, street address and everything else out loud in public, with mispronunciations and all that awkwardness. With a little screen displaying a QR-Code at the supermarket, we could sign up for the loyalty program without having to spell our name and address 3 times.
The password is an old, dirty system that no longer belongs in the hyper-connected world we live in. Alternatives exist but they don't meet the ever more demanding expectations of users in terms of security and privacy.
JustAuthMe offers a highly innovative solution, aligned with the imperatives of our world, which uses the latest technologies on the market to create a completely new way to identify and authenticate on the internet and in everyday life.