PASSCON Authentication security solution for better human life

11 min readSep 25, 2020

The most essential element in all authentication security is knowledge authentication. This is because it is the only means to prove the voluntary behavior of the user. The existing knowledge authentication was password, pattern, or PIN. However, these knowledge authentication methods had serious security problems.

PASSCON’s Pattern and PIN provide the most optimal UI that can replace the existing knowledge authentication method. In the PASSCON Pattern, points can be duplicated, and the number of points can be selected by the user, enhancing convenience and security. — The path cannot be determined by shape alone. In addition, multiple number pads are applied in the PIN method to reinforce the security strength. — The number alone cannot determine the position on the pad

One of the most problematic things in authentication security is the input device, that is, the keyboard. The problem that the value intended by the user and the value exposed on the screen and the actual input value are the same is very fatal in maintaining security.

PASSCON has no functional relationship between image UI such as Pattern or PIN and actual input value. All users set their input values according to their own personalized security code and can freely adjust the length of the input string.

Therefore, it is possible to completely generate the AES256 encryption key with the hash value of the authentication key, and it is applied to encrypt the private key. This solves the problem of general PKI digital signatures or blockchain wallets that encrypt private keys with passwords.

Random numbers are indispensable and important elements in security solutions. Naturally, the security superiority of natural random numbers over pseudo random numbers generated by a program is natural. PASSCON generates a natural random number with a picture selected by the user. Any digital files other than photos can be applied.

The user can delete the photo, and there is no need to remember or keep it. In addition, the user can change the natural random number by selecting a new photo at any time. Therefore, the user’s control over the core authentication factors is fully guaranteed. It means that you can easily manage security.

The generated natural random number is used to generate the authentication factor and finally strengthens the security of the digital signature. It is also applied to the process of verifying whether the device is a legitimate device by combining it with device information.

These days, authentication technologies are putting a lot of effort into validating devices. This is because the dependence is very high on authentication methods that are easy to be hacked and steal, such as passwords and PINs. However, most device verification techniques are simple methods of transmitting device-specific information to a server and comparing them and may be vulnerable in security. Alternatively, a special HW such as a SIM can be used, but this has a high cost problem and a large compatibility problem.

PASSCON completely verifies the device with pure SW. The first step is self-verification, which compares the already stored verification value with the value generated in real time so that the stolen device verification factor cannot be used. In the second step, it is transmitted to the server to compare and verify the values already stored to block attempts by other devices. Since the dashboard in which the authentication key can be entered is loaded only after passing step 2, it is not possible to actually attempt to abuse the account on a third device.

Finally, by comparing and verifying the device value mixed with the natural random number with the value generated locally in real time, it blocks the use of the natural random number in an illegal device.

The digital signature is a digital authentication means that proves that the user’s voluntary will.

The existing PKI digital signature is a structure in which the validity of the digital signature is recognized when it is proved that it has a private key. However, there is a limit to verifying that the holder has created a signature at his or her will. This is because it is merely verifying possessions without the knowledge verification means. In particular, the existing method of encrypting the private key with a password has a very high possibility that the private key can be decrypted by a third party.

When generating a digital signature with a private key, PASSCON requires an authentication factor that uses both an authentication key and a natural random number. Therefore, knowledge authentication and possession authentication are simultaneously verified, and this completely proves that it is an digital signature generated by the voluntary will of the user.

Because of the serious security threat of password authentication, two-factor authentication is widely used. However, most 2FAs actually go through two authentications, and the two factors cannot be fused into one. This makes the user uncomfortable, but the actual security effect is not very high. Because passwords are easily hacked, it’s actually like relying on SMS or OTP for everything.

In PASSCON, a 2Way method of generating and submitting an digital signature after receiving the challenge from the server is applied. 2Way authentication is also a standard of FIDO that can effectively block man-in-the-middle attacks or reuse attacks.

PASSCON combines four factors into one authentication. The digital signature can be transmitted to the server only after verification and authentication factor generation process using four factors of device-specific value, authentication key, natural random number, and private key. If even one factor is not correct, the process of the next step will not proceed, and authentication will fail.

In PASSCON, the server cannot know at all except for the device authentication value among the four factors, so it is a digital signature authentication that satisfies complete zero-knowledge proof. In recent years, since hacking accidents due to fraudulent behavior of server administrators are frequent, proof of zero knowledge is very important.

The key feature of the PASSCON authentication algorithm is that multiple factors are sequentially calculated in the memory of the user device.

Even with multi-factor authentication, this is very important because security performance cannot be maintained unless a consistent operation like PASSCON is performed. The four factors are verified at every step before performing the next operation. If this verification fails, the process is aborted.

In addition, device-specific values and natural random numbers are mixed, private keys can be decrypted only with authentication keys, and natural random numbers cannot be extracted without a private key. An authentication key and a natural random number must both be required to generate an authentication factor. Also, if the device-specific information does not match, the authentication screen is not loaded, and natural random number extraction is impossible.

One of the difficult parts in authentication security is the support of multiple devices, that is, the verification process when a device is changed or added. So, most sensitive services go through a complex identity verification process and approve device changes. Nevertheless, there are many cases where it is impossible to use multiple devices due to the limitation of authentication technology or at all in a PC.

PASSCON can be used equally on a PC as well as a smartphone. This is an important advantage that can greatly increase the marketing efficiency of a company. When adding or changing a device, if a recovery PIN is registered separately, it provides strong security that it is safe to skip the identification process. Because it is difficult to hack only one PASSCON authentication key, but two are completely impossible. If remembering two keys is a burden, you can use the identity verification process. This is subject to the policy judgment of the service provider.

The reason why the recovery PIN or identity verification is omitted at all and is not allowed to be added or changed with only one authentication key is to be prepared in case the authentication key is stolen by a neighbor or family member.

Applying a good authentication solution to the service can expect many benefits. As well as direct gains that can prevent financial loss due to hacking, it can be expected to play a large role in improving reputation and trust in the marketplace.

In fact, most hacking accidents start when passwords are stolen. Therefore, simply replacing the password with PASSCON has a great security effect. It is natural that no attacker attempts to attack PASSCON, which is costly. It is clear that they will find targets applying passwords that can be easily hacked.

If it replaces SMS or OTP, which is widely used for secondary authentication, practical cost reduction is expected. Substituting both password and secondary authentication, or replacing only one of them with PASSCON, is sufficient to achieve the intended purpose. It is obvious that corporate sales will increase if customer trust and satisfaction in use increase together. Therefore, PASSCON is both a security solution and a marketing solution.

Simple authentication is a key competitive issue in mobile banking and fintech services. As a result, experience of using Pattern and PIN in many services has been accumulated. However, the existing pattern and PIN are too simple and are incomplete in security. This is also a concern for users.

The pattern is a nine-point grid that cannot be drawn complicatedly. It’s too difficult to be complicated and secure. Most of the users almost always use the same PIN number and don’t even know if everything has already been hacked.

For this reason, actual services are applied by combining two or more authentication means. Naturally, the user is less satisfied and demands a burden of management. In addition, basic patterns or PIN authentication technologies have difficulty in converging mobile and PC services. If PASSCON is applied, all of these problems can be solved at once. Since sufficient security can be maintained with only one authentication key, customer satisfaction can be maximized with PASSCON.

A company’s internal business system consists of a large number of services. Also, each system is very important for security. Therefore, there are many cases of introducing Single Sign On (SSO) to help employees manage their passwords. However, the inconvenience of periodically changing passwords is still large, and there are still concerns about hacking.

Recently, the use of Bring Your Device (BYOD) is increasing due to the spread of remote work. BYOD can be seen as a higher security threat as the network is open to the outside.

PASSCON is the best alternative for enhancing security of SSO and BYOD. By fundamentally replacing passwords, it is possible to enhance the level of security easily and at the same time improve the convenience of users. It is the best choice to protect the confidentiality of the enterprise and to support the stable working of individual employees.

There are millions of people using cryptocurrency exchanges. Cryptocurrency has a lot of additional security threats than fiat money deposited in financial institutions. Because cryptocurrency can be anonymized, it is a major target of hackers. The fiat currency of a bank is very different from the one in which withdrawal is impossible without a real name account.

Nevertheless, most exchanges apply a security system that does not even reach financial institutions. Passwords are stored on the web, and OTPs are mostly exposed when you open the app. This means that if the device is lost, the customer’s account is exposed to fatal risk.

If PASSCON is applied, the authentication key cannot be saved, so it is safe even if the device is lost. This means that customers will be able to use the exchange conveniently with greater trust.

Blockchain wallets are required not only for remittance of cryptocurrencies, but also when using general blockchain services. The problem is that blockchain wallets are too difficult and inconvenient for the general public. Therefore, recent blockchain service projects are applying a method in which the server holds the wallet’s private key and the user logs in to the server, which is not a decentralized blockchain.

In order to maintain the security concept of the blockchain, it is necessary to store the private key in the user’s terminal and create a signature for the transaction in the terminal device. In order to do that, the password is eventually used again, and the user has to bear the additional management of the private key using the mnemonic.

Therefore, to make it easy for the general public to use, it is necessary to apply PASSCON, not a password, and a custody service that removes the management burden for mnemonics by backing up the private key to the server is also required. PASSCON can completely encrypt the private key with PASSCON’s own authentication key, not a password, so it is optimal for wallet and custodial services.

In the case of a group company that provides multiple services, there is a problem of security and inconvenience that customers use several different IDs and passwords while using one brand. In order to alleviate this inconvenience of customers, an integrated authentication platform can be adopted. Various integrated authentication platforms can be proposed, but blockchain-based DID is the most effective alternative.

This is because the PASSCON-based DID platform can provide fast performance while fully utilizing the open advantages of the blockchain. Customers have a great advantage of using DID-based identification and simple login for all affiliates’ services with one-time identification.

In particular, the cost of developing an integrated authentication server and operating the platform can be greatly reduced by using the public blockchain mainnet or by adopting BaaS. In addition, DID Manager is very suitable for protecting personal information and privacy because it does not need to collect any personal information while supporting customers to use and manage DID easily.