The FYEO Identity password manager (“FYEO ID”) presents a new and groundbreaking technology shift in password management. We are going from remembering passwords to calculating them. The FYEO ID solution is based on private key technology that generates passwords from strong key material that is cryptographically secure with a high information entropy.
Note: Depending on your familiarity with encryption methodologies, to be able to understand the solution and the technology, some base terminology needs to be established which is included at the end of the article.
Difference Between Public and Private Key Technology
If you have used a bitcoin or any other cryptocurrency wallet before you are likely familiar with public versus private keys. The public key being what you share with another individual or entity if you want them to send you a token, while the private key is your most closely guarded secret, something that is shared with no one. For the uninitiated, think of public keys as being like a business address - it is public, searchable and anybody can look it up. In asymmetric encryption, public keys can be shared with everyone without fear of giving up information or assets you would not want anyone to get their hands on (e.g. your passwords). These public keys are used to encrypt messages or transactions.
Every public key has a counterpart, namely the unique private key with which it is paired. Your private key is, as its name implies, private or ‘for your eyes only’, similar to the key to open a bank vault. The private key ensures you and only you have access to the items guarded within the vault.
The public and private keys together ensure the secure exchange of data since a message encrypted with a public key cannot be decrypted without using the corresponding private key. In the case of FYEO ID, the private key is the key to unlocking all your credentials and calculating secure passkeys (i.e. passwords).
FYEO ID: The Role of the Distributed Ledger
FYEO ID uses a distributed ledger to store the metadata for your credentials. This is a distributed database that stores encrypted metadata about your login credentials on any particular site. The data stored is the hash of the site and the username together with a cryptographic nonce that indicates what iteration of the credential to produce from the private key material. This also allows the storage of rights management information such that if you have shared these credentials with another user, basically enabling FYEO ID to be used as a rights management system with authentication and auditing.
FYEO ID: Calculated Passkeys vs. Generated Passwords
In a typical password manager, complex passwords are generated using a random password generator - a software program, hardware device, or online tool that automatically generates a password using parameters set by the API of a website or the individual user. These generated passwords use a mix of letters, numbers, symbols at a certain length and strength. The intended goal is to create truly ‘random’ passwords with a high level of entropy. However, traditional computer systems just are not very good at generating random results - they are deterministic, which means that if you ask the same question you will get the same answer every time. These passwords may be safe depending on what techniques are employed, but it is important to understand that traditional password managers use one of two techniques - passwords generated using pseudo-random number generators (PRNGs) and a cryptographically secure pseudo-random number generator. FYEO ID takes a different approach.
FYEO ID-generated passwords (Passkeys) use a key derivation function (KDF) that takes a source of initial key material, usually containing a high amount of randomness, but not distributed uniformly or for which an attacker has some partial knowledge, and derive from it one or more cryptographically strong secret keys. In FYEO ID, this is used with the hash of the site URL and username together with a nonce to derive a key for each password that is then encoded as a string to be used as a passkey.
Calculating versus generating keys has a strategic purpose in the evolution of the FYEO ID password manager in that it allows us to automatically or, with a single click, update a credential or multiple credentials in the background when a breach for that site is detected by using the nonce function to derive a new password from your key material. This is an evolutionary step in password management since a) it does not rely on the user having to go to a site to change a password, and b) can be applied to the login credentials for IoT- and other hardware devices.
FYEO ID: Identity (Breach) Reporting and Notifications
If you have ever used an application or service like haveibeenpwned, it suffices to uncover sites and applications where your personal email address has been part of a breach, but it provides only more generalized data on what was exposed during the breach instead of the exact details. This makes sense since anyone can search any email address so exposing personal information would be a terrible idea without proper verification. With FYEO ID, our core value of transparency dictates that we show you the plaintext information of what was exposed, so you can evaluate your vulnerability and take the actions needed to protect yourself.
The FYEO Breach Database currently has indexed over 25 billion leaked credentials from historical breaches and plaintext passwords - with every breach we index, this number grows as it is added to our database. Verifying ownership of an email (the only PII we currently request) gives you access to your historical identity report and notifications in the FYEO ID extension when a verified email address has been exposed in a breach. Today, we have a one-click solution from the extension to that site to change the password and in the future we will enable automatic password changes right from the extension or mobile app.
How we collect the data
Our intelligence team acquires the data through extensive research in both public and private assets that we have collected since 2015. After we collect this data, it is analyzed and evaluated for ingestion based upon specific internal criterias. The data that we upload to our database includes: emails, usernames, password hashes, plaintext passwords and source. All PII Is removed.
FYEO will never buy, trade or share information on what leaks we have/want.
How we store the data/Why trust us?
Each employee that has access to this data is rigorously screened before being permitted access and all data is stored and encrypted in a secure physical location with strict access control.
All FYEO employees are trusted veterans in the security community and have worked for many of the Fortune 500 companies.
What you should do if you are notified of a breach
Our advice is to change the affected asset (credential) as soon as you get the notification and use FYEO ID to generate a new credential.
FYEO ID: Glossary of terms
Master key / Seed key
The master key or master seed is a sequence used to create the private keys of the client. In short, this is a 256-bit string generated by a secure and cryptographically proven pseudo -random function. This secret must be protected and may never be stored in its unencrypted form. Master password / Key password
This is the password that is used to encrypt and decrypt the master key. The password is selected by the user to protect the master key. Entropy
A measure of the randomness or diversity of a data-generating function. Data with full entropy is completely random and no meaningful patterns can be found. Low entropy data provides the ability or possibility to predict forthcoming generated values. Elliptic-curve cryptography (ECC)
The cryptography and signing as well as key derivation in the FYEO ID solution relies on ECC which is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography to provide equivalent security. Elliptic curves are applicable for key agreement, digital signatures, pseudo-random generators and other tasks. Indirectly, they can be used for encryption by combining the key agreement with a symmetric encryption scheme. Private key
Private key is the private part of a public/private keypair and should never be shared with anyone nor be stored unencrypted on the device. Public key
The public key is a derivative from the private key that can be shared with other users. Signing Keypair
This is the keypair used to sign transactions via message signing. The Signing keypair is derived from the user's Seed key. The keypair consists of a private and a public key. Encryption Keypair
This is the keypair used to sign and encrypt the content of the transactions for the user. The encryption keypair is derived from the user's Seed key. The keypair consists of a private and a public key. Nonce (Cryptographic Nonce)
In cryptography, a nonce is an arbitrary number that can be used just once in a cryptographic communication. It is similar in spirit to a nonce word, hence the name. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. They can also be useful as initialization vectors and in cryptographic hash functions.
In FYEO ID, nonces are used extensively both for message signing, message encryption as well as deriving passwords from the key material. Key derivation function (KDF)
A KDF is a basic and essential component of cryptographic systems. Its goal is to take a source of initial keying material, usually containing some good amount of randomness, but not distributed uniformly or for which an attacker has some partial knowledge, and derive from it one or more cryptographically strong secret keys.
In FYEO ID, this is used with the hash of the site URL and username together with a nonce to derive a key for each password that is then encoded as a password. Distributed Database / Distributed Ledger
A distributed ledger (also called a shared ledger or distributed ledger technology or DLT) is a consensus of replicated, shared, and synchronized digital data, geographically spread across multiple sites, countries, or institutions. Unlike with a distributed database, there is no central administrator.
A peer-to-peer network is required as well as consensus algorithms to ensure replication across nodes is undertaken. One form of distributed ledger design is the blockchain system, which can be either public or private.