Security is one of the hottest topics in today’s ever-evolving digital world. A steady flow of debate continues to take place at tech forums worldwide on topics like encryption, passwords, two-factor authentication, hardware wallets and the like.
As cryptocurrencies and the tools being used to manage them take shape, questions loom about the most efficacious ways to protect both user assets and privacy. One individual who is at the epicenter of this active space is Paul Puey. He is co-founder and CEO of EdgeSecure, a blockchain-inspired, decentralized, open-source, zero-knowledge, global information security solution platform.
In an interview with Bitcoin Magazine, Puey talks about the tricky balance between new security and privacy measures being introduced and user experience. He also explores an emerging theme called “securing the edges” that forms the basis of his current work.
BM: What sort of problems are you attempting to solve these days?
PP: The aspect of cryptocurrency we initially wanted to address revolved around how to effectively use secure keys. That was the impetus behind our decision to build a feature-rich, functionally rich wallet at Airbitz over the years. We feel like this has really differentiated us in the whole area of key management.
BM: How does your concept of EdgeSecure fit in here?
PP: Our goal has been to broaden Airbitz by turning our key management standard into a platform for other apps. Even before we rebranded, we were already using the term Edge Security to examine how to come up with a solution that’s different from enterprise security. We view our approach as fundamentally different in the sense that we’re not trying to make a router or server more secure. Rather, our aim is to take data and secure it before it ever hits a device.
In short, we are able to secure data before it goes out onto a network or server. People and their devices are what we are trying to secure. That’s where the term Edge comes from — before a user’s data ends up on their device, goes out to a network, goes onto a server — the encryption of that data happens first, as we say, “on the edges.”
BM: But what about server networks?
PP: We still believe that server security is important. But the visibility and encryption of that data all happens first before the data gets saved, broadcast and sent out on the network or gets onto a server. The concept of making data private and secure to the point where only the user can access it “on the edges” has never been an area of focus for cybersecurity companies.
BM: So, in a nutshell, how does all of this actually work?
PP: It works through a combination of technologies we’ve had for decades but that have never been packaged the way we are seeking to. The technology that we’ve developed involves encrypting data on the client side. Most of the software out there doesn’t do this. Rattle off any app that you are running on your computer or your phone, and the data you generate and create is not encrypted, let alone automatically backed up.
BM: Are there other security measures you’ll be employing?
PP: We’ve also added two-factor authentication, although I fundamentally hate it from a user experience point of view. Two-factor is particularly problematic and a poor approach if the second factor for authorizing access is a phone number or email address. It’s better than nothing, but it’s not what one would consider to be “good two-factor.”
BM: Is there a solution to this?
PP: Yes, since 2015, we’ve been employing what we call “one touch, two-factor,” where we take two-factor and make it invisible by baking it in our Airbitz app. This eliminates the need for notification by SMS or email, or via an app like Authy or Google Authenticator.
BM: Can you talk a bit about password recovery? This can be a big issue with crypto users.
PP: It is indeed. Think about this for a moment: If you lose your mobile phone or other type of device, in the Google Authenticator world you have just lost your access completely. So, it’s up to the service you are using to determine a recovery mechanism. What’s interesting is that some services don’t give you one. Others offer recovery via email, SMS, or another similar mechanism, which then introduces the same issue. We, therefore, believe in recovery via time lock, where your account is locked for a period of time before you can reset it.
BM: In the meantime, are there ways to prevent users from losing their password in the first place?
PP: There is some psychology involved here. Part of our philosophy at EdgeSecure is to carefully align technology with humanity. This involves a recognition of the fact that we’re all fallible beings, that we do forget passwords. One step we employ to help people not forget passwords is to ask them to voluntarily enter it from time to time when they go to access their app. Our intent is to give them the opportunity to change it if they forget it at that moment.
BM: How exactly does this work?
PP: We have an algorithm inside of the app that has what we call a reminder “step off,” based on users actually entering it. This “step off” is how frequently we remind you based on how many times you’ve actually entered the password in the past. Obviously, you can get into the app with a PIN, thumbprint and now facial ID. But if you lose that device, the password is the only way to get back on.
BM: This seems like an idea that other tech solution providers will likely want to pick up on.
PP: No doubt. We fashion ourselves as the world’s only password recovery for encrypted data. While that, in and of itself, is a patentable idea, we’ve opted to not patent, in the name of open source, open collaborative effort.
BM: What sort of criticism do you hear from the crypto community?
PP: One of the main ones we get is that we are not as secure as a hardware wallet. These criticisms come from people that often harbor the biggest fears of something that I have yet to see happen, namely, a person losing crypto from a device attack. Sure, you might hear of publications espousing theoretical exploits. But I haven’t seen evidence of a mass exploit with cryptocurrency taken on a device with encrypted data. Yet there are millions, if not billions, of dollars being poured into solutions for that problem.
BM: Aren’t hardware wallets a great resource then for those who have these concerns?
PP: They can be. But it’s important to keep in mind that with hardware wallets, the attack vector isn’t someone getting into it digitally over the internet. Rather, the attack vector is the individual user. I can’t count the number of people who say to me after purchasing a hardware wallet, “Now, I’m secure!” I then ask them, what did you do with the backup information? Often they’ll say, “I put it on Google Drive.” My response: “You did what? That’s the worst thing you could possibly do with the private key.”
BM: Finally, what are your thoughts regarding security vulnerabilities among centralized exchanges?
PP: It’s a big concern, no doubt. Coinbase is obviously the most recognizable example in the crypto world, but I don’t think that their model can survive long term. I’d describe them as a $15 billion piñata for hackers. Yes, they haven’t been hacked and I believe a combination of luck and skill has prevented that from occurring.
BM: So do you believe that it’s just a matter of time before a serious hack occurs?
PP: Let me say this. One of the hardest aspects of centralized security is that it doesn’t scale. In other words, the bigger you get, the harder it is for you to secure. And as the pot becomes bigger, you have to hire and entrust more and more people inside the company. So it takes just one bad apple with access and there goes a lot of user money.
BM: Where do you see this security space headed?
PP: In the next 3–5 years, we should actually see a trend where users will seek out what I call Edge-secured apps, where people can control their own data. These encryption and Edge solutions will be invisible to those using the app, which will go a long way toward enhancing user experience along with security and privacy.