Trusted identity explained.


OneID has reinvented identity from the ground up.

OneID was designed to be the ultimate digital identity: one that you could use anywhere. Marrying security, control and convenience, OneID offers authentication, authorization, information sharing, digital claims, user and RP defined attributes and certificates, and more. OneID is one identity from the world’s most trusted cloud identity provider.

That is the OneID vision.

What makes our approach unique?

1.  Use of digital signatures instead of usernames and passwords. Like a handwritten signature, a digital signature is easy for you to produce and easy for anyone to check; unlike one, it cannot be forged by anyone who does not hold your private key. Signatures are much more secure than usernames and passwords: a password has to be handed to the website and stored there, while a signature proves you hold the key without revealing it, and a signature over one request is useless for any other request. When you log into a website using OneID, you present the site with a digital signature, not a username or password. OneID uses cryptographic algorithms and parameters approved by the NSA (known as “Suite B”); the key and signature sizes described below correspond to ECDSA on the 256-bit P-256 curve. (The NSA has since retired Suite B in favour of the CNSA Suite, which keeps ECDSA but moves to the P-384 curve.)

2.  Never share secrets. When you type a secret, such as a PIN code, into one of your devices, that secret never leaves the device. Instead, the device uses the PIN locally to produce a digital signature, and the OneID servers verify that signature: they learn that you know the correct PIN without ever learning the PIN itself. Because a PIN has very little entropy, this only holds up if the servers limit how many wrong attempts they will accept (see “Recover your identity” below).

3.  Part of your identity is stored on your devices and a different part on our servers. To log into a website you must present two digital signatures: one from your device and one from OneID. Your identity can therefore never be used without at least one of your devices taking part, so it stays secure even if someone breaks into any of the sites you use, or into the OneID servers, because neither of those holds your device’s private key.

4.  OneID’s servers help you out, but we know almost nothing about you. OneID servers are used to store your encrypted data and to facilitate transactions (such as co-signing your actions). Your personal information (such as your address, phone number, etc.) can only be decrypted by the browsers that you’ve enabled for use with OneID. We don’t know the sites you visit or what is in your profile. We store your name and email address for administrative purposes, but that’s it.

Ready to dive deeper?

Here’s an explanation of nine OneID operations and how they work:

1. Create a new OneID.

When you create a OneID account, your browser generates a 256-bit random number and stores it in the browser’s HTML5 local storage. This is your private signature key, and it is what lets your device sign your requests. A digital signature is a mathematical computation (the elliptic curve digital signature algorithm, ECDSA, on the 256-bit P-256 curve) that takes your private key and the message being signed and produces a 512-bit value (two 256-bit numbers, conventionally called r and s). Because only your device holds the private key, only your device (and any device you deliberately copy it to, see “Add OneID to your other devices” below) can sign for you. The private key is also used to compute your public signature key, a point on the curve described by two 256-bit coordinates. The public key can be given out freely: it lets a website check that a signature was made with your private key without learning the private key. Bear in mind that local storage is readable by any script running on the same origin, so the key is only as safe as that browser and that origin are. At the same time, the OneID servers do the same thing for your account: generate a private signature key and compute its public key. That server-side private key is held by OneID, is never disclosed to you or your devices, is unique to your account, and is used only to co-sign things for you.

2. Create a new account at a website.

When you create an account at a website, you give the site two public keys: your own public signature key and the public signature key from the OneID servers. The website keeps both on file and uses them to verify the two signatures you present when you sign in later; only you and OneID can produce those two signatures. For privacy reasons, OneID generates a separate set of keys for each website you visit, so two sites cannot compare the keys they hold and discover that they share a user. OneID calls this “unidirectional” identity (other systems call it pairwise or directed identity).

3. Sign into a website.

When you click OneID “Sign In” on a website, the website asks you to digitally sign its “Sign In” request, which should carry a fresh random challenge so that a signature captured from an earlier login cannot be replayed. You sign the request with your private signature key, ask OneID to co-sign it with the private signature key it holds for your account, and send both signatures back to the website. The website verifies each signature against the matching public key on file and lets you in only if both check out. The result is an end-to-end secure system: the signatures are produced on your computer (one “endpoint”) and verified by the website’s computers (the other “endpoint”), and OneID, although it takes part as a co-signer, cannot complete a login on its own. Contrast that with logging into a site through a third-party identity provider (Facebook Login or Google, for example), where the provider asserts your identity on your behalf, so an attack or programming error at the provider can be used to log in as you. With OneID it is your device that asserts your identity; a programmer at OneID cannot log in as you because OneID never has the private key that makes your signature.

4. Sign into OneID.

Before you can use OneID in a browser, you sign into OneID from that browser using your digital signature together with a signature from the browser’s own unique browser ID. If the browser is authorized, OneID will co-sign requests from it until you explicitly sign out of that browser (or your timeout expires). In your OneID Control Panel you can set the security level required to sign into OneID from each browser or device you own, and how long you stay signed in. So your iPhone might need no extra protection (you just pick your name from a list), your home desktop might require a password to sign into OneID, and your iPad might require approval from your iPhone using a PIN code.

5. Add OneID to your other devices.

To add OneID to a new device, you need access to a browser that already holds your identity. You then copy the secrets from that device to the new one, either by scanning a QR code shown on the new device with your OneID Remote app or by opening a hyperlink from your email on the new device. You are copying digital secrets from the old device to the new one in a way that OneID cannot read. The per-device private key is not copied: the new device always generates its own unique device ID, so that it can later be disallowed individually without re-issuing public keys to the websites. See “Disable a device” below.

6. Share your information.

When a site asks you for information, for example to fill out a form, your browser downloads your encrypted data from the OneID servers, decrypts it locally, hands it to the website, and then discards it. OneID never sees the information, and it is not left on your computer after the transaction. The site must have integrated OneID QuickFill or OneID Checkout; otherwise the OneID QuickFill browser extension provides the same functionality.

7. Disable a device.

If a device is lost, stolen or compromised by malware, you can use any of your other devices to remove it from your identity. From then on the OneID servers refuse to co-sign requests coming from the removed device, so any attempt from it to sign in to a website (or to OneID) fails, because two digital signatures are required. No website has to change the public keys it keeps on file or be told about the removal; the missing OneID co-signature is what makes the website deny the request. This is one of the main reasons OneID uses two independent digital signatures rather than one.
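The two-signature flow of steps 2, 3 and 7 above, as an added example in Go that is not OneID’s code (this page does not publish OneID’s wire format, key derivation or per-site key scheme). It assumes ECDSA on P-256 with SHA-256, as the key and signature sizes in step 1 imply; the type names, the challenge construction, the per-website key maps and the device-ID bookkeeping are this example’s own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device: the browser's half of the identity (the page's private signature key), one key per website.
type Device struct {
	ID   string
	Keys map[string]*ecdsa.PrivateKey
}

// OneIDServer: the other half, per-website co-signing keys that never leave it, plus enabled device IDs.
type OneIDServer struct {
	Cosign  map[string]*ecdsa.PrivateKey
	Enabled map[string]bool
}

// Website (the relying party) keeps only the two public keys on file.
type Website struct {
	Name      string
	UserPub   *ecdsa.PublicKey
	CosignPub *ecdsa.PublicKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // 256-bit Suite B curve, as in step 1
	if err != nil {
		panic(err)
	}
	return k
}

func NewDevice(id string) *Device { return &Device{ID: id, Keys: map[string]*ecdsa.PrivateKey{}} }
func NewServer() *OneIDServer {
	return &OneIDServer{Cosign: map[string]*ecdsa.PrivateKey{}, Enabled: map[string]bool{}}
}
func (s *OneIDServer) Enable(deviceID string)  { s.Enabled[deviceID] = true }
func (s *OneIDServer) Disable(deviceID string) { delete(s.Enabled, deviceID) }

// CreateAccount (step 2): fresh key pairs for this site; the website gets only the public halves.
func CreateAccount(name string, d *Device, s *OneIDServer) *Website {
	d.Keys[name] = newKey()
	s.Cosign[name] = newKey()
	return &Website{Name: name, UserPub: &d.Keys[name].PublicKey, CosignPub: &s.Cosign[name].PublicKey}
}

// SignInRequest: the message both parties sign, bound to a challenge the website chose (no replay).
func SignInRequest(site string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte("OneID sign-in\x00" + site + "\x00"))
	h.Write(challenge)
	return h.Sum(nil)
}

func (d *Device) Sign(site string, msg []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.Keys[site], msg)
}

// CoSign: the second signature. A disabled device is refused (step 7), so the website's check fails.
func (s *OneIDServer) CoSign(deviceID, site string, msg []byte) ([]byte, error) {
	if !s.Enabled[deviceID] {
		return nil, fmt.Errorf("device %s is not enabled for this account", deviceID)
	}
	return ecdsa.SignASN1(rand.Reader, s.Cosign[site], msg)
}

func (w *Website) Verify(msg, userSig, cosig []byte) bool {
	return ecdsa.VerifyASN1(w.UserPub, msg, userSig) && ecdsa.VerifyASN1(w.CosignPub, msg, cosig)
}

// SignIn runs the whole step-3 exchange and reports whether the website lets the user in.
func SignIn(w *Website, d *Device, s *OneIDServer) (bool, error) {
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand never returns an error in Go 1.24+
	msg := SignInRequest(w.Name, challenge)
	userSig, err := d.Sign(w.Name, msg)
	if err != nil {
		return false, err
	}
	cosig, err := s.CoSign(d.ID, w.Name, msg)
	if err != nil {
		return false, err
	}
	return w.Verify(msg, userSig, cosig), nil
}

func main() {
	laptop, srv := NewDevice("laptop"), NewServer()
	srv.Enable(laptop.ID)
	bank := CreateAccount("bank.example", laptop, srv)
	fmt.Println(SignIn(bank, laptop, srv)) // true <nil>
	srv.Disable(laptop.ID)                 // step 7: the laptop is lost
	fmt.Println(SignIn(bank, laptop, srv)) // false device laptop is not enabled for this account
}
```

Two things the code makes concrete that the prose only implies: the website, not the user, must choose the challenge that goes into the signed request, or a signature captured on the wire stays valid forever; and `Disable` is the whole of step 7, since nothing changes at the website and the server simply stops co-signing for that device ID. A second device that has received a copy of the same keys (step 5) keeps working under its own ID.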

8. Recover your identity.

You can recover your identity if you lose all your devices (or simply need OneID while all your devices are at home). When you create your OneID account, your device encrypts the private signature key it holds with a random 128-bit number, your recovery secret key, and sends only the resulting ciphertext to the OneID servers. Because OneID does not hold the recovery secret, and because 128 random bits are far too many to guess, OneID can never learn your private signature key from what it stores. Your device hands you the recovery secret in the form of a URL for safekeeping; the secret itself does not touch our servers. You can keep that URL in your email or on your computers. Opening the URL displays a QR code, which you can print and keep in your wallet (so it is always handy) and in one or two safe places. To recover, scan the QR code with the OneID Remote mobile app, enter your PIN code, and you are back in business. Someone who finds your recovery code still cannot take over your identity without also guessing your PIN, and after too many wrong PIN entries the device is locked for a period you choose: 1 hour, 8 hours, 1 day or 2 days. For that lockout to mean anything when the device doing the recovery is in a thief’s hands, the attempt count has to be enforced by the OneID servers rather than by the device alone. Another way OneID keeps your information under your control.
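The recovery backup of step 8, as an added example in Go that is not OneID’s code: the device’s 256-bit private signature key is sealed under a random 128-bit recovery secret, the ciphertext is what the OneID servers keep, and the secret travels only in the recovery URL. AES-128-GCM for the sealing, the `oneid.example` hostname, the associated-data label and placing the secret in the URL fragment (which browsers do not send to the server, matching the page’s “it doesn’t touch our servers”) are this example’s assumptions; the PIN step is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

const backupLabel = "OneID device key backup" // GCM associated data; this example's choice

// Backup is what step 8 leaves behind: a sealed device key for the OneID
// servers and a recovery URL for the user. The secret sits in the URL
// fragment, which browsers never send to a server.
type Backup struct {
	Blob        []byte // nonce || AES-128-GCM ciphertext || tag, stored by OneID
	RecoveryURL string // kept by the user (email, printed QR code)
}

// MakeBackup runs on the device at account creation.
func MakeBackup(devicePrivKey []byte) (Backup, error) {
	if len(devicePrivKey) != 32 {
		return Backup{}, errors.New("expected a 256-bit device signature key")
	}
	secret := make([]byte, 16) // the 128-bit recovery secret key
	if _, err := rand.Read(secret); err != nil {
		return Backup{}, err
	}
	blob, err := sealKey(secret, devicePrivKey)
	if err != nil {
		return Backup{}, err
	}
	u := "https://oneid.example/recover#" + base64.RawURLEncoding.EncodeToString(secret)
	return Backup{Blob: blob, RecoveryURL: u}, nil
}

func newGCM(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealKey(secret, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(secret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(backupLabel)), nil
}

// Recover runs on a fresh device after it scans the QR code: take the secret
// from the URL fragment, fetch the blob from OneID, and unseal the key. The
// GCM tag means a wrong secret or a modified blob fails cleanly instead of
// yielding garbage that looks like a key.
func Recover(recoveryURL string, blob []byte) ([]byte, error) {
	u, err := url.Parse(recoveryURL)
	if err != nil {
		return nil, err
	}
	secret, err := base64.RawURLEncoding.DecodeString(u.Fragment)
	if err != nil || len(secret) != 16 {
		return nil, errors.New("malformed recovery URL")
	}
	gcm, err := newGCM(secret)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	key, err := gcm.Open(nil, blob[:n], blob[n:], []byte(backupLabel))
	if err != nil {
		return nil, errors.New("recovery failed: wrong secret or modified blob")
	}
	return key, nil
}

func main() {
	deviceKey := make([]byte, 32) // stands in for the device's private signature key
	rand.Read(deviceKey)
	b, _ := MakeBackup(deviceKey)
	fmt.Printf("OneID stores %d bytes it cannot decrypt\n", len(b.Blob)) // 60
	got, err := Recover(b.RecoveryURL, b.Blob)
	fmt.Println(err == nil && string(got) == string(deviceKey)) // true
}
```

Everything OneID holds is `Blob`; without the 16 bytes in the fragment it is 60 bytes of noise, and a guess at the secret is rejected by the GCM tag rather than decrypting to a wrong key.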

9. Customize the security.

You or the website can instruct OneID not to co-sign certain operations unless there is additional confirmation, either a password or a confirmation from your OneID Remote mobile app, and a PIN code on the mobile app can optionally be required as well. You configure this extra security in your OneID Control Panel on a per-device, per-website or per-transaction basis. For example, you can require that a PIN code be entered on your mobile app for any transaction of $100 or more (or any wire transfer out of your bank account). So even if all your devices are stolen and you do not notice right away, you are still protected, since most thieves are after your money and they will not get far without your PIN code. OneID’s philosophy on security is to protect high-value assets (like your money) with two-factor, out-of-band confirmation (that is, a second device) while keeping other operations (such as logging into a news site) very convenient. OneID puts security exactly where it is needed.

Get OneID for your business.
