Is the Trust Nexus a strong authentication process?
The Trust Nexus meets the criteria for strong authentication as defined by the U.S. government's National Information Assurance Glossary:  "Layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information."
The Trust Nexus also meets all the goals of the Department of Homeland Security's program for Secure Driver's Licenses (formerly the "Real ID Act") without any of the problems.
Is the technology of the Trust Nexus a "disruptive technology"?
Secure digital credentials on mobile devices represent a Disruptive Technology that will significantly impact every aspect of identity management.
The term Disruptive Technology comes from Clayton Christensen's classic treatise, The Innovator's Dilemma.  Christensen points out that the fatal flaw in corporate strategy is to allocate resources based exclusively on improvements in "sustaining technologies" while ignoring innovation in "disruptive technologies".
"Disruptive technologies typically offer a cheaper solution to a small, often unidentified subgroup.  Once established within this small market the disruptive technology evolves through sustaining technology until it eventually satisfies the performance criteria of more traditional markets.  When this happens, the disruptive technology bursts onto the scene, attacking the soft underbelly of the established corporations, often with fatalistic consequences.  In the parlance of evolutionary biology, disruptive technology is like punctuated evolution; fast with significant changes in the gene pool." [ref]
Heilmeier's Catechism
A set of questions credited to George Heilmeier that anyone proposing a research project or product development effort should be able to answer.[ref]
What are you trying to do? Articulate your objectives using absolutely no jargon.
Our objective is to create a worldwide system for secure digital credentials and secure financial transactions.
A system is truly secure if the plans for the system are public and the bad actors still cannot break in.

We have succeeded in creating a prototype system with the following characteristics:
  • Consumer Friendly ~ Users touch one button on their mobile device to authenticate to both web based and mobile applications.
  • Cryptographically Secure ~ Even if a user's mobile device is lost or stolen his/her credentials are secure (no password based encryption processes; no dependency on "phone lock" OS processes).
  • Simple ~ The source code is crystal clear and easy to implement (Android and Java EE; other platforms coming soon).
  • Effective ~ We completely do away with user names and passwords and all of their weaknesses.
  • Low Cost ~ Our technology and infrastructure services are FREE for every publicly facing website for general user authentication.  There is a nominal licensing fee for corporations and government agencies for internal authentication (e.g., free for banking customers; a small annual fee for banking employees).
  • Also secures three party credentials (passports, driver's licenses, insurance and financial credentials).
  • Eliminates fraudulent financial transactions.
  • Easy Upgrade Path ~ Any web or mobile application that is currently depending on user names and passwords can make an easy upgrade.
How is it done today, and what are the limits of current practice?
Currently, usernames and passwords are the most prevalent form of authentication.
The article, The Future Of Web Authentication, stated, "So far, no one has found an intuitive, affordable way for users to sign in to accounts with the same kind of uniform acceptance as passwords."  This article provides an overview of the current state of the art.
Highlights from the article:
  • The user name-password approach is the lowest common denominator for authentication.
  • Passwords are particularly problematic for Internet security as frequent hacks and breaches show.  Just last month, a breach at LivingSocial, an online coupon company, exposed 50 million user passwords. Such break-ins give hackers the power to masquerade as any number of Internet users online. And when they aren't stealing credentials, cyber thieves use password guessing and cracking tools to compromise authentication systems.
  • Users themselves frequently assist the thieves, falling for phishing scams and reusing passwords across different sites.
  • Security leaders for years have said that passwords must be abolished, but the alternatives have fallen flat because they're built on flawed assumptions... For example, challenge-and-response systems assume that attackers can't find the answers to users' established questions. And hardware token systems assume that attackers couldn't steal the tokens or the algorithmic information that powers them.
  • Hardware tokens and biometrics have worked reasonably well in business environments that require people to sign on to an internal network, hardware device or software system. However, they haven't translated well online, because the cost of providing tens of thousands of people with the hardware is prohibitive.
  • Two-factor systems based on tokens are difficult to use since people must have the PIN-generating device any time they log on. For online authentication to be widely used, people would have to carry numerous fobs to authenticate into multiple websites. It's an unwieldy process and still based on shared secrets - though admittedly more complicated ones.
In addition to the limitations described in the article, there are limitations to the other major approaches proposed for secure authentication: OpenID, OAuth, geo-fencing, and biometrics.
How does the Trust Nexus compare with OpenID?
There is a great deal of controversy surrounding OpenID brought on primarily by those who have over hyped the potential of OpenID.
Stefan Brands (an information technologist specializing in digital identity, security, and privacy) clearly stated, "OpenID was designed as a lightweight solution for 'trivial' use cases in identity management: its primary goal is to enable Internet surfers to replace self-generated usernames and passwords by a single login credential, without needing more than their browser.  Concretely, OpenID aims to enable individuals to post blog comments and log into social networking sites without having to remember multiple passwords.  Beyond this, OpenID is pretty much useless. The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID 'consumer.'"
The original OpenID authentication protocol was developed in May 2005.  While there are many organizations that offer OpenID, very few users have actually created OpenID accounts.  The fact is that most users do not understand the concept of pasting a URL into a sign-on field instead of using a user name and password.
The primary problem with OpenID from an identity management perspective is that there is no coherent security model for OpenID; because of this, OpenID is relegated to a Level 1 Assurance system ("Little or no confidence in the asserted identity’s validity.") by the federal government.[ref]
In contrast, the Trust Nexus uses “hard” cryptographic tokens within a coherent security model and is a Level 4 Assurance system (the highest level; "Very high confidence in the asserted identity’s validity.").
You can have hours of "Googling Fun!" by searching on the phrase, "problems with OpenID"...
  • The problem(s) with OpenID
  • The Troubles With OpenID 2.0
  • A fundamental problem with OpenID
How does the Trust Nexus compare with OAuth?
No doubt there are many good technical people who have committed long hours to the development of OAuth; unfortunately, they have all wasted their time.
While the original OAuth spec had the potential to develop into a sound security model, OAuth 2.0 dumped all cryptographic processes in favor of becoming an "institutional blueprint" for selling services.
These changes caused one of the lead OAuth contributors to resign from the working group: In July 2012, Eran Hammer resigned his role of lead author for the OAuth 2.0 project, withdrew from the IETF working group, and removed his name from the specification.  Hammer pointed to a conflict between the web and enterprise cultures, citing the IETF as a community that is "all about enterprise use cases", that is "not capable of simple". What is now offered is a blueprint for an authorization protocol, he says, and "that is the enterprise way", providing a "whole new frontier to sell consulting services and integration solutions". [ref]
In comparing OAuth 2.0 with 1.0, Hammer points out that it has become "more complex, less interoperable, less useful, more incomplete, and most importantly, less secure"... He explains how architectural changes for 2.0 unbound tokens from clients, removed all signatures and cryptography at a protocol level and added expiring tokens because tokens couldn't be revoked while complicating the processing of authorization. Numerous items were left unspecified or unlimited in the specification because "as has been the nature of this working group, no issue is too small to get stuck on or leave open for each implementation to decide". [ref]
The fundamental flaw with OAuth 2.0 is that it is a "Delegated Authorization protocol, and not an Authentication protocol."  The Trust Nexus focuses exclusively on the authentication piece of the identity management puzzle; we leave the authorization piece of the puzzle to the hundreds of identity management system providers.
You can have hours of "Googling Fun!" by searching on the phrase, "problems with OAuth"...
  • OAuth - A great way to cripple your API
  • The problem with OAuth for Authentication.
  • RFC 6819 - IETF Tools - OAuth 2.0 Threat Model and Security Considerations.  If you are a software engineer and you are working for a non-technical executive who is determined to implement OAuth 2.0, print out this seventy-one page document and leave it on the executive's desk with a box of crayons.
How does the Trust Nexus compare with OpenID Connect?
OpenID Connect is an attempt by some to solve the problems of OpenID and OAuth.
"OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol.  It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner...  OpenID Connect performs many of the same tasks as OpenID 2.0, but does so in a way that is API-friendly." [ref]
Will it be possible to create a simplified and elegant process out of a conglomeration of two bad protocols?  It seems unlikely.
In all the existing federation processes the user experience is similar:  The user goes to an authentication page and selects from a list of identity providers.  The user is then passed to the identity provider's authentication page where he/she enters his/her user name and password.  This process establishes a single point of failure.  If a bad actor can obtain a user's username and password, the bad actor can access all the user's accounts ("keys to the kingdom" attack scenario).
The major problem with OpenID Connect and other single-sign-on protocols is that identity proofing is delegated to a third party.  Will any organization concerned with security delegate its identity proofing process to a third party like Facebook?
Taking responsibility for identity proofing is a key competitive advantage for most business organizations, and their consumer data represents the "crown jewels" for most business organizations.  That is why no financial institution has ever allowed access to its systems through OpenID Connect or any of the other SSO schemes.  That is why Amazon, Facebook, Google, Yahoo and other major providers of Internet goods and services will gladly provide an OpenID Connect service based on their users signing into other services (providing more consumer data points to the SSO service provider) but would never allow their applications to be accessed through another SSO provider.
With increased complexity comes increased costs.  Are the benefits of implementing any single sign on (SSO) protocol worth the costs?  Do most organizations really care about single sign on (SSO)?
Most of the federation protocols have their roots in the early 2000s when users first started to struggle with multiple usernames and passwords.  The single sign on (SSO) problem is very different from the problem of secure authentication.  Will organizations be willing to implement complex and costly protocols to solve a problem that is not their main concern?  Stated emphatically:  Most organizations do not care about the single sign on (SSO) problem; they care about secure authentication.
All those who are committed to federation technologies and single sign on are like engineers in the 1890s working diligently to perfect the telegraph system; all their work will soon be eclipsed by a much better technology.
How does the Trust Nexus compare with the FIDO Alliance?
While the goals of the FIDO Alliance are noble, "simpler, stronger, authentication", they have fallen far short of their goals.
Bruce Schneier once stated, "Complexity is the worst enemy of security."
With over three hundred pages of specifications [ref], FIDO is a vendor's dream and an IT admin's nightmare.
How does the Trust Nexus compare with mobile apps that use "geo-fencing"?
While the idea of restricting sign-on based on geographic locales may at first seem interesting, if I can compromise your identity by driving over and parking in front of your house, the system is not that secure.
What are the advantages of biometric factors?
There are severe limitations in using biometric data over a network or in a physical location with no monitoring; one of the most notable failures of biometrics is the "Gummi Bear Hack" used by Australian school children to defeat fingerprint sensors (and verified by Japanese researchers) [refA] [refB].
Most recently, a group of German hackers cracked the iPhone fingerprint scanner just two days after Apple Inc. launched the technology that it promises will better protect devices from criminals and snoopers seeking access [refA] [refB].
A biometric identifier is like a "magic word" that supposedly only the person associated with the identifier can say.  But once the "magic word" is spoken anyone who can access the identifying device (or the resulting digital stream) can speak the "magic word" and steal the user's identity.
When the person is present and the biometric data can be verified in the presence of a security agent, the utility of biometric processes increases significantly; in fact, this is the only valid use case for biometric factors.
Under the Trust Nexus it will be possible to store biometric data within a user's credential (not within a central repository) when the credential is created by the provisioning institution.  When a user presents the credential, verifying the biometric data in the credential against the individual in real time will provide enhanced security.
While there are many types of biometric identifiers, one of the simplest and most usable is a photograph of the human face verified by a human being.  In the Trust Nexus any credential in a user's digital wallet that includes a photograph (driver's license, passport, bank debit card, etc.) will be highly reliable when a user presents the credential in person (and the quality of an identifying photo on a mobile device will be far superior to a photo on an ID card).
Iris scan identification, voice authentication and face recognition algorithms have become increasingly reliable; any one or a combination of these technologies could provide an additional layer of security.
Whatever type of biometric factor is used, the fact that the biometric (and all other) information in the Trust Nexus is stored in a user's digital wallet on his/her mobile device and not stored in a central repository means there cannot be a massive theft of identity information.  Systems that attempt to create vast repositories of biometric information will simply be storing extremely long "magic words" that are available for compromise at a single point of failure.
The "dirty secret" of biometrics is that biometrics are very poor for establishing an identity infrastructure; however, biometrics are great for destroying privacy and establishing a "Surveillance Society".[ref]
What is new about your approach? Why do you think you can be successful at this time?
Think digital certificates on a mobile device with the convenience of One Touch Authentication™.
Think of the convenience of not managing keys.  The TNX One Touch mobile app generates a 4,096-bit public/private key pair and secures the private key on the mobile device (truly secure; no password based encryption processes; no dependency on "phone lock" OS processes).
Think of Identity and Authentication Management in terms of managing cryptographically valid digital credentials, not in terms of managing and verifying certificate chains of authority, or even worse, managing and validating vast amounts of personal data.
In the late Seventies and early Eighties computer names were maintained by using handcrafted HOSTS.TXT files. As networks became more interconnected this process became unmanageable.  Everyone knew that something needed to be done.  When the Domain Name System (DNS) was created everyone saw it as the obvious solution.
Similarly, when the solution to cybersecurity authentication emerges, everyone will say, "Of course, this is how it had to be."
The basic question is, how can trust be established in the digital age?  If you and I have never met and I come to your website or place of business, how can you be confident that my credential is valid?  The Trust Nexus answers this basic question regarding the establishment of trust.
Imagine going to your local bank or corporate security desk and having a digital credential provisioned to your smart phone.
Once this or any other credential is provisioned in a valid institutional process, from then on, whenever you sign onto the institution's website (or mobile application) you simply scroll to the credential's icon on your smart phone and engage the "One Touch Sign On"™ process.
The essence of our process is incredibly simple: Through secure mobile identity, we completely do away with user names and passwords (and all of their weaknesses).  If a credential is provisioned to a user's mobile device in a valid institutional process, then when the user presents the credential (either in person or over the network) the receiver can be certain that either the credential and the user are valid or the user gave his/her mobile device and six-digit HEX pin (1/16,777,216) to someone else.
Under the Trust Nexus it truly does not matter who you are; what matters are institutional validations and the ability to verify those validations.
Most authentication schemes depend on securing personal data; we focus on the ability to use credential data in a valid institutional process. The concept of verifying institutional validations rather than securing secret data requires a shift in perspective. Once that mental shift occurs everyone is amazed at how simple our system is.
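The "verify institutional validations, not secret data" idea, as an added example that is not Trust Nexus code (the page does not publish its protocol or credential format).  The institution signs a credential binding a subject to the device's public key; the website hands out a single-use nonce, the device signs it, and the website checks only two signatures, storing no user secrets.  The credential layout, the use of ECDSA P-256 instead of the 4,096-bit keys mentioned above, and the names IssueCredential, Challenge, SignChallenge and Authenticate are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Credential is a constructed record type for this example: the institution
// asserts that whoever controls the private key for HolderPubX/HolderPubY is
// the named subject. Nothing secret is stored in it.
type Credential struct {
	Issuer, Subject        string
	HolderPubX, HolderPubY []byte
}

// SignedCredential adds the institution's ECDSA signature over the SHA-256
// digest of the JSON-encoded Credential: the "institutional validation".
type SignedCredential struct {
	Cred Credential
	Sig  []byte
}

func credentialDigest(c Credential) []byte {
	b, _ := json.Marshal(c) // cannot fail for this plain struct
	h := sha256.Sum256(b)
	return h[:]
}

// IssueCredential is the provisioning step: the institution binds the
// holder's public key to a subject and signs that binding.
func IssueCredential(issuerKey *ecdsa.PrivateKey, issuer, subject string, holderPub *ecdsa.PublicKey) (SignedCredential, error) {
	c := Credential{Issuer: issuer, Subject: subject,
		HolderPubX: holderPub.X.Bytes(), HolderPubY: holderPub.Y.Bytes()}
	sig, err := ecdsa.SignASN1(rand.Reader, issuerKey, credentialDigest(c))
	return SignedCredential{Cred: c, Sig: sig}, err
}

// SignChallenge is the device-side step: the private key, which never leaves
// the device, signs the relying party's nonce.
func SignChallenge(holderKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, holderKey, d[:])
}

// RelyingParty (the site being signed into) holds only the institution's
// public key plus the nonces it has handed out and not yet consumed.
type RelyingParty struct {
	issuerPub *ecdsa.PublicKey
	pending   map[string]bool
}

func NewRelyingParty(issuerPub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{issuerPub: issuerPub, pending: map[string]bool{}}
}

// Challenge hands out a single-use random nonce so a captured response
// cannot be replayed.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Authenticate checks that the nonce is fresh, that the credential was signed
// by the trusted institution, and that the presenter controls the private key
// the credential names. It returns the subject on success.
func (rp *RelyingParty) Authenticate(sc SignedCredential, nonce, sig []byte) (string, error) {
	key := hex.EncodeToString(nonce)
	if !rp.pending[key] {
		return "", errors.New("unknown or already used nonce")
	}
	delete(rp.pending, key) // consumed even if a later check fails
	if !ecdsa.VerifyASN1(rp.issuerPub, credentialDigest(sc.Cred), sc.Sig) {
		return "", errors.New("credential not signed by trusted institution")
	}
	holderPub := &ecdsa.PublicKey{Curve: elliptic.P256(),
		X: new(big.Int).SetBytes(sc.Cred.HolderPubX), Y: new(big.Int).SetBytes(sc.Cred.HolderPubY)}
	nd := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(holderPub, nd[:], sig) {
		return "", errors.New("presenter does not control the credential's key")
	}
	return sc.Cred.Subject, nil
}

func main() {
	issuerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	holderKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred, _ := IssueCredential(issuerKey, "Example Bank", "customer-1234", &holderKey.PublicKey)
	rp := NewRelyingParty(&issuerKey.PublicKey)
	nonce, _ := rp.Challenge()
	sig, _ := SignChallenge(holderKey, nonce)
	fmt.Println(rp.Authenticate(cred, nonce, sig)) // customer-1234 <nil>
	fmt.Println(rp.Authenticate(cred, nonce, sig)) // second use of the nonce is rejected
}
```

The relying party never learns a password or biometric and keeps no per-user secret: a breach of its database yields only the institution's public key.  A credential signed by an untrusted key, a replayed nonce, or a presenter who lacks the device's private key all fail in Authenticate, which is the property the paragraph above describes as verifying the institutional validation rather than securing secret data.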
While many of our cryptographic processes are similar to the processes used in Public Key Infrastructure (PKI), we avoid the bureaucratic inconveniences and lax security inherent in PKI. [ref] [ref]  Under PKI, when a digital certificate is issued the user (or a malicious administrator or someone who can access the user's system) can simply "share" the cert with anyone.  Under the Trust Nexus it is far less likely that a user will share his/her mobile device and six-digit HEX pin.
If a practical worldwide system is to be created, it must go beyond the traditional PKI process of having a Certificate Authority issue and manage public/private keys for users; such a system is simply unworkable on a multi-billion user scale.
Removing the need for a Trust Authority to verify billions of individual identities and manage billions of public/private keys makes a worldwide system practical.
Also, under the Trust Nexus a catastrophic security breach of the PKI, similar to the Comodo Security Breach, would have no ill effects for users.  Contrary to the proponents of PKI, a Comodo-like security breach is always a possibility, especially if you travel to a hostile foreign country or if you are a citizen under an oppressive regime.
If you succeed, what difference will it make?
An open source platform for secure mobile identity that is simple, effective, low cost, easy to implement and cryptographically secure will change the world.
  • Cybercrime and cyberwar will be greatly diminished.
  • Identity theft will be eliminated.
  • Fraudulent financial transactions will be eliminated.
  • Funds will be easily transferable between mobile device users.
  • Networks will be secure.
  • Single sign on will be easily implemented.
  • Auto Sign Up (no forms to fill out) will be convenient.
  • Identity federation between organizations will be easily implemented.
  • New marketing/advertising models will enhance retail commerce.
  • Medical records will be secure and transportable.
  • m-Commerce and m-Banking will uplift the third world.
  • Online voting will be a reality.
  • Privacy will be protected.
  • Third World growth and development will be enhanced.
We are creating an infrastructure that will support the rapid growth of mobile-Identity and mobile-Commerce.  In order to establish our infrastructure and generate good will, much of our technology will be licensed for a nominal fee or given away for free.  Our technology and infrastructure services will be FREE for every publicly facing website for general user authentication.  There will be licensing fees for corporations and government agencies for internal authentication.
The Trust Nexus will not attempt to compete against the dozens of existing players in the identity management space.  We intend to license our authentication technology to all players for a nominal fee; this will ensure a rapid and widespread implementation.
The Trust Nexus will also provide the business model for the success of NFC.  Once NFC can be used to eliminate fraudulent financial transactions there is a true "value add" for the technology (it becomes much more than just a new "high tech" way of doing the same old thing).
One of the most important aspects of our technology is that we secure identity while protecting privacy.  Our technology provides 100% privacy protection.  We do not store personal data; we simply store associations between public keys and digital credentials.  We change the mind set of authenticating using personal data; instead, we verify institutional validations.
If you are a member of the Secret Moose Lodge of Ottumwa, Iowa, your identity credential can be validated under the Trust Nexus without any detailed information about you or your organization being revealed.  We simply verify the institutional validation that was created when your credential was issued.
Our technology goes beyond secure mobile identity.  It may be difficult to believe, but as a small startup in Austin we have solved the single sign on problem [ref]. Our technology also enables a greatly simplified identity federation process [ref].
The Trust Nexus will greatly influence political events by reintroducing classical Greek democracy to the world.  Unlike current on-line polls that can be "spammed" multiple times by a single user or a group of users, on-line polls conducted under the Trust Nexus will be validated for user uniqueness.
Users could also volunteer to provide their demographic profiles to the on-line pollsters enabling political scientists to extricate meaningful conclusions from their polls.  Ultimately, secure on-line voting will become a reality that will lead to an ever-increasing number of local, national and world plebiscites.  There will come a time in the near future when a consortium of major news organizations will call a worldwide election.
Secure mobile identity will also have a significant impact on Third World Development.
Stated as a fundamental principle of economics: Identity is the foundation of financial rights.
"In battling poverty in the developing world with affordable financial services, there is nothing quite as democratizing as the ubiquitous cellphone.  Few proponents of economic growth would quibble with the belief that banking is integral to the foundation that society is built on, but a full one billion of the globe’s five billion cellphone owners have no access to financial services.  That makes mobile banking the perfect way to bring the unbanked and underbanked into society’s fold..."  [Waiting for the Call]
"Embracing the financial services ecosystem gives poor people the ability to leverage their existing wealth, to plan for the future better, to save resources and to interact outside of their neighborhood."  [Waiting for the Call]
The technologies of the Trust Nexus will bring secure financial services to the developing world and make it possible to directly provision resources to user's cellphones.  Corrupt governments will be bypassed.
How long will it take? How much will it cost?
We have a functioning prototype with a server implementation written in Java EE and a mobile application written for Android.  With the source code available and the fact that our infrastructure technology can exist as an insulated microcosm within corporations or government agencies, we expect rapid exponential growth of this technology at a minimal cost.  The most significant cost will be in the creation of a worldwide identity infrastructure that will be managed in cooperation with governments in a fashion similar to the management of the electric power grid.  Given the low initial investment and scalability of cloud based services, we expect these costs to be minimal.
© Copyright 2017 ~ Trust Nexus, Inc.
All technologies described herein are "Patent Pending".