Sunday’s challenge was to identity and solve the problem with keys. Here’s my 10-minute time-boxed notes:
Problems with keys
* Forget them
* They break
* Losing them
* Once lost they are all suspect
* Wear out over time
* Relatively insecure
* Integrated with doorknob/locks
* They only prove you have the key, not that you should be granted entrance
* Used for locking and unlocking
* Need for one-time/visitor keys
* Physical presence is always needed
* People don’t return them when loaned (risk of copying)
* No tracking of usage
* Keys don’t tie to a person (audit entry)
* Need a separate key for everything
Problems with digital keys/locks
* Hardware/software failure
* Power outage
* Key codes are no more secure than a key
* Button solutions show the pattern over time
* Difficult to reprogram
* Internet connectivity is an attack vector
I believe that good-enough security is validated by one or more of these three things:
- I am a thing
- I can show my ID at a bank and they will validate my identify and give me money
- I have a thing
- I have a key so I can get into my house
- I know a thing
- I know a password so I can access my email
The problem is that we’ve decided that our home, the most valuable thing most of us will ever own – and the place where our physical and mental security is most important, only warrants a single validation. If I have a thing (a key), I can get in.
But that’s not quite enough. So we invest in security systems. Now I have to be able to prove that I know a thing: the security code.
Ok – two out of three. But why did I need to separate systems for that?
But it gets worse. When I leave my house I need to engage both systems separately and then get into my car where I need to use yet another key to get into , and start, my car. From here I drive to my office where I need another key to scan into the building. Or maybe I took my wife’s car – that’s another key. And another. And another.
By the end of it we’re all walking around with keyrings that rivel a 1970’s building supervisor. And we haven’t even talked about phones, computers, our strong boxes or safes, etc … it gets a bit nuts.
I’d like to see a universal standard for proximity-based key systems with optional code-entry. For example my car key fob should be able to open both my car and my house – but perhaps for my house I want to require a thumbprint on a pad on the house whereas with my car it might be enough to just be in the vehicle. Each consumer can decide what their risk threshold is and design a solution that works best for them.
And just for fun … this is probably a blockchain project. You “create” keys and lockable things as a block chain addresses, you can send keys access permissions from address to address (to grant access to others), use smart contracts to create one-time or limited-time access (house-sitters, etc), create limited-access keys (e.g, a key that allows UPS drivers to access your porch but not your home), or utility-based keys (allow USPS access to your mailbox but not anyone else). You can easily revoke keys, usages are tracked on the blockchain (and therefore easy to see who entered where/when), etc. If you want to carry 5 fobs – do that. If you want to carry a single one that works everywhere – do that. If you’re paranoid, add additional layers of security. If you’re not, don’t. Or find a middle-ground. Create a smart-contract that allows one-step access at normal times but requires multi-step access at night or when you’re on vacation.
That could all be done with the blockchain but it’d probably be easier to get funding with it.
Photo courtesy of Skitterphoto via Pexels.