How OneID works: The details

Please see How OneID works: The basic concepts before you read this document. That will explain the core concepts of OneID. This page describes how OneID works in much more detail.

OneID was designed to be the ultimate digital identity: a digital identity that you could use anywhere for anything.  Desktop, mobile, in-person, over the phone, consumer, and enterprise. Easy, secure, and private. A single permanent identity that you control, that can never be stolen or forgotten, and that would never have to be changed. As easy to sign into as Facebook Connect, as easy to buy as Amazon 1-click, and as secure as the strongest 2-factor authentication techniques. End-to-end security. The best technology to replace the use of username/passwords. Authentication, authorization, information sharing, digital claims, identity proofing, user and RP defined attributes and certificates, and more. One identity to rule them all. The world’s most trusted cloud identity provider. That is the OneID vision.

In order to achieve these goals, we had to reinvent identity from the ground up. In particular,

1.       We use digital signatures instead of usernames and passwords. Digital signatures are like traditional paper signatures: easy for you to create, easy for anyone to verify, but impossible for anyone else to forge. They are much more secure than usernames and passwords. When you log into a website using OneID, you will be presenting the site with your digital signature, not a username or password. OneID uses cryptographic protocols and parameters approved by the NSA (known as "Suite B").

2.       We never share secrets. When you type in a secret, such as a PIN code or password into one of your devices, that secret will never leave your device. Instead, the PIN code or password is combined with a local salt and used to generate digital signatures so that the OneID servers can verify that you know the correct PIN code or password without OneID knowing what your PIN code is.

3.       We store part of your identity on your devices and a different part in our servers. In order to log into a website, you must present a digital signature from your device and a digital signature from OneID. This means that your identity can never be used without involving at least one of your devices, so your identity remains secure even if someone breaks into any of the sites you use or the OneID servers.

4.       Our servers help you out, but we know almost nothing about you. OneID servers are used to store your encrypted data and to facilitate transactions (such as co-signing your actions). Your personal information (such as your address, phone number, etc.) can only be decrypted by the browsers that you've enabled for use with OneID. We don’t know the sites you visit or what is in your profile. We store your name and email address for administrative purposes, but that's it.

From a user experience point of view, OneID behaves almost identically to Facebook Connect. So it's very easy to use. But there are two big differences between OneID and Facebook Connect that you would notice: 1) you have to pre-authorize a browser before you can use it with OneID and 2) OneID doesn't require the use of a username or password to sign in to OneID (you decide how you want to secure each device you use).

Under the covers, OneID is completely different than any other digital identity available today. Here’s an explanation of nine OneID operations and how they work:

1.      Create a new OneID. When you create a OneID account, it generates a 256 bit random number and stores it in your browser’s HTML 5 local storage. This is known as your private signature key. This number allows you to digitally sign your requests.  A digital signature is simply a fancy mathematical computation (known as elliptic curve digital signature algorithm or ECDSA for short) that requires your private signature key and results in a 512 bit number. Because only your device knows your private key, your device is the only computer in the world that can sign things for you. Your private key is also used to compute a second 256 bit number which is known as your public signature key. The public key can be freely given out. Your public key enables websites to do a fancy mathematical computation to verify that you know the private key without disclosing to the website what your private key is. At the same time this is happening, the OneID servers are doing the same operation (generating a private signature key and computing a public signature key). This private signature key is held by OneID and never disclosed to you or your devices. It is exclusively used for co-signing things for you and is unique to your account.

2.      Create a new account at a website. When you create an account at a website, you give the site both your public signature key and the public signature key from the OneID servers. These two keys are kept on file at the website. They allow the website to verify signatures when you sign in in the future. Only you and OneID will be able to create those two signatures. For privacy reasons, OneID will generate a unique set of public keys for each website you visit. This is known as "unidirectional" identity.

3.      Sign into a website. When you click OneID "Sign In" on a website, the website asks you to digitally sign the "Sign In" request. You sign it (using your private signature key), you ask OneID to co-sign it (using the private signature key that OneID has stored for your account), and you send both signatures back to the website. The website compares the two signatures you presented with the two public signature keys on file and, if both signatures match, it lets you in. This results in an end-to-end secure system because the signatures are generated on your computer (one "endpoint") and verified by the computers of the website (the other "endpoint"). End-to-end security is the holy grail for computer security; it is much more secure than involving a third party in the transaction, e.g., Facebook or Google or a third party Certificate Authority (CA). If you log into a site using Google, an attack or programming error at Google or Facebook can compromise your identity because Facebook/Google are asserting your identity on your behalf. OneID is much safer because it is your devices asserting your identity... a programmer at OneID can't log in as you because OneID never gets the secret of creating your signature.

4.       Sign into OneID. Before you can use OneID on a browser, you have to sign into OneID using your digital signature and a unique browser ID signature. If that browser is authorized, OneID will then co-sign requests for you from that browser until you explicitly sign out of the browser (or your timeout expires). Using your OneID control panel, you can set what security level is required to sign into each device you have (which applies to all the browsers on that device) and set how long you want to stay signed in. So your iPhone might have no protection (you just pick your name from a list), your home desktop could require a password to sign in to OneID, and your iPad could require approval of your iPhone using a PIN code.

5.       Add OneID to your other devices. To add OneID to a new device, you’ll need access to a browser which already has your identity. You can then copy the secrets from that device to a new device by scanning a QR code on the new device using your OneID Remote app or by clicking on a hyperlink in your email on the new device. Essentially, you are securely copying digital secrets from your old device to your new device in a way that OneID cannot read the data. The device private key is not transferred; the new device will always generate a unique deviceID so that if necessary, it can be disallowed on a per device basis without having to re-issue public keys to the websites. See "Disable a device" below.

6.       Share your information. When a site asks you for information, such as filling out a form, your browser will download the encrypted information from the OneID servers, decrypt it locally, give it to the website, and then forget it. OneID never sees your information and it is not accessible on your computer after the transaction. The site must be modified to add a OneID QuickFill button for this to work.

7.       Disable a device. If your device is lost, stolen or compromised by malware, you can use any of your existing devices to remove that device from your identity. When you do that, the OneID servers will refuse to co-sign any requests from the removed device so that any attempt to sign in to a web site (or to OneID) will fail because two digital signatures are required. None of the websites ever have to change the signatures on file or be expressly notified of the removed device. It is the absence of the OneID co-signature that causes the website to deny the request. This is one of the main reasons OneID uses two independent digital signatures rather than a single digital signature.

8.       Recover your identity if you lose all your devices (or you need to use OneID, but you left all your devices at home). When you created your OneID account, we encrypted the private signature key that resides on your devices using a random 128 bit number (your recovery secret key) and stored that in the OneID servers. Because OneID doesn't know your recovery secret key, and because the recovery secret has high entropy (128 random bits), it can never learn your private signature key. Your device sends your recovery secret key to you in the form of a URL for safekeeping (it doesn't touch our servers). You can store that URL in your email or on your computers. If you click on the URL, it will display a QR code. You can print out the QR and store it in your wallet (so you always have it handy) and/or some safe locations. To recover your identity, you just scan the QR code using the OneID app, enter your PIN code, and you're back in business. Even if someone uncovers your account recovery code, they won't be able to steal your identity because they won't be able to guess your PIN code. OneID only allows 5 recovery PIN code guesses a day. So on average you'll have well over a year of warning messages if your recovery code falls into the wrong hands.

9.      Customize the security. You or the website can instruct OneID not to sign certain operations unless there is additional confirmation using a password or confirmation from your OneID mobile app. A PIN code on your mobile app can optionally be required. You can configure this extra security using your OneID Control Panel on a per device, per website, or per transaction basis. For example, you can require that a PIN code be entered on your mobile app for every $100 you spend (or wire transfer out of your bank account). So even if all your devices are stolen, and you don't realize it immediately, you are still protected since most thieves are after your money. They won't get very far without knowing your PIN code. OneID's philosophy on security is to focus on protecting high value assets (like your money) with two-factor out-of-band security (i.e., a second device), but making other operations (such as login to a news site) very convenient. OneID gives you security exactly where it is needed.
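
The two-signature sign-in of operation 3 and the device removal of operation 7 can be sketched as follows. This is an added example, not OneID's own code: it assumes ECDSA on P-256 with SHA-256 and a random per-request challenge from the website, and the names NewKey, Sign, Challenge, CoSign and Verify and the "laptop" device ID are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewKey makes a P-256 signing key (a device key or OneID's per-account key).
func NewKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// Sign returns an ECDSA signature over an already-hashed request.
func Sign(k *ecdsa.PrivateKey, digest []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, k, digest)
	return sig
}

// Challenge is the site's "Sign In" request: a fresh nonce (assumed), hashed for signing.
func Challenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	d := sha256.Sum256(append([]byte("Sign In|"), nonce...))
	return d[:]
}

// CoSign is the OneID server side: it returns nil for a removed device.
func CoSign(oneidKey *ecdsa.PrivateKey, removed map[string]bool, deviceID string, digest []byte) []byte {
	if removed[deviceID] {
		return nil
	}
	return Sign(oneidKey, digest)
}

// Verify is the website's check against the two public keys it has on file.
func Verify(userPub, oneidPub *ecdsa.PublicKey, digest, userSig, coSig []byte) bool {
	return ecdsa.VerifyASN1(userPub, digest, userSig) && ecdsa.VerifyASN1(oneidPub, digest, coSig)
}

func main() {
	dev, srv, removed := NewKey(), NewKey(), map[string]bool{}
	d := Challenge()
	fmt.Println("active:", Verify(&dev.PublicKey, &srv.PublicKey, d, Sign(dev, d), CoSign(srv, removed, "laptop", d)))
	removed["laptop"] = true
	fmt.Println("removed:", Verify(&dev.PublicKey, &srv.PublicKey, d, Sign(dev, d), CoSign(srv, removed, "laptop", d)))
}
```

The website's stored keys never change when a device is removed; the sign-in fails only because the second signature is missing.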

For more information, see OneID documentation