What are ICOs and tokens in cryptocurrencies: an overview of the types and how to make money from it


Cybercrime has now become a global problem. For example, Dmitry Samartsev, director of BI.ZONE in the field of cybersecurity, cited the following figures at the World Economic Forum. In 2022, the damage to the global economy from cybercrime amounted to $1.5 trillion, he said. In 2022, losses are predicted to reach 8 trillion, and in 2030, damage from cybercrime could exceed 90 trillion dollars. To reduce losses from cybercrime, it is necessary to improve methods for ensuring user security. There are now many authentication and authorization methods available to help implement a strong security strategy. Among them, many experts highlight token-based authorization as the best.

Before the advent of the authorization token, a system of passwords and servers was used everywhere. This system remains relevant today because of its simplicity and accessibility. These traditional methods ensure that users can access their data at any time, but they are not always effective.

Consider how this system works. As a rule, password-based access rests on the following principles:

  1. Accounts are created: people come up with a combination of letters, numbers or other symbols that becomes their username and password.
  2. To log into the server, the user needs to keep this unique combination and always have access to it.
  3. To reconnect to the server and log in to the account, the user needs to re-enter the login and password.

Password theft is far from a unique event. One of the first documented cases occurred back in 1962. People have trouble remembering different combinations of characters, so they often write all their passwords down on paper, use the same password in several places, or only slightly modify an old password by adding characters or changing the case to use it in a new place, which is why the two passwords end up extremely similar. For the same reason, logins are often identical.

In addition to the risk of data theft and difficulty storing information, passwords also require server authentication, which increases memory load. Every time a user logs on, the computer creates a transaction record.

Token authorization is a system that works completely differently. Using token authorization, the secondary service verifies the server request. When verification is complete, the server issues a token and responds to the request. The user may still have one password to remember, but the token offers another form of access that is much harder to steal or overcome. And recording the session does not take up space on the server. Essentially, an authorization token is a device designed to ensure the user’s information security and is also used to identify its owner. Typically, this is a physical device used to facilitate authentication.

Types of authorization tokens

Authorization tokens vary in type. Let's look at them:

  1. Devices that need to be physically connected. For example: keys, disks and the like. Anyone who has ever used a USB device or smart card to log in has encountered a connected token.
  2. Devices that are close enough to the server to establish a connection to it, but are not physically connected. An example of this type of token is the “magic ring” from Microsoft.
  3. Devices that can interact with the server over long distances.

In all three cases, the user must do something to start the process. For example, enter a password or answer a question. But even when these steps are completed without errors, it is impossible to gain access without a token.

Conclusion

The main function of a cryptocurrency is purchasing; a token can have many functions and all of them will depend on the project on the basis of which they were created. Sometimes a token can become a cryptocurrency, but for this the project must become very popular so that the intrinsic value of its internal currency increases so much.

For example, Ethereum appeared as a token in 2014, but it was created on the basis of its own blockchain. The novelty of this project was the emergence of smart contracts, which are extremely popular today. This allowed ETH to develop into a valuable cryptocurrency in its own right.

Authorization token process

Authorization using a token occurs as follows. First, a person requests access to a server or protected resource. The request usually includes entering a username and password. The server then determines whether the user can gain access. After this, the server interacts with the device: dongle, phone, USB or something else. After verification, the server issues a token and sends it to the user. The token resides in the browser while work continues. If the user tries to visit another part of the server, the token is again associated with him. Access is granted or, conversely, denied based on the issued token.

Administrators set restrictions on tokens. It is possible to allow a one-time token that is immediately destroyed when the person logs out. Sometimes a token is set to self-destruct at the end of a certain period of time.

Blockchain domains

The third-largest seller of NFTs is naming services. Their products are similar to domain names like “.ru”, but are based on the blockchain.

The Ethereum Name Service allows you to create a website ending in “.eth”. The service started operating in May 2022 and has a turnover of 170,000 ETH. Coins paid for rent are blocked by a smart contract for as long as the participant owns the domain name. By purchasing a name for a site, the user receives an ERC-721 NFT, which can subsequently be sold on open markets.


Ethereum Name Service page with description of NFT “vitalik.eth”

The domains “.crypto” from Unstoppable Domains and “.kred” from NFT Kred are structured in a similar way. Thanks to the blockchain domain, the site can become completely censorship-resistant - no one can disable it. In the future, it will be possible to sell other services as NFTs: a subscription to an application, access to an online library, freelance work, or even a consultation with a specialist.

What is token-based authentication?

Token-based authentication is one of many web authentication methods used to ensure the security of the verification process. There is password and biometric authentication. Although each authentication method is unique, all methods can be divided into 3 categories:

  1. password authentication (usually remembering a combination of characters)
  2. biometric authentication (fingerprint, retinal scan, FaceID)
  3. token authentication

Token authentication requires users to receive a computer-generated code (or token) before they are granted access to the network. Token authentication is typically used in combination with password authentication for an additional layer of security (two-factor authentication (2FA)). If an attacker successfully implements a brute force attack to obtain the password, they will have to bypass the token authentication layer as well. Without access to the token, it becomes more difficult to access the network. This additional layer deters attackers and can save networks from potentially catastrophic breaches.

How do tokens work?

In many cases, tokens are created using dongles or key fobs that generate a new authentication token every 60 seconds according to a specified algorithm. Due to the power of these hardware devices, users must keep them secure at all times to prevent them from falling into the wrong hands. Therefore, team members must give up their key or fob if the team splits up.

The most common token systems contain a header, payload, and signature. The header consists of the payload type as well as the signature algorithm used. The payload contains any statements related to the user. The signature is used to prove that the message was not compromised during transmission. These three elements work together to create a highly effective and secure authentication system.

While these traditional token authentication systems are still in effect today, the rise of smartphones has made token-based authentication easier than ever. Smartphones can now be augmented to serve as code generators, providing end users with the security codes needed to gain access to their network at any given time. During the login process, users receive a cryptographically secure one-time passcode that is time-limited to 30 or 60 seconds, depending on server-side settings. These soft tokens are either generated by the authenticator app on the device or sent upon request via SMS.

The advent of smartphone token-based authentication means that most employees already have the equipment to generate codes. As a result, implementation and staff training costs are kept to a minimum, making this form of token-based authentication a convenient and cost-effective option for many companies.

Digital art

If you want to obtain copyright for digital data, you will need to collect documents, submit an application and spend up to 30,000 rubles. Instead, you can create an NFT - a unique digital item in a single copy that cannot be copied and is very difficult to steal. The token will contain a link to the work and the address of the owner, and therefore serve as proof of ownership.

Tokenized digital art has another important advantage. In a smart contract, you can specify a condition under which the creator will receive a royalty - a percentage of the sales of his work. This opportunity is provided by Rarible, a service for buying and selling digital works.


Rarible store page with digital art


Digital art with the lead singer of the group King and the Clown at Open Sea


Collectible NFTs from OG - Dota 2 world champions on Nifty Gateway

Ownership and exclusivity make physical works of art valuable. In the digital world, NFTs allow us to provide value. There have already been artists who have begun experimenting with technology. Projects Open Sea, Nifty Gateway, SuperRare, Known Origin, MakersPlace and Rare Art Labs have developed platforms for publishing and searching for such works.

Is it safe to use tokens?

As cybercrime increases and attack methods become more sophisticated, defense methods and policies must improve. With the increasing use of brute force attacks, dictionary attacks, and phishing to capture user credentials, it is becoming increasingly clear that password authentication is no longer sufficient to counter attackers.

Token-based authentication, when used in tandem with other authentication methods, creates a 2FA barrier designed to stop even the most advanced hacker. Since tokens can only be obtained from the device that produces them, be it a key fob or a smartphone, token authorization systems are considered very secure and efficient.

But despite the many benefits associated with a token platform, there is always a small risk. Of course, smartphone-based tokens are incredibly easy to use, but smartphones also present potential vulnerabilities. Tokens sent as texts are riskier because they can be intercepted during transmission. As with other hardware devices, smartphones can also be lost or stolen and end up in the hands of criminals.

Certification

Certification is probably the main use case for non-fungible tokens. We can use them to confirm the origin of a document, a piece of data, or even a physical object in the real world. Since blockchain tokens cannot be copied or spent twice, this ensures that they cannot be counterfeited.

For example, you can create a non-fungible token for a piece of art in the real world. It then becomes the official certificate of authenticity.

You can imagine a future where land records are stored on a blockchain and ownership is a token that corresponds to the land you own.

Token-based authentication best practices

Implementing a strong authentication strategy is critical when it comes to helping customers protect their networks from security breaches. But for the strategy to be truly effective, several important basic conditions must be met:

  1. Correct web token. Although there are a number of web tokens, none can provide the same reliability that a JSON web token (JWT) provides. JWT is considered an open standard (RFC 7519) for transferring sensitive information between multiple parties. Information exchange is digitally signed using an algorithm or pairing of public and private keys to ensure optimal security.
  2. Privacy.
  3. Using HTTPS connections. HTTPS connections are built on security protocols that include encryption and security certificates designed to protect sensitive data. It is important to use an HTTPS connection rather than HTTP or any other connection protocol when sending tokens, since other protocols increase the risk of interception by an attacker.

What are JSON web tokens?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way to securely transfer information between parties as a JSON object. This information can be verified using a digital signature. A JWT can be signed with a secret (using the HMAC algorithm) or with a public/private key pair, using RSA or ECDSA.

In their compact form, JSON web tokens consist of three parts separated by dots: header, payload, signature. Therefore, the JWT usually looks like this: “xxxx.yyyy.zzzz”.

The header consists of two parts: the token type, which is JWT, and the signature algorithm used, such as HMAC SHA256 or RSA.

The second part of the token is a payload containing information about the user and the necessary additional data. Such information can be registered, public or private.

Registered information is a set of predefined keys that are not required but are recommended to provide improved security. For example, iss is the unique identifier of the party generating the token, exp is the time in Unix Time format that determines the moment when the token becomes invalid, and there are others.

Public information can be defined at will by those using JWT. But the keys must be defined in the IANA JSON Web Token Registry or defined as a URI that contains a collision-resistant namespace. Private information is user information created to be shared between parties who agree to use it. The second part of the token is then obtained by encoding the payload with Base64Url.


The signature is used to verify that the message has not been modified along the way, and in the case of tokens signed with a private key, it can also confirm that the sender of the JWT is who he claims to be.

The output is three dot-separated Base64Url strings that can be easily transmitted in HTML and HTTP environments while being more compact than XML-based standards such as SAML.

Example:

eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NSIsIm5hbWUiOiJKb2huIEdvbGQiLCJhZG1pbiI6dHJ1ZX0K.LIHjWCBORSWMEibq-tnT8ue_deUqZx1K0XxCOXZRrBI

The advantages of using JWT include: size - tokens in this format are tiny and can be transferred between two users quite quickly; simplicity - tokens can be generated from almost anywhere and do not need to be verified on the server; control - you can control what the user can access, how long that permission will last, and what they can do while logged in.

The disadvantages include: a single key - JWT relies on one key, so the entire system is at risk if that key is compromised; complexity - JWT tokens are not easy to understand, so a developer who does not have deep knowledge of cryptographic signature algorithms can unintentionally put the system at risk; limitations - it is not possible to send messages to all clients, and it is impossible to manage clients from the server side.

Why use authorization tokens?

Many people believe that if the current strategy is working well (even with some errors), then there is no point in changing anything. But authorization tokens can bring many benefits.

They are good for system administrators who often grant temporary access, for example when the user base fluctuates depending on the date, time or a special event. Repeatedly granting and revoking access creates a significant burden on people.

Authorization tokens allow granular access, i.e. the server grants access based on specific document properties rather than user properties. The traditional login and password system does not allow for such fine-tuning of details.

Authorization tokens can provide increased security. The server contains confidential documents that could cause serious damage to a company or country if released. A simple password cannot provide sufficient protection.

There are other benefits to using this technology. But even those already listed are enough to implement it on the server.

Virtual worlds

You can tokenize things inside virtual worlds. Unlike games, virtual worlds do not have any obligatory plot. This is an attempt to recreate reality in the digital space and maintain maximum freedom of action. For this purpose, NFTs are an indispensable tool.

The most popular virtual world on the blockchain is Decentraland. Every piece of land in this world represents an NFT called LAND. On it, users can build playgrounds and hold games, exhibitions, and parties. One of the successful user projects is the racing game Battle Racers.


Building in Decentraland


Gameplay of the game Battle Racers

Another example of a virtual world is Cryptovoxels. Its distinctive feature is the ability to display your NFTs within the world. Collectibles enthusiasts are building CryptoKitties museums, meme art galleries, towers of top NFT designs, and even shops. This made the virtual world of Cryptovoxels popular among digital artists.


Exterior view of digital artist Synoptic's gallery at Cryptovoxels


Inside view of digital artist Synoptic's gallery at Cryptovoxels

There are other virtual world projects including Somnium Space, Sandbox and Sensorium Galaxy. They are still technically imperfect and are just beginning to attract users. In the future, it will be possible to move between different worlds and use them not only for entertainment, but also for earning money.
