Welcome to the series towards studying and analysing designs that enable decentralisation, through a user-centric lens, with a focus on those catering to the proliferation of security in digital assets.
Above all, infrastructure to enable decentralization inherently aims to empower users. A Digital Asset ecosystem is a powerful concept when put into actual practice. The field is evolving, thanks to developers, founders, and backing from communities and venture funds alike. As of now, the mass adoption of digital assets needs unprecedented user experience, security, and trust improvements.
We need a scientific approach to conduct qualitative and quantitative evaluations of these designs that govern the transition to decentralization. We attempt to address the most important parameters that need capturing, in this series.
While Decentralization brings unique opportunities, it also highlights a grey area around user empowerment.
Centralized systems, financial ecosystems in particular, are positioned at the end of the spectrum in terms of control and capabilities open to the users. While decentralised systems envision complete control placed in the hand of the users, products, and services in design today vary a lot in terms of what users can and cannot do, leading to a clouded contrast wrt centralised financial institutions. Ultimately, these deter mass adoption and affect user trust.
Targeting user-centricity in the approach to design identity, security, and financial products for digital assets, we propose to add a dimension of ‘User-Empowerment’. A dedicated framework with acceptable universality is needed for course-correcting design decisions, at both protocols and UX levels, based on closed-loop feedback from users.
Figure 1:User-centric studies should analyze the empowerment levels of digital asset products.
While security metrics capture single points of failures, probabilities of theft, phishing, shoulder-surfing, and others (covering loss of private keys, account access, etc.), usability caters to cognition and physical efforts (remembering seed-phrases, master password, recovery keys, carrying hardware tokens/wallets, etc.) expected from the user.
Capturing Empowerment:
In the context of empowerment, the framework tries to capture the following:
- Ownership, and
- Capabilities of the users of the products providing the interfaces to Digital Assets.
At the end of the ideal product spectrum, empowerment would mean that:
- No service provider should be able to block a user from conducting transactions involving their digital assets. These include, but are not limited to:
a. Signature to perform a transaction,
b. Account Recovery in case of loss of the form factor managing the product (phone/PC in case of wallets). - Transparency in operations: Product and service providers should not be able to move/use assets without the user’s engagement or confirmation.
- A user, if the time comes, should be able to switch between service providers at their will, and the enterprise should never be able to block such migration.
Framework Design:
There have already been commendable studies that led to the stabilization of 2FAs/MFAs, and passwordless solutions where frameworks have been used, such as the framework of Bonneau et al [1–3], that considers 25 evaluation parameters, termed as ‘benefits’, derived from the perspective of usability, deployability, and security, that an authentication scheme should ideally provide.
We add the vector of “empowerment” in the framework to conduct a proper study of products catering to digital assets. Each vector’s parameter is rated as either offering or not offering the benefit; if a solution/product almost offers the benefit, but not quite, we indicate this with the somewhat offering.
To begin with, an initial attempt has been made to enumerate the offerings of the two most popular form factors of wallets: Browser Plugin and Phone Application-based wallets.
Figure: A small Sample of the adopted framework when used to study Plugins and Phone wallets. The full paper for the original framework can be found at References [1]
As is evident, since plugin wallets hold the private keys locally in the browser’s storage, self-empowerment is ideal. At the same time, phone wallets which are controlled by exchanges with keys being stored on centralized servers, land themselves on the deep end of zero empowerment.
Continuing context from this article, we will keep attempting to define the nomenclature/definition of products (wallets in particular), as a function of who holds the custody and ownership of the wallet primitives (keys, shards, backup, policy). Please expect the below and more, in the other articles to come.
Our next articles will cover:
- Revisiting the ‘nomenclature’ of wallets: because the ‘custodial/non-custodial nomenclature are being heavily misused. While users do not care about these names, they care more about striking a balance between all parameters under discussion.
- A detailed study of all digital asset products and where they position themselves in the framework.
- How user-centric designs and cryptographic primitives can push products towards the optimum balance across the four vectors under discussion
As always, progress is a collaborative affair and we’re open to discussions, improvements, feedback, and conducting joint studies. Aiming to open-source the framework, methodology, documentation, and results, with all credits given, we welcome you to join the discussion by email at info@silencelaboratories.com, booking a slot to discuss more through Calendly, or writing us on @SilentAuth on Twitter.
ABOUT US:
- J. Bonneau, C. Herley, P. C. v. Oorschot, and F. Stajano, “The quest to replace passwords: A framework for comparative evaluation of web authentication schemes,” in 2012 IEEE Symposium on Security and Privacy, 2012, pp. 553–567.
- Countering Concurrent Login Attacks in “Just Tap- Push-based Authentication: A Redesign and Usability Evaluations,” Jay Prakash et.al., 2021 IEEE European Symposium on Security and Privacy (EuroS&P)
- An Empirical Study of a Decentralized Identity Wallet: Usability, Security, and Perspectives on User Control; Maina Korir, University of Bedfordshire; Simon Parkin, TU Delft; Paul Dunphy, OneSpan in 2022 SOUPS USENIX.