Hi HN, I’m the founder of https://b2v.xyz, a service that protects organizations against impersonation attacks.
The problem I’m trying to solve stems from the following observation: while end-user authentication methods are becoming more advanced as cybersecurity evolves, organizations aren't experiencing the same improvements when we reverse the roles, i.e. when organizations authenticate themselves to their users. This imbalance leaves a gap in secure communications that B2V aims to close.
Bad actors have countless ways to pose as trusted entities — through phishing, smishing, vishing, and more. These catchy terms may sound trendy, but the technology to combat them often lags behind. While some larger companies do offer some customised solutions such as in-app notifications, most approaches are still reactive, such as updating email filters after an attack is detected or requesting takedowns of fake domains long after the damage is done. It's surprising that more proactive measures aren't in place, especially considering the serious consequences of these impersonation attacks.
How B2V tackles this problem:
- Mutual authentication: During critical communications, an organization can initiate an authentication session and share it with a user via a unique URL. When the user opens it, the organization provides a one-time password that the user can verify. These single-use ephemeral sessions also protect against man-in-the-middle attacks, ensuring that the person you're communicating with is truly who they claim to be. This could also be described as *conversational authentication*.
- Digital signatures: Prove the authenticity and integrity of information linked to your organization with public-key cryptography. This is especially useful for verifying that text or links posted on platforms/media outside of your control — such as job boards, paper invoices, forums, or messages — truly come from a trusted entity. For example here's the signature of this post's URL: https://b2v.xyz/b2v_/XHEbx8NdqjTF50?s=https://news.ycombinator.com/item?id=40699265
- Verified online identities: Organizations can link their online identities, similarly to the way Keybase does it. For instance, here's the proof of ownership of this HN account: https://b2v.xyz/b2v_/NMiMMr9KWov6oE?s=hn:b2v
- Privacy by design: this system respects your privacy by never tracking or storing plaintext identifying information, only digests and signatures.
- For deeper integrations, an API is also available.
Any feedback would be greatly appreciated, especially about my assumptions! Feel free to check out the docs (https://docs.b2v.xyz) and ask me anything.
Thanks!
Comments URL: https://news.ycombinator.com/item?id=40699265
Points: 4
# Comments: 0
from Hacker News: Newest https://get.b2v.xyz/
via IFTTT
No comments:
Post a Comment