Under the Trust Nexus the concept of identity is fundamentally changed.  Who are you? You are the entity that has been issued a cryptographically valid digital credential.
It is all based on cryptography.
Here is everything you need to know about the magic of public-key cryptography:  There are two keys, a public key which everyone has access to and a private key which you must keep private for the system to be secure.  If a bad actor gets access to your private key it is game over; you lost. 
  • A message that is encrypted with your public key can only be decrypted with your private key.  If you keep your private key private, anyone can send you a secure message by accessing your public key.
  • When you send a message and sign it with your private key, your signature can only be confirmed with your public key.  If you keep your private key private, the validity of your signature is assured. 
That's all you need to know about the magic of public-key cryptography.  Don't ever let some techno-nerd talk down to you again.
In the One Touch Sign On™ process the credential provider encrypts the Firebase message containing the authentication code (sent from the web server to your mobile device) with your public key.  That message can only be decrypted with your private key which is stored securely on your mobile device.
What do you mean, "stored securely on your mobile device"?  Is that a joke?  We all know from the Apple v FBI encounter that anything on your mobile device can be decrypted by anyone with marginal computer skills.  It is incredibly easy to do.
Well... it is not easy to do if the encryption process is done in a sensible manner (send the following architectural overview to your friends at Apple).
When a user downloads and activates the TNX Secure mobile app from the Apple App Store or from the Google Play Store, in the installation process the mobile app generates a 4,096 bit public/private key pair in less than ten seconds (on a "good" phone).  A 4,096 bit key pair is very large and highly secure (double the traditional recommendation by RSA Laboratories [ref]).
The public key is uploaded to the mobile app provider's (e.g., your bank's) data structures.  The private key never leaves your smart phone.
In order to protect the private key and other data within the TNX Secure mobile app, access to the app is protected by a six digit HEX pin (there are 16 HEX digits: 0 - 9 and A - F).  There is a 1 in 16,777,216 chance that a bad actor who steals a user's phone could guess the HEX pin on the first try.
The six digit HEX pin is not used for password based encryption, so there is nothing on the device against which the pin could be guessed offline.  In the authentication (sign on) process to the TNX Secure mobile app, a check is made to the mobile app provider's (e.g., your bank's) web server.  After a configurable number of failed attempts the mobile app locks and the assistance of a personal banker (or a team member from corporate security, etc.) is required to reconfigure the app.  Don't forget your six digit HEX pin unless you want to see your personal banker (or a team member from corporate security, etc.).
Also, to protect the user's private key and other data within the TNX Secure mobile app, in the installation process the TNX Secure mobile app creates a traditional symmetric key (AES-256, used by the U.S. government for "TOP SECRET" information) and that key is used to encrypt the user's private key and other data in the TNX Secure mobile app.  This symmetric key is then associated with an obfuscated identifier based on the user's HEX pin (and other factors on the mobile device) and then uploaded to the mobile app provider's data structures.
When the user signs on with a valid six digit HEX pin the symmetric key is downloaded securely to the TNX Secure mobile app and used to decrypt the user's private key and other data.  The only way to secure data on a mobile device is to encrypt the data with a key that is stored off the device, delete the key from the mobile device when it is not needed and load the key in a secure process when it is needed.  Our process is a sub-second process, unnoticeable to the user.
So if your mobile device is lost or stolen, a bad actor cannot sign on to your TNX Secure mobile app; and if a bad actor can programmatically gain root access to your mobile device and read the stored data, the important data (i.e., your private key) is securely encrypted.
Associating the user's symmetric key with an obfuscated identifier and not the user's account limits the possibility that a bad actor within the mobile app provider's organization could gain access to a user's symmetric key, steal the user's smart phone and gain access to the user's accounts.
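The activation and sign-on flow described above, as an added example rather than Trust Nexus code: one Go program models both the phone and the credential provider's server.  Where the page does not specify a mechanism this example assumes one: SHA-256 over the PIN and device factors as the "obfuscated identifier", AES-256-GCM as the mode that wraps the private key, RSA-OAEP for the encrypted authentication code, a 2,048-bit key (the page specifies 4,096) and a lockout after three failures.  The in-memory ProviderStore and the names Enroll, FetchSymKey, IssueChallenge and SignOn are constructed for this example, and the network hop between phone and server is omitted.  The point to check is that a wrong PIN never yields any key material on the device, so the 16,777,216-value pin space is only ever probed online, where the server's failure counter stops it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

const rsaBits = 2048        // the page specifies 4,096 bits; 2048 keeps this demo fast
const maxFailedAttempts = 3 // the page's "configurable number of failed attempts"

// ProviderStore is a hypothetical model of the provider's "data structures". symKeys is keyed by the
// obfuscated identifier, not the account, so dumping both tables does not pair a public key with its AES key.
type ProviderStore struct {
	publicKeys map[string]*rsa.PublicKey // account -> user's public key
	symKeys    map[string][]byte         // obfuscated identifier -> AES-256 key
	failures   map[string]int            // account -> consecutive failed sign-ons
}

func NewProviderStore() *ProviderStore {
	return &ProviderStore{map[string]*rsa.PublicKey{}, map[string][]byte{}, map[string]int{}}
}

// Device is all that persists on the phone: no plaintext AES key and no plaintext private key.
type Device struct {
	wrappedPriv   []byte // AES-256-GCM ciphertext of the PKCS#1 private key, nonce prepended
	deviceFactors string // the page's "other factors on the mobile device" (constructed here)
}

// obfuscatedID hashes PIN and device factors (SHA-256 is an assumption; the page names no derivation).
func obfuscatedID(pin, deviceFactors string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(pin+"|"+deviceFactors)))
}

// Enroll mirrors app activation: generate the pair, wrap the private key, upload the two keys separately.
func Enroll(store *ProviderStore, account, pin, deviceFactors string) (*Device, error) {
	priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, err
	}
	symKey := make([]byte, 32) // crypto/rand.Read is documented never to return an error
	rand.Read(symKey)
	block, _ := aes.NewCipher(symKey) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	wrapped := aead.Seal(nonce, nonce, x509.MarshalPKCS1PrivateKey(priv), nil)
	store.publicKeys[account] = &priv.PublicKey
	store.symKeys[obfuscatedID(pin, deviceFactors)] = symKey
	return &Device{wrappedPriv: wrapped, deviceFactors: deviceFactors}, nil
}

// FetchSymKey is the server-side PIN check; once failures reach maxFailedAttempts even the correct PIN is refused.
func (s *ProviderStore) FetchSymKey(account, id string) ([]byte, error) {
	if s.failures[account] >= maxFailedAttempts {
		return nil, errors.New("app locked: reconfiguration by the provider is required")
	}
	key, ok := s.symKeys[id]
	if !ok {
		s.failures[account]++
		return nil, errors.New("invalid pin")
	}
	s.failures[account] = 0
	return key, nil
}

// IssueChallenge is the server's half of One Touch Sign On: RSA-OAEP under the account's public key.
func (s *ProviderStore) IssueChallenge(account string, authCode []byte) ([]byte, error) {
	pub, ok := s.publicKeys[account]
	if !ok {
		return nil, errors.New("unknown account")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, authCode, nil)
}

// SignOn is the device's half: fetch the AES key, unwrap the private key, decrypt the challenge.
func SignOn(store *ProviderStore, dev *Device, account, pin string, challenge []byte) ([]byte, error) {
	symKey, err := store.FetchSymKey(account, obfuscatedID(pin, dev.deviceFactors))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(symKey) // refuses a malformed key from the server
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	ns := aead.NonceSize()
	der, err := aead.Open(nil, dev.wrappedPriv[:ns], dev.wrappedPriv[ns:], nil)
	if err != nil {
		return nil, err
	}
	priv, _ := x509.ParsePKCS1PrivateKey(der) // GCM authenticated der: it is the key we wrapped
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, challenge, nil)
}
```

Sequence of use: Enroll once at activation; on each sign-on the server calls IssueChallenge with a fresh authentication code, the device calls SignOn with the pin the user typed, and the decrypted code goes back to the web server to complete the login.  Both the AES key and the unwrapped private key exist only inside the SignOn call, which is the "delete the key when it is not needed" property the text describes.  Note also what the symmetric-key table does not contain: it is keyed by the identifier alone, as the page describes, so an insider who dumps it cannot tell which user each key belongs to, and the lockout in FetchSymKey is what stands between a stolen phone and the 16.7 million possible pins.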
In the late Seventies and early Eighties computer names were maintained by using handcrafted HOSTS.TXT files. As networks became more interconnected this process became unmanageable.  Everyone knew that something needed to be done.  When the Domain Name System (DNS) was created everyone saw it as the obvious solution.
Similarly, when the solution to cybersecurity authentication emerges, everyone will say, "Of course, this is how it had to be."
The basic question is, how can trust be established in the digital age?  If you and I have never met and I come to your website or place of business, how can you be confident that my digital credential is valid?  The Trust Nexus answers this basic question regarding the establishment of trust.
Within five to ten years all authentication will be done through digital credentials on mobile devices.  Imagine going to your local bank or corporate security desk and having a digital credential provisioned to your smart phone.  Once this or any other credential is provisioned in a valid institutional process, from then on, whenever you sign onto the institution's website (or mobile application) you simply engage the One Touch Sign On™ process on the TNX Secure mobile app.
The essence of our system is incredibly simple:  Through cryptographically valid digital credentials, we completely do away with user names and passwords (and all of their weaknesses).  If a credential is provisioned to a user's mobile device in a valid institutional process, then when the user presents the credential (either in person or over the network) the receiver can be certain that either the credential and the user are valid or the user gave his/her mobile device and six digit HEX pin (1/16,777,216) to someone else.
Because the receiver can cryptographically verify that you are the person to whom the credential was issued, under the Trust Nexus it truly does not matter who you are; what matters are institutional validations and the ability to represent those validations with cryptographically valid digital credentials.
What is a valid institutional process?
It can be anything the institution defines and controls, from the very simple to the highly secure.  In the most basic use case, the credential provider of a web application simply wants to secure the account to the user who created the account. Identity attributes do not need to be verified; valid authentication (from the user who created the account) simply needs to be secure and repeatable.  Under this use case a credential can be issued directly through a web application when the account is created.  Also, a user can establish and secure access to an account without revealing anything about his/her identity.
The process for Creating a Digital Credential can also be applied in a secure setting where identity is verified (e.g., the issuance of corporate identity credentials at a security station or the issuance of financial credentials at a bank, "know your customer").  This secure "identity proofing" represents a high level institutional validation.  Under the Trust Nexus the user's identity is verified in a valid institutional process determined by the institution issuing the credential.  There is no master identity proofing process that one organization or a government controls.  The identity proofing takes place by the institution when a digital credential is issued.
Under the Trust Nexus the concept of identity is fundamentally changed.  Who are you?  You are the entity that has been issued a cryptographically valid digital credential.
Most authentication schemes depend on securing and verifying personal data; we focus on the ability to use credential data in a valid institutional process.  The concept of verifying institutional validations rather than verifying personal data requires a shift in perspective.  Once that mental shift occurs everyone is amazed at how simple our system is.
Think of your smart phone as a security device for securing your private key.
Think of Identity and Authentication Management in terms of referencing cryptographically valid digital credentials, not in terms of managing and verifying certificate chains of authority, or even worse, managing and validating vast amounts of personal or biometric data.  Think of the past when the king's seal represented a stamp of approval; your identity did not matter, all that mattered was the validity of the king's seal and that you were the rightful holder of the credential.  In the age of technology it is possible to create a "valid seal" with a secure private key.
Establishing Security and Good Will
A system is secure if the plans for the system are public, and the bad actors can still not break in.
Our source code is available for download
In order to establish our infrastructure and generate good will, much of our technology will be licensed for a nominal fee or given away for free.  Our technology and infrastructure services will be FREE for every publicly facing website for general user authentication.  There will be licensing fees for corporations and government agencies for internal authentication (e.g., free for banking customers; a small annual fee for banking employees).
An organization can maintain complete control of its authentication process under the Trust Nexus.  Our infrastructure technology can exist as an insulated microcosm within corporations or government agencies when there is no need for third party validation of credentials (e.g., a corporation or government agency simply wants to authenticate its own users).  When third parties must rely on credentials (e.g., drivers licenses, passports, financial credentials, insurance credentials, etc.) there will be a public identity infrastructure that will be managed through The Worldwide Distributed Ledger for Credential Providers.
While many of our cryptographic processes are similar to the processes used in Public Key Infrastructure (PKI), we avoid the bureaucratic inconveniences and lax security inherent in PKI. [refA] [refB]  Under PKI, when a digital certificate is issued the user (or a malicious administrator or someone who can access the user's system) can simply "share" the cert with anyone.  Under the Trust Nexus it is far less likely that a user will share his/her mobile device and six digit HEX pin. 
Also, under the Trust Nexus a catastrophic security breach of the PKI, similar to the Comodo Security Breach, would have no ill effects for users.  Contrary to the proponents of PKI, a Comodo-like security breach is always a possibility, especially if you travel to a hostile foreign country or if you are a citizen under an oppressive regime.
The most significant advantage the Trust Nexus has over traditional PKI is that the public/private key pairs are generated in an asynchronous background process when the TNX One Touch mobile app is initialized and the user's private key is NEVER exposed.
Removing the need for a Trust Authority to verify billions of individual identities and manage billions of public/private keys makes a world wide system practical.
Unlike PKI, in authenticating third party credentials we are only attempting to answer a very narrow question:  Has the credential been issued in a valid institutional process by the holder of the private key that corresponds to the credential provider's public key? Unlike Certificate Authorities we are not attempting to validate the legitimacy of the credential provider or establish a "chain of authority" from one trusted entity to another. If a totally bad actor attempted to create a fraudulent financial institution and then issued credentials to users who then went out to present the credentials to third parties, our completely valid assumption is that there would be other factors in the process that would render the credentials invalid.
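The narrow question in the preceding paragraph, as an added example that is not the Trust Nexus implementation: a provider signs a credential bound to the holder's public key, and a relying party checks only the signature and the binding.  The Credential shape, its field names, the use of canonical JSON as the signed bytes and RSA-PSS over SHA-256 are all assumptions made for this example; the page does not specify its credential format or signature scheme.  The presenter's public key is assumed to have already been proven (for instance by decrypting a One Touch Sign On challenge), so Verify takes it as an input rather than running that exchange.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a hypothetical shape for what a provider issues: attributes bound to the
// holder's public key by fingerprint. The provider signs the canonical JSON encoding of it.
type Credential struct {
	Provider   string            `json:"provider"`
	HolderKey  string            `json:"holder_key"` // SHA-256 of the holder's PKIX public key
	Attributes map[string]string `json:"attributes"`
}

type SignedCredential struct {
	Credential
	Signature []byte `json:"signature"`
}

func fingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(der)), nil
}

// Issue is the provider's step: sign the credential with the provider's private key (RSA-PSS).
func Issue(providerKey *rsa.PrivateKey, provider string, holder *rsa.PublicKey, attrs map[string]string) (*SignedCredential, error) {
	fp, err := fingerprint(holder)
	if err != nil {
		return nil, err
	}
	cred := Credential{Provider: provider, HolderKey: fp, Attributes: attrs}
	body, err := json.Marshal(cred) // map keys are sorted, so the encoding is canonical
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, providerKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SignedCredential{Credential: cred, Signature: sig}, nil
}

// Verify answers only the narrow question from the text: was this credential signed by the
// holder of the private key matching providerPub, and is it bound to the key the presenter
// controls? Nothing here consults any authority about who the provider is.
func Verify(sc *SignedCredential, providerPub, presenter *rsa.PublicKey) error {
	body, err := json.Marshal(sc.Credential)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(body)
	if rsa.VerifyPSS(providerPub, crypto.SHA256, digest[:], sc.Signature, nil) != nil {
		return errors.New("signature does not verify under the provider's public key")
	}
	fp, err := fingerprint(presenter)
	if err != nil {
		return err
	}
	if fp != sc.HolderKey {
		return errors.New("credential is bound to a different holder key")
	}
	return nil
}
```

Verify deliberately has no notion of a chain of authority; the only things it rejects are a signature made with some other provider's key, a presenter whose key is not the one the credential was bound to, and any change to the signed attributes.  Whether the provider itself is legitimate is, exactly as the text says, left to other factors in the process.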
One of the most important aspects of our technology is that we secure identity while protecting privacy.  Our technology provides a 100% privacy protection.  We do not store personal data, we simply store associations between public keys and digital credentials.  We change the mind set of authenticating using personal data; instead, the only thing that matters is an institutional validation represented by a cryptographically valid digital credential.
If you are a member of the Secret Moose Lodge of Ottumwa, Iowa, your digital credential can be validated under the Trust Nexus without any detailed information about you or your organization being revealed. 
Under the Trust Nexus it is possible for users to create pseudo-identities and conduct financial transactions in complete anonymity.  Users are always in complete control.  They can create accounts with their "legal identity" or choose from one or more pseudo-identities that they have created for various purposes.
Under the Trust Nexus the user's credentials cannot be accessed if his/her mobile device is lost or stolen.  We have solved this problem without needing access to the secure element of the mobile device.  We do not use password based encryption so a brute force attack would not be successful.  There are no dependencies on "phone lock" OS processes which can be incredibly weak. [refA] [refB]  The dependencies are on independent cryptographic processes.
Aren't biometric factors supposed to "save the day"?
There are severe limitations in using biometric data over a network or in a physical location with no monitoring; one of the most notable failures of biometrics is the "Gummi Bear Hack" used by Australian school children to defeat fingerprint sensors (and verified by Japanese researchers) [refA] [refB].
Most recently, a group of German hackers cracked the iPhone fingerprint scanner just two days after Apple Inc. launched the technology that it promises will better protect devices from criminals and snoopers seeking access [refA] [refB].
A biometric identifier is like a "magic word" that supposedly only the person associated with the identifier can say.  But once the "magic word" is spoken anyone who can access the identifying device (or the resulting digital stream) can speak the "magic word" and steal the user's identity.
When the person is present and the biometric data can be verified in the presence of a security agent, the utility of biometric processes increases significantly; in fact, this is the only valid use case for biometric factors.
Under the Trust Nexus it will be possible to store biometric data within a user's credential (not within a central repository) when the credential is created by the provisioning institution.  When a user presents the credential, verifying the biometric data in the credential against the individual in real time will provide enhanced security.
While there are many types of biometric identifiers, one of the simplest and most usable is a photograph of the human face verified by a human being.  Under the Trust Nexus any credential in a user's digital wallet that includes a photograph (driver's license, passport, bank debit card, etc.) will be highly reliable when a user presents the credential in person (and the quality of an identifying photo on a mobile device will be far superior to a photo on an ID card).
Iris scan identification, voice authentication and face recognition algorithms have become increasingly reliable; any one or a combination of these technologies could provide an additional layer of security.
Whatever type of biometric factor is used, the fact that the biometric (and all other) information in the Trust Nexus is stored in a user's digital wallet on his/her mobile device and not stored in a central repository means there cannot be a massive theft of identity information.  Governments that attempt to create vast repositories of biometric information will simply be storing extremely long "magic words" that are available for compromise at a single point of failure.
The "dirty secret" of biometrics is that biometrics are very poor for establishing an identity infrastructure; however, biometrics are great for destroying privacy and establishing a "Surveillance Society".[ref]
Biometric data could be the foundation of an efficient and reliable credential restoration process.
It is inevitable that users will lose or compromise their mobile devices and their private keys.  Banks could maintain a biometric record for their users to reestablish not only their banking credentials but all other credentials (the process will take place in person at any bank branch office worldwide).  As an example, in creating your account, Netflix would create a reference to your banking credential.  If you report your digital Netflix credential lost or stolen, Netflix will suspend your account and then reestablish your account when you can prove your identity by presenting your new banking credential.  The process will be simple and fast.  Banks will be at the focal point of identity.
Who are you?  You are the entity that has been issued cryptographically valid digital credentials that can be easily reestablished.
Our technology goes beyond secure mobile identity.  It may be difficult to believe, but as a small startup in Austin we have solved the single sign on problem [ref]. Our technology also enables a greatly simplified identity federation process [ref].
The major limitation of this system is that there is a loss of functionality if your smart phone loses connection. However, even if there is a loss of mobile service, most home environments, most corporate environments and most retail areas have or soon will have a WiFi service that will make the credential management app operational. If both mobile service and WiFi service are down, it probably means there is a complete power failure and any services you wish to access are also down.
This is not theoretical; we have a functioning prototype and everything works.
Once you have downloaded the TNX Secure mobile app go to the Test link in the navigation bar above.
The Trust Nexus system is simple, effective, low cost, easy to implement and cryptographically secure.
While the Trust Nexus may "defy conventional wisdom", we are confident our core ideas are "non-consensus and right".
Our ultimate goal is the creation of a worldwide identity infrastructure that will be managed through The Worldwide Distributed Ledger for Credential Providers.
The Trust Nexus will not attempt to compete against the dozens of existing players in the identity management space.  We intend to license our authentication technology to all players for a nominal fee; this will insure a rapid and widespread implementation.
How does "One Touch Sign On" work?
The flow chart below provides an overview.
© Copyright 2017 ~ Trust Nexus, Inc.
All technologies described herein are "Patent Pending".