We have posted another video that explains how ChainLock compares to popular two-factor authentication (2FA), such as SMS and token one-time-password (OTP) authentication.
http://chaintightsecurity.com/content
The most important point we make in this new video is that ChainLock will cause the adoption of Bitcoin to explode. This is the most important benefit of ChainLock with respect to the Bitcoin ecosystem.
Topic: ChainLock your online accounts using a bitcoin address (Read 2179 times)
We're trying to give you some feedback on what our thoughts are on your concept. If you don't want feedback, you can post in the Announcement subform or contact Bank of America since that seems to be who you want to use it.
I appreciate your passion for the product, but if you're looking for that... "Ah ha! This is genius and going to disrupt the multifactor authentication market!" you still need to listen to the feedback, improve your product/service, and try again. Or, don't listen to us and continue on your own path. You drive your own success.
I appreciate your passion for the product, but if you're looking for that... "Ah ha! This is genius and going to disrupt the multifactor authentication market!" you still need to listen to the feedback, improve your product/service, and try again. Or, don't listen to us and continue on your own path. You drive your own success.
We do appreciate thoughtful, meaningful feedback that might help us improve ChainLock, and that is what we are hoping for from this thread.
We do not understand feedback that is nonsense.
Your suggestion to "improve the product and try again" is also nonsense given that no one has made a coherent comment that would warrant improvement (other than the inadvertent spending out of a ChainLock address which we have already addressed).
Again, we are actually encouraged by the inability of anyone to demonstrate cracks in the ChainLock protocol.
If commenters on this site want to be critical, we simply appreciate a little effort to at least understand ChainLock before posting a comment.
Posting comments like "it will take 2 hours for a ChainLock transaction to post to the blockchain" is simply wrong. These types of critical, technically incorrect comments merely demote ChainLock for no reason.
Everyone interested in the success of bitcoin should be interested in the success of products like ChainLock because they promote the use of bitcoin.
We're trying to give you some feedback on what our thoughts are on your concept. If you don't want feedback, you can post in the Announcement subform or contact Bank of America since that seems to be who you want to use it.
I appreciate your passion for the product, but if you're looking for that... "Ah ha! This is genius and going to disrupt the multifactor authentication market!" you still need to listen to the feedback, improve your product/service, and try again. Or, don't listen to us and continue on your own path. You drive your own success.
I appreciate your passion for the product, but if you're looking for that... "Ah ha! This is genius and going to disrupt the multifactor authentication market!" you still need to listen to the feedback, improve your product/service, and try again. Or, don't listen to us and continue on your own path. You drive your own success.
Its an interesting concept but like the said, security flaw is an issue. Allowing a third party to hold bitcoin is a security flaw it self. We even move our money back from exchanges to our wallets if we don't expect something to happen in the market due to security.
Chainlock can probably lure users if they give interest if users store their btc. But most probably can turn into scam
Chainlock can probably lure users if they give interest if users store their btc. But most probably can turn into scam
Yet another comment that makes absolutely no sense. It's almost like people don't want a product like ChainLock to succeed.
Imagine if ChainLock does succeed. It will rocket bitcoin into the mainstream. It will introduce the actual use of bitcoin to hundreds of millions of people. These new users will learn how to perform bitcoin transactions with a very low monetary value but with a very high significance value.
We have already addressed this nonsense comment in our FAQ video for anyone that wants to take a few minutes to actually learn about how ChainLock works:
http://chaintightsecurity.com/content
Its an interesting concept but like the said, security flaw is an issue. Allowing a third party to hold bitcoin is a security flaw it self. We even move our money back from exchanges to our wallets if we don't expect something to happen in the market due to security.
Chainlock can probably lure users if they give interest if users store their btc. But most probably can turn into scam
Chainlock can probably lure users if they give interest if users store their btc. But most probably can turn into scam
We posted a video addressing the frequently asked questions about ChainLock which can be seen here:
http://chaintightsecurity.com/content
http://chaintightsecurity.com/content
We published a shorter version of the ChainLock demo video which can be seen here:
http://chaintightsecurity.com/content
http://chaintightsecurity.com/content
Concept vs Project vs Business.... Yes, it's an interesting concept, but as a business it's flawed because your concept requires a developer to implement. If the developer is going to implement your concept, they don't really have to use anything you've developed to do it. In essence, you're selling lemonade to lemon farmers. Is OTP foolproof, sms, or email? No... but your system is still dependent on other systems with a wide attack surface as well. The server, database, network, dns, code, ports, etc can be probed for vulnerabilities.
The major problem though (for me to implement this into my own apps) is that most people don't understand the relationship between an account/wallet with a single bitcoin address. Most people would likely use an address that they either A) already know and have used or B) generate a new address from an existing wallet. The majority of bitcoin users don't really understand the concept of inputs and outputs, so they're going to unintentionally "unlock" some account when they buy alpaca socks. It's not something for your casual user, it's something that needs to be used by an experienced and educated bitcoin user.
It's obvious you're passionate about this, so keep going, creating, and plugging holes you find along the way.
The major problem though (for me to implement this into my own apps) is that most people don't understand the relationship between an account/wallet with a single bitcoin address. Most people would likely use an address that they either A) already know and have used or B) generate a new address from an existing wallet. The majority of bitcoin users don't really understand the concept of inputs and outputs, so they're going to unintentionally "unlock" some account when they buy alpaca socks. It's not something for your casual user, it's something that needs to be used by an experienced and educated bitcoin user.
It's obvious you're passionate about this, so keep going, creating, and plugging holes you find along the way.
Concept vs Project vs Business.... Yes, it's an interesting concept, but as a business it's flawed because your concept requires a developer to implement. If the developer is going to implement your concept, they don't really have to use anything you've developed to do it. In essence, you're selling lemonade to lemon farmers.
Of course we have addressed this issue. There are many, many businesses that face this same issue, yet they are profitable.
Is OTP foolproof, sms, or email? No... but your system is still dependent on other systems with a wide attack surface as well. The server, database, network, dns, code, ports, etc can be probed for vulnerabilities.
This is probably the strangest comment yet because it is posted on a site dedicated to bitcoin. The comment claims "our system" is insecure, but the security of our system is not "ours." The security of "our" system is bitcoin. If someone can hack a bitcoin address used to unlock an account, then that same person can hack any bitcoin address. That person could just steal $10 billion. But of course no person has or will.
The major problem though (for me to implement this into my own apps)
ChainLock is not going to be implemented by individuals into their own "apps." ChainLock will be implemented by service provider websites such as banks.
is that most people don't understand the relationship between an account/wallet with a single bitcoin address.
ChainLock does not limit the user in any way as to what bitcoin address they can use to lock an account. We used a "single" bitcoin address in the Mycelium wallet for the demo video so that the bitcoin address remains static. No doubt there is some complexity to bitcoin. Some amount of learning. But again, this is a bitcoin site. Doesn't everyone reading these posts already agree the complexity of bitcoin is about the same as a website browser? Doesn't everyone agree that the complexity of bitcoin will eventually be a non-issue?
Most people would likely use an address that they either A) already know and have used or B) generate a new address from an existing wallet.
Our response to this comment is... what? First this commenter argues ChainLock is so simple the banks will just implement it without our help... then this comment which clearly shows an inability to understand the basic concept. Of course it doesn't matter what bitcoin address is used to lock an account. The user can use any bitcoin address. One they "already know and have used" or "generate a new address from an existing wallet" or whatever. In the demo video, we use a "single address" account generated by the Mycelium app. Generating a "single address" account really is not that difficult, but even if it turns out to be difficult for users, certainly wallet apps like Mycelium can make it easier to generate a "single address" account used to lock an online account. For example, they could change the menu command from "generate single address account" to "generate ChainLock address." Again, the complexity of our system is no more than the complexity of bitcoin. If users cannot figure out our system, then they cannot figure out bitcoin. Like most companies working in this space, we are counting on the ability of users to understand how to use bitcoin.
The majority of bitcoin users don't really understand the concept of inputs and outputs, so they're going to unintentionally "unlock" some account when they buy alpaca socks.
Finally someone has made a comment that is interesting to read. Yes! You are right! There is a possibility that a user might unintentionally spend bitcoin from a ChainLock address, thereby potentially unlock an online account. We have designed ChainLock so that this scenario is not possible. It's one of the enhancement features we talk about in the above comments, as well as in our demo video.
It's not something for your casual user, it's something that needs to be used by an experienced and educated bitcoin user.
If this comment is true, then bitcoin is doomed. If a user cannot understand how to use ChainLock, then they will of course not understand how to use bitcoin in general. Further, if a user cannot understand ChainLock, they probably should not be using bitcoin at all. Similarly, if an old person has dementia, they should not be allowed to carry a paper wallet because they no longer understand how to use paper money. Bitcoin is not that hard to use.
Concept vs Project vs Business.... Yes, it's an interesting concept, but as a business it's flawed because your concept requires a developer to implement. If the developer is going to implement your concept, they don't really have to use anything you've developed to do it. In essence, you're selling lemonade to lemon farmers. Is OTP foolproof, sms, or email? No... but your system is still dependent on other systems with a wide attack surface as well. The server, database, network, dns, code, ports, etc can be probed for vulnerabilities.
The major problem though (for me to implement this into my own apps) is that most people don't understand the relationship between an account/wallet with a single bitcoin address. Most people would likely use an address that they either A) already know and have used or B) generate a new address from an existing wallet. The majority of bitcoin users don't really understand the concept of inputs and outputs, so they're going to unintentionally "unlock" some account when they buy alpaca socks. It's not something for your casual user, it's something that needs to be used by an experienced and educated bitcoin user.
It's obvious you're passionate about this, so keep going, creating, and plugging holes you find along the way.
The major problem though (for me to implement this into my own apps) is that most people don't understand the relationship between an account/wallet with a single bitcoin address. Most people would likely use an address that they either A) already know and have used or B) generate a new address from an existing wallet. The majority of bitcoin users don't really understand the concept of inputs and outputs, so they're going to unintentionally "unlock" some account when they buy alpaca socks. It's not something for your casual user, it's something that needs to be used by an experienced and educated bitcoin user.
It's obvious you're passionate about this, so keep going, creating, and plugging holes you find along the way.
So, right, anyone can implement this pretty easily, it doesn't take that much effort. It's maybe <20 lines of code, minus the user interface, or database code to get the users address and locking amount.
I'm failing to see the reason to use your product
Code:
function getBalance($address) {
return file_get_contents('https://blockchain.info/en/q/addressbalance/'. $address);
}
$balance_address = getBalance('12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX');
$locked_amount = '1000000';
if ($balance_address < $locked_amount) {
// Allow withdrawal
echo 'allow';
}
else {
// Do not allow withdrawal
echo 'deny';
}
return file_get_contents('https://blockchain.info/en/q/addressbalance/'. $address);
}
$balance_address = getBalance('12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX');
$locked_amount = '1000000';
if ($balance_address < $locked_amount) {
// Allow withdrawal
echo 'allow';
}
else {
// Do not allow withdrawal
echo 'deny';
}
I'm failing to see the reason to use your product
Are you saying that because the basic concept is fairly easy to implement... that it's not valuable? Not useful? Or are you saying that because the basic concept is fairly easy to implement, that banks and other service providers will just implement the idea without help from us?
It would be much more interesting to hear people's opinion on whether banks should implement the idea? Do you think it is a good idea? Do you think the idea is better than existing 2FA approaches? If not... why not?
Instead of demonstrating how to implement the idea... can you demonstrate why the idea won't be adopted? Or why it should not be adopted?
Do you like the current state of 2FA? Do you consider SMS texting safe? Do you like token OTP? Do you still have to log into your bank account to verify your balance? Are you worried about losing your phone? Are you worried a lost phone may end up in the hands of a hacker? Do you know how to disable token OTP on a lost or stolen phone?
Are service providers paying companies like Authy for their infrastructure? For their servers? For their programmers and support staff? Are the Authy servers safe? Are you sure? Is the bitcoin blockchain safe?
This thread could be so much more interesting. We get it. The basic concept is fairly easy to implement once you understand it. Most everything is easy once you understand it. Does anyone have anything else to say about the idea? Anything that might be interesting to read?
By the way... we have developed many, many additional enhancements to the basic concept. If the basic concept is adopted, then our multitude of enhancements will also be adopted.
But if the basic concept is not adopted... the multitude of enhancements don't really matter.
So again. Can anyone please tell us why the basic concept won't be adopted? Or should not be adopted?
So, right, anyone can implement this pretty easily, it doesn't take that much effort. It's maybe <20 lines of code, minus the user interface, or database code to get the users address and locking amount.
I'm failing to see the reason to use your product
Code:
function getBalance($address) {
return file_get_contents('https://blockchain.info/en/q/addressbalance/'. $address);
}
$balance_address = getBalance('12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX');
$locked_amount = '1000000';
if ($balance_address < $locked_amount) {
// Allow withdrawal
echo 'allow';
}
else {
// Do not allow withdrawal
echo 'deny';
}
return file_get_contents('https://blockchain.info/en/q/addressbalance/'. $address);
}
$balance_address = getBalance('12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX');
$locked_amount = '1000000';
if ($balance_address < $locked_amount) {
// Allow withdrawal
echo 'allow';
}
else {
// Do not allow withdrawal
echo 'deny';
}
I'm failing to see the reason to use your product
Other reasons ChainLock beats Google Authenticator and Authy token OTP:
Token OTP is safer than SMS OTP... unless you lose your phone.
Google Authenticator provides no way to revoke a lost phone. Same with Authy unless you enable multiple-device with backup to their server... which most people won't do. Authy makes multi-device sound like a great idea... but the reality is most people will single install Authy... on their phone... because everyone is tethered to their phone... there is no need for multi-device access. Only tech geeks will enable Authy on multiple devices, and only tech geeks that want to protect their Twitter and Facebook accounts. Anyone with over $100k in the bank won't want multiple devices lying around capable of draining their life savings.
So with Google Authenticator and single installation Authy, when a user loses their phone, or their phone is stolen, the only way to revoke the phone (disable the token generator) is to reset the token seed for every online account. If the token seed is not reset, the lost or stolen phone can be used to generate valid tokens. The process of resetting the token seed is different for every account (every website), and so the user must grapple with how to reset the seed for each account. For example, an account may require the user to navigate to Account->settings, and then 2FA settings, and then click the pencil icon, yada yada yada. Or, without explanation, the account may presume the user will disable/re-enable the 2FA setting, thereby resetting the token seed. Again, this assumes the user won't do the most obvious... simply rescan their old QR code with their new phone, thereby unknowingly leave their old phone as an active token generator. Tech geeks may scoff... but this is reality... and the type of complexity that scares the average user (rightly so).
In addition, most online accounts (websites) provide backup OTP codes that can be used in case a phone is lost or stolen. So whenever a user enables 2FA for a new account, they must print and save the backup OTP codes for the new account. A prudent person saves their backup codes in a safe place, like a safe deposit box in a bank, so that when their phone is lost or stolen, they go to the bank and retrieve their backup codes. But if new backup codes are generated for each new account, the user must make a trip to their safe deposit box to store the new backup codes whenever a new account is configured with 2FA.
ChainLock overcomes all of the above problems. With ChainLock, a user can configure each new account with the same master bitcoin address as well as a unique working bitcoin address assigned to each new account. The master bitcoin key (for the master bitcoin address) can be printed and stored in a safe deposit box once. When the user creates a new account, they simply specify their master bitcoin address as the backup address... there is no need for different backup codes for each account.
When a user loses their phone, or their phone is stolen, the user retrieves their master bitcoin key from their safe deposit box which is used to access every account. As each account is accessed using their master bitcoin key, the user is prompted to reset their working bitcoin address for the account. That is, each online account (website) can implement a standard interface wherein the user is prompted to reset their working bitcoin address whenever their account is accessed using their master bitcoin key. In this way, the user need not grapple with how to reset a token seed for each account because the process is the same for every account.
Even more convenience is achieved by storing multiple copies of the master bitcoin key (multiple paper copies) in a safe deposit box. This way the user can retrieve a copy of their master bitcoin key, reset all of their accounts, and then dispose of the copy (burn it). So a user need only make one trip to their safe deposit box if their phone is lost or stolen.
Token OTP is safer than SMS OTP... unless you lose your phone.
Google Authenticator provides no way to revoke a lost phone. Same with Authy unless you enable multiple-device with backup to their server... which most people won't do. Authy makes multi-device sound like a great idea... but the reality is most people will single install Authy... on their phone... because everyone is tethered to their phone... there is no need for multi-device access. Only tech geeks will enable Authy on multiple devices, and only tech geeks that want to protect their Twitter and Facebook accounts. Anyone with over $100k in the bank won't want multiple devices lying around capable of draining their life savings.
So with Google Authenticator and single installation Authy, when a user loses their phone, or their phone is stolen, the only way to revoke the phone (disable the token generator) is to reset the token seed for every online account. If the token seed is not reset, the lost or stolen phone can be used to generate valid tokens. The process of resetting the token seed is different for every account (every website), and so the user must grapple with how to reset the seed for each account. For example, an account may require the user to navigate to Account->settings, and then 2FA settings, and then click the pencil icon, yada yada yada. Or, without explanation, the account may presume the user will disable/re-enable the 2FA setting, thereby resetting the token seed. Again, this assumes the user won't do the most obvious... simply rescan their old QR code with their new phone, thereby unknowingly leave their old phone as an active token generator. Tech geeks may scoff... but this is reality... and the type of complexity that scares the average user (rightly so).
In addition, most online accounts (websites) provide backup OTP codes that can be used in case a phone is lost or stolen. So whenever a user enables 2FA for a new account, they must print and save the backup OTP codes for the new account. A prudent person saves their backup codes in a safe place, like a safe deposit box in a bank, so that when their phone is lost or stolen, they go to the bank and retrieve their backup codes. But if new backup codes are generated for each new account, the user must make a trip to their safe deposit box to store the new backup codes whenever a new account is configured with 2FA.
ChainLock overcomes all of the above problems. With ChainLock, a user can configure each new account with the same master bitcoin address as well as a unique working bitcoin address assigned to each new account. The master bitcoin key (for the master bitcoin address) can be printed and stored in a safe deposit box once. When the user creates a new account, they simply specify their master bitcoin address as the backup address... there is no need for different backup codes for each account.
When a user loses their phone, or their phone is stolen, the user retrieves their master bitcoin key from their safe deposit box which is used to access every account. As each account is accessed using their master bitcoin key, the user is prompted to reset their working bitcoin address for the account. That is, each online account (website) can implement a standard interface wherein the user is prompted to reset their working bitcoin address whenever their account is accessed using their master bitcoin key. In this way, the user need not grapple with how to reset a token seed for each account because the process is the same for every account.
Even more convenience is achieved by storing multiple copies of the master bitcoin key (multiple paper copies) in a safe deposit box. This way the user can retrieve a copy of their master bitcoin key, reset all of their accounts, and then dispose of the copy (burn it). So a user need only make one trip to their safe deposit box if their phone is lost or stolen.
Other major reasons why ChainLock is better than phone token or SMS OTP, such as Google Authenticator or Authy:
Most users are very novice about technology. If a user loses their phone, their primary concern is to regain access to their online accounts. The authenticator companies make sure there are a number of ways to regain access so users don't freak out. For example, they provide backup codes, or backup phone numbers, or backup devices. All of these "backups" represent a security risk if compromised. Further, with phone token OTP (e.g., Google Authenticator or Authy SoftToken), the authenticator app remains active on the stolen phone unless the user is technically savvy enough to disable the stolen phone. A tech geek might think this is simple (which it is), but most people are not tech geeks. Most people won't realize their stolen phone is an active token generator... they will just be happy to access their accounts using a different device. Eventually the stolen phone falls into the hands of a hacker who gains a new target.
With ChainLock when a user loses their phone, its exactly like losing their pocket wallet (we assume users don't make backups of their wallet apps... a solid assumption). They therefore must use their master bitcoin key (stored in a safe place, such as on paper in a safe deposit box) in order to regain access to their online account. When accessing an online account using a master bitcoin key, the user is warned to reset their working bitcoin address if their phone was lost or stolen. The entire process is straightforward and easy for the user to understand what is happening and why it's happening.
Compare this to Google Authenticator where the only way to revoke a stolen or lost phone is to disable the 2FA for each account and then re-enable the 2FA so that the seed is changed. Do you think a user understands what a seed is? Let alone the need to change it? Let alone go through the disable/re-enable procedure for every account? What if a user simply saves their old QR codes for each account and then rescans the old QR codes into their new phone? Is there someone telling them not to do this? Do you even understand what this paragraph is saying? Not surprised if you don't... it's not easy.
Authy makes revoking a stolen or lost phone somewhat easier, as long as multiple-device with backups to the server is enabled. Say what? Exactly. Go research it for an hour or two and you might understand it... maybe. And activating multiple devices is of course a security risk. And even if multiple-device with backups to the server is enabled, the user must not only understand how to revoke a stolen or lost phone, but remember and be diligent to do so... which of course is not going to happen 90% of the time. And then when a user's account is hacked, the bank will claim the user was negligent... which is of course true. This is not going to happen with ChainLock.
Most users are very novice about technology. If a user loses their phone, their primary concern is to regain access to their online accounts. The authenticator companies make sure there are a number of ways to regain access so users don't freak out. For example, they provide backup codes, or backup phone numbers, or backup devices. All of these "backups" represent a security risk if compromised. Further, with phone token OTP (e.g., Google Authenticator or Authy SoftToken), the authenticator app remains active on the stolen phone unless the user is technically savvy enough to disable the stolen phone. A tech geek might think this is simple (which it is), but most people are not tech geeks. Most people won't realize their stolen phone is an active token generator... they will just be happy to access their accounts using a different device. Eventually the stolen phone falls into the hands of a hacker who gains a new target.
With ChainLock when a user loses their phone, its exactly like losing their pocket wallet (we assume users don't make backups of their wallet apps... a solid assumption). They therefore must use their master bitcoin key (stored in a safe place, such as on paper in a safe deposit box) in order to regain access to their online account. When accessing an online account using a master bitcoin key, the user is warned to reset their working bitcoin address if their phone was lost or stolen. The entire process is straightforward and easy for the user to understand what is happening and why it's happening.
Compare this to Google Authenticator where the only way to revoke a stolen or lost phone is to disable the 2FA for each account and then re-enable the 2FA so that the seed is changed. Do you think a user understands what a seed is? Let alone the need to change it? Let alone go through the disable/re-enable procedure for every account? What if a user simply saves their old QR codes for each account and then rescans the old QR codes into their new phone? Is there someone telling them not to do this? Do you even understand what this paragraph is saying? Not surprised if you don't... it's not easy.
Authy makes revoking a stolen or lost phone somewhat easier, as long as multiple-device with backups to the server is enabled. Say what? Exactly. Go research it for an hour or two and you might understand it... maybe. And activating multiple devices is of course a security risk. And even if multiple-device with backups to the server is enabled, the user must not only understand how to revoke a stolen or lost phone, but remember and be diligent to do so... which of course is not going to happen 90% of the time. And then when a user's account is hacked, the bank will claim the user was negligent... which is of course true. This is not going to happen with ChainLock.
Quote
Again, we are encouraged by the inability of anyone to make a coherent, persuasive argument against ChainLock.
Dude, just chill out and take a beer. You are developing a product, not a fighting an election campaign.
Of course we are "fighting an election campaign." We have already knocked out the primary candidate BitID.
The general campaign is against the incumbent 2FAs... token one-time-password (OTP) and SMS OTP.
Token OTP has a huge target on its back... the server seed. When the server seed is hacked, all user accounts are comprised. Just ask RSA when their SecureID product was hacked back in 2011 requiring the replacement of millions of hardware tokens at a cost of $66 million. Hardware tokens are also expensive and a pain to carry around, and many times they are defective requiring replacement. Software tokens are susceptible to malware. ChainLock is also susceptible to malware, but ChainLock is implemented using bitcoin wallet apps that are continuously monitored and adapted against attack. Software tokens are dedicated apps susceptible to the server seed being hacked. ChainLock relies on the security of the bitcoin blockchain which has never been hacked. Both hardware and software tokens require user training on the device/program. If a hardware token is lost or damaged, or if a phone is lost, the user is locked out of their account until they receive a new hardware token or until a new phone can be configured. This is also a customer support nightmare. Some banks have ameliorated the issue by allowing the 2FA to be temporarily disabled through a telephone call, but this is a security flaw because a hacker might make the call, or a hacker might attack the account while the 2FA is disabled. With ChainLock, the user can reset their own account using a master address if they lose their phone. There is no down time and the account remains locked. There is no waiting for a hardware token, or fighting to configure a new phone. There is no fighting with customer service during a customer "support" marathon.
SMS OTP is even more susceptible to attack than token OTP because it involves a cellphone service provider. There have been many instances when a hacker has simply called the cellphone service provider to redirect SMS texts to the hacker phone. ChainLock of course does not suffer from this security flaw. SMS OTP also doesn't always work with some cellphone carriers or with some cellphone software. Further, SMS OTP will not work when the user travels out of country, and so the solution has been to temporarily disable the 2FA which is a security flaw because again, a hacker may disable the SMS OTP or a hacker may attack the account while the SMS OTP is disabled. ChainLock always works, even when a user travels out of the country, because ChainLock uses the security of the bitcoin blockchain which is globally accessible using general applications that run on any cellphone. If a user loses their cellphone, they typically disable SMS OTP through a phone call to the service provider until a new phone can be configured. This is again is a security flaw, as well as a customer support nightmare. With ChainLock, the user can reset their own account using a master address if they lose their phone. There is no down time and the account remains locked. There is no fighting to configure a new phone. There is no fighting with customer service during a customer "support" marathon.
Quote
Again, we are encouraged by the inability of anyone to make a coherent, persuasive argument against ChainLock.
Dude, just chill out and take a beer. You are developing a product, not a fighting an election campaign.
I agree with this. Why would we want to wait 2 hours and pay bitcoin for this.
If you want to use bitcoin address as proof of ownership, you can ask the user to sign a message using bitcoin address.
[/quote]
We forgot to address (again) the question of "why would someone pay bitcoin for this?"
Do you think the users of Bitfinex have the same "who cares about this" attitude?
Lose ten thousand or a hundred thousand dollars to a hacker... and then ask "who cares?"
Plenty of people care. Most people care.
Most people will not mind paying 50 cents or even $1 a month to ChainLock their accounts.
Once again... yet again... to explain one more time: a user only pays a miner fee when they lock/unlock an account which will happen at most a couple of times a month.
Instead of asking the same question, why not address the above argument. Tell us we are wrong about the fees a user will pay per month. Tell us why?
Again, we are encouraged by the inability of anyone to make a coherent, persuasive argument against ChainLock.
Thanks for the comments.
It doesn't matter whether a few people have doubts. It's just a matter of time before the entire Internet adopts ChainLock as the standard for locking online accounts.
It doesn't matter whether a few people have doubts. It's just a matter of time before the entire Internet adopts ChainLock as the standard for locking online accounts.
Howard, that is a very bold statement to make.. Why would I have to pay US$ 0.28 or whatever amount with miners fees to access my
accounts? The 0.28 cents... adds a lot of extra cost, on top of all other banking fees for people with much less money, than the $9000 you
have in your account. This type of charging additional fees to access your account are typical of fiat banking systems, not Bitcoin.
... I do not even want to go to scenarios where confirmations takes 2 hours.
I agree with this. Why would we want to wait 2 hours and pay bitcoin for this.
If you want to use bitcoin address as proof of ownership, you can ask the user to sign a message using bitcoin address.
It is encouraging to receive the same comments over and over. It means that so far no one can make a persuasive argument against ChainLock.
To yet once again respond to the same comments:
1. Locking/Unlocking an account takes seconds as shown in our demo video. A service provider (e.g., bank) need not wait for a transaction to confirm on the blockchain. Instead of making erroneous statements like "why would we want to wait 2 hours," why not address our claim? Tell us we are wrong? We are not wrong. The lock/unlock time is exactly as shown in the demo video... a matter of seconds.
2. "Asking a user to sign a message with a bitcoin address" (of course he meant private bitcoin key) is the same as conventional public/private key authentication such as BitID and SQRL. Instead of questioning "why use ChainLock when you can use BitID," this thread would be much more interesting if people address the multiple differences listed on our website:
BitID: Although BitID uses bitcoin keys for authentication, BitID does not leverage the security of the bitcoin blockchain. The bitcoin blockchain protects $10 billion of wealth, and so there are significant resources deployed to ensure the security of the bitcoin blockchain.
ChainLock uses the security of the bitcoin blockchain to secure other online accounts. That is, the security measures currently deployed to protect $10 billion of wealth is leveraged by ChainLock, whereas BitID merely leverages the security of bitcoin keys.
BitID: If a user loses their digital wallet (e.g., loses their phone), they must have made a backup of the wallet and they must restore the wallet which can be difficult and confusing. Very few people make a backup of anything digital. Further, most people will only carry a few hundred dollars in a digital wallet just like a pocket wallet, so backing up a digital wallet to protect a few hundred dollars is basically a waste of time. Even if people backup their digital wallet, they would be calling the banks for help on how to restore the wallet. This is a customer support nightmare.
ChainLock overcomes this by having a master bitcoin address that can be used to reset an account (or multiple accounts). This master address can be stored on paper in a secure location (e.g., a safe). If a user loses their digital wallet, they can easily reset their accounts using the master address without needing to restore their wallet. So a user need not even backup their wallet which typically only has a few hundred dollars anyway just like a pocket wallet.
BitID: A user must download a smartphone app that supports BitID, and the user must learn how to use the smartphone app to deploy BitID authentication. Both could require additional customer support from the service provider.
ChainLock overcomes this by relying on the general public's knowledge about how Bitcoin works in general. If you tell a user "transfer money into a bitcoin address to lock an account" or "transfer money out of the bitcoin address to unlock an account" the user will understand not only what this means, but how it can be done using any kind of general purpose wallet.
BitID: The service provider must incorporate the BitID protocol into their website server. This can be fairly complex and therefore susceptible to mistakes.
ChainLock overcomes this by using the bitcoin blockchain protocol which is easily accessible to the service provider using well known, generic blockchain query tools (e.g., blockchain.info). Multiple tools could be employed to query the blockchain redundantly.
BitID: The BitID protocol is not really "out-of-band" because it involves a dedicated communication channel specifically for user authentication. The BitID communication channel may be separate from a website communication channel, but it is still a dedicated part of the authentication protocol and therefore a target for hackers.
ChainLock overcomes this by using the bitcoin blockchain protocol which is truly out-of-band because it uses a completely independent third party provider (miners) that maintain the blockchain. All communication with the blockchain is generic to the bitcoin protocol with generic communication channels. It's like calling a third party with a telephone and asking whether a user trying to access a bank's website is authentic. The third party can absolutely authenticate the user with a completely independent, unbiased, out-of-band confidence.
BitID: The BitID protocol is unproven because it has not been in use. The vulnerabilities of the BitID protocol are therefore not even fully understood. Service providers will be reluctant (rightly so) to adopt some new, unproven authentication protocol.
ChainLock overcomes this by using the bitcoin blockchain protocol which has been in use since 2009. There is $10 billion entrusted in the bitcoin blockchain. Although bitcoin private keys have been stolen over the years, the bitcoin blockchain itself has never been compromised. There is an obvious and proven trust in the bitcoin blockchain, and so service providers will more likely adopt it as an authentication protocol (or to augment an existing authentication protocol).
BitID: With BitID, if a user's account is hacked, it is difficult to prove how it happened or why it happened. Therefore, it will be difficult for a service provider (e.g., bank) to verify whether a hack was due to a bug in the protocol or a hack of the protocol versus a user's private key being compromised.
ChainLock overcomes this by using the bitcoin blockchain to lock an account. As long as there is never a transfer-out of a bitcoin address associated with a locked account, the user's account should remain locked. If a user's account is hacked, the blockchain can verify that the hack was not due to a compromise of the private bitcoin key by verifying there was never a transfer-out of the bitcoin address. So if there is a hack, it must have been due to a system failure on the service provider side and the user can prove it using the blockchain. If the blockchain does confirm that an account was actually unlocked as part of a hack, it proves the user's private key was compromised (not necessarily due to fault of the user, but at least the source of the hack is known).
Shared Benefits of BitID and ChainLock:
Both BitID and Chainlock can use wallet applications to secure the user's bitcoin private keys. Securing the private keys is extremely important not only if used as part of an authentication protocol, but also to secure the funds stored in the bitcoin blockchain. Accordingly, the security of the wallet programs will be continuously evaluated and improved in order to protect the funds in the bitcoin blockchain, and therefore the security of both the BitID and ChainLock authentication protocols will benefit from this concerted, global effort.
Thanks for the comments.
It doesn't matter whether a few people have doubts. It's just a matter of time before the entire Internet adopts ChainLock as the standard for locking online accounts.
It doesn't matter whether a few people have doubts. It's just a matter of time before the entire Internet adopts ChainLock as the standard for locking online accounts.
Howard, that is a very bold statement to make.. Why would I have to pay US$ 0.28 or whatever amount with miners fees to access my
accounts? The 0.28 cents... adds a lot of extra cost, on top of all other banking fees for people with much less money, than the $9000 you
have in your account. This type of charging additional fees to access your account are typical of fiat banking systems, not Bitcoin.
... I do not even want to go to scenarios where confirmations takes 2 hours.
I agree with this. Why would we want to wait 2 hours and pay bitcoin for this.
If you want to use bitcoin address as proof of ownership, you can ask the user to sign a message using bitcoin address.
if a bank wants a bitcoin based 2FA they will use their own internal blockchain explorer and ask their own customers to add a public key for the bank to watch.
the business plan:
banks/services wont pay a licence fee to a company who requires access to peoples account to control what an account can or cant do.
that alone is already a breach of customers terms of use of all banks and many other services. even if you update your business plan so its just an API request access. this is still a middleman security flaw.
though the concept of using bitcoin funds is more user-friendly compared to bitID's requirement of copy/pasting a message and then copy/pasting a signature. there are flaws in your business plan
trying to patent this form of 2FA to then licence it, is a failure. you are failing the open source ethos of bitcoin by making a barrier of use. especially if you end up trying to sue anyone that uses bitcoin transactions/addresses as a method of authentication to log into services to hold up your 'licence'. is a big no no..
there are other flaws to your business plan.. but i wont digress further
any service wanting a bitcoin based 2FA wont buy into a licence scheme especially for just 10 lines of code they can create and run themselves.
dont get me wrong, good 2FA security concept.. but bad business plan.
using bitcoin for any reason is open licence. sorry
the business plan:
banks/services wont pay a licence fee to a company who requires access to peoples account to control what an account can or cant do.
that alone is already a breach of customers terms of use of all banks and many other services. even if you update your business plan so its just an API request access. this is still a middleman security flaw.
though the concept of using bitcoin funds is more user-friendly compared to bitID's requirement of copy/pasting a message and then copy/pasting a signature. there are flaws in your business plan
trying to patent this form of 2FA to then licence it, is a failure. you are failing the open source ethos of bitcoin by making a barrier of use. especially if you end up trying to sue anyone that uses bitcoin transactions/addresses as a method of authentication to log into services to hold up your 'licence'. is a big no no..
there are other flaws to your business plan.. but i wont digress further
any service wanting a bitcoin based 2FA wont buy into a licence scheme especially for just 10 lines of code they can create and run themselves.
dont get me wrong, good 2FA security concept.. but bad business plan.
using bitcoin for any reason is open licence. sorry
Thank you for your comments... we disagree. People should be encouraged to innovate... and they should be rewarded when they innovate in ways that change the world. Without compensation for innovation... or artistic work... or hard work... society dies. Reward for hard work and innovation is what our country is founded on.
sorry.. but um, nah.
i think bank of america will do their own bitcoin 2fa without "chainlock" as middlemen thus remove a security flaw (middlemen)
The first commenter seems like a person that immediately assumes he understands everything about anything, and why it won't be adopted.
Please believe that ChainLock is...[edit]
It doesn't matter whether a few people have doubts. It's just a matter of time before the entire Internet adopts ChainLock as the standard for locking online accounts.
I agree with what Franky is stating and the response to him just points to why people should be weary of this business. Its bad tact
to insult people that are actually reading this advertisement that is actually in the wrong forum to boot.
You are asking people to "Please believe..." and that is sketchy as hell,when we are talking about you acting as the secure link in transactions. Finally it does matter if people have doubts and you should be working to address the doubts rather than tossing them to the side because you believe the product is superior. You need to work harder on talking to the customer,as you are coming off in a manner that is raising multiple red flags.
The main issue I have is you did not explain why Franky is wrong and I would like to see you address this.
Are we confident in our product? We are. If you take the time to watch the demo video... you will understand the product so you can provide relevant feedback. We honestly do not care about the doubters... this is the most secure way to lock down an online account ever. We are of course interested to hear about perceived cracks in the product... but when you truly understand how it works... you will realize the product is as secure as the blockchain itself. It USES the blockchain protocol which has been protecting $10 billion since 2009. You simply cannot get more secure than a $10 billion safe that has not been and will not be cracked.
Jump to: