From the Digital Atelier: the Akord Wallet
Our series, From the Digital Atelier, will openly share how we’re building a fundamentally new way to securely share, and collaborate on, confidential documents and data. In this first part of the series we’ll explain our digital wallet that stores the keys used to encrypt data.
The Challenges with Online Security
Before we get into explaining the Akord wallet, let’s first set the scene by briefly overviewing some of the main challenges with online security.
When you signup for a website you’re typically asked to create a username and password, which is then sent from your computer to the website’s servers. On the server it’s processed with a special algorithm that generates a hash, which is essentially a scrambled version of your password.
While this is standard practice, there are several ways that this system is exploited.
Man in the Middle Attacks
While most transmissions between your computer and the website’s servers are encrypted, it’s still possible to intercept your username and password. This can happen without you knowing, resulting in the attacker gaining access to your account.
Man in the middle attacks often aid in high-level wire transfer fraud. For example, an attacker who gains access to a CFO’s email account can maliciously verify a payment to the purchasing department without detection.
Brute Force Attacks
A more direct attack is on the actual web servers themselves. Through weak points in the software, or through a back office breach, attackers can gain access to the database servers. In 2017, 1.4 billion hacked passwords were found circulating on the dark web, revealing that many passwords are not even hashed and stored in plain-text on servers. Taking these large sets of genuine passwords offline, attackers can then leverage sophisticated pattern-matching techniques on hashed data to crack weak, commonly used passwords.
Two-Factor Authentication Attacks
To strengthen the security around online authentication, two-factor authentication (2FA) is used as a second layer of verification on top of your password. This second verification is often made on a different device, or in most cases via SMS.
The more sophisticated attacks involved hackers gaining access to the individual’s SIM chip and email account. In one attack, a hacker gained access to an individual’s cryptocurrency exchange account, cell phone SIM chip and their email account, all in coordination, while the individual was asleep, stealing over a hundred thousand dollars in cryptocurrency.
Understanding the Crypto Wallet
The Akord wallet is built on top of the same cryptographic schemes used to secure cryptocurrencies.
A cryptocurrency wallet stores the keys that digitally sign any transactions. Without them there’s no way to prove ownership of cryptocurrency, and no way to send or receive funds.
In real life your wallet holds various cards that enable you to move money around, make transactions and prove your identity. You can think of a crypto wallet in the same way.
In the cryptocurrency world the phrase “not your keys, not your money”, highlights the reality that if you want complete ownership of your currency you must not entrust the keys to your wallet to any online service.
When you create a crypto wallet, you must store a backup phrase of 12 or 24 words in case you lose the password to your wallet. As you own the keys, there’s no third party storing the password on a server somewhere.
Introducing the Akord Wallet
The Keys to the Safe
On Akord, you store your data in a digital safe, an encrypted space that secures your data, end to end. Our digital wallet stores all the cryptographic keys used on Akord for encrypting documents, giving consent to view them, and digitally signing contacts and other important actions within your safe.
When you create your safe, the wallet containing the keys is created at the same time. Similar to other services you will choose a password, which encrypts your wallet locally on your device. Every time you login, you need to enter your password to decrypt the wallet giving you access to your safe.
At no point does this password get communicated to our servers. You have complete ownership, and full control.
So what happens if you lose the password?
Similarly to a crypto wallet, we use a backup phrase of 12 words. You must store this phrase securely. Ideally, offline somewhere safe, as well as on a password manager like 1password or DashLane.
Verifying your Identity
While we believe privacy is a fundamental human right, we also believe in strong accountability. While we cannot see the data you share, sign any document or make an action on your behalf, we do require that your wallet is properly identified in our system.
In systems that involve strong privacy, identity is still required to have confidence in sharing the right documents with the right people.
To facilitate this process, we require that every user verify their email address with their wallet. To do this, we send you a magic link after signing up. The magic link contains a signature generated from your wallet and a signature from us. By clicking on the magic link, we’re notified that your email address is verified and your wallet is connected with our service.
Own the keys, own your data
To those familiar with cryptocurrencies this process of authentication involving a digital wallet with a backup phrase won’t seem so strange, but to a lot of people it may feel like unnecessary hassle.
If you’re not concerned with the security and privacy of your data, or the idea of truly owning your data, then continuing to use the many current cloud-based services available for storing and managing data may be the option for you.
But for individuals and businesses that are concerned with these issues, the only way to truly own your data and ensure its security is to own the keys to its encryption.
In our next article in the series, the Crypto Ledger, we’ll explain how we’re delivering strong accountability on Akord.