The Technology Behind UniVault®

UniVaultage developed the world's strongest knowledge-factor authentication and key derivation system in the course of developing our first product, PassWorks®. We embarked on a clean-sheet design for PassWorks, and first surveyed the state of the art in security. There are many suitable cryptographic algorithms today for encryption and hashing, and we chose the Advanced Encryption Standard (AES) for encryption, Secure Hash Algorithm 256 (SHA-256) for hashing, and Password-Based Key Derivation Function 2 (PBKDF2) for key derivation. When it came to authentication, however, we found the state of the art to be woefully inadequate. Why? Passwords.

Passwords are a veritable plague on computer security. They are so weak and flawed, it's as if they were designed for us by hackers to suit their ends, not ours. Passwords have been with us since the early 1960s, with their genesis in a computer lab at the Massachusetts Institute of Technology. Ever since, every system relying on passwords has been compromised. Even the first system at MIT was hacked by enterprising students needing more time on the shared mainframe than their allotment. What makes passwords so inferior for their intended purpose? Quite simply, password-based authentication has been insufficient from its beginning, and instead of evolving with the many advances in computing technology, passwords have remained largely unchanged over the last fifty years. The result is predictable: attackers have exploited the weaknesses of passwords by taking advantage of ever faster computers and by amassing vast databases of tens of millions of purloined passwords.

What's wrong with passwords, anyway? First, it is very difficult to satisfy the competing goals of conventional password authentication: a person should use passwords with (1) sufficient entropy (a measure of password strength, expressed in bits) that are (2) unique for each site or account and (3) memorable by the user. Strong passwords are usually hard to remember, so very few of us even try. Most people create an easily memorized password and use it on all their accounts, or make trivial changes to the same base password for different accounts and sites. The result? Hackers have wreaked incalculable damage by exploiting our inability to follow best practices for passwords.

The primary flaw of password-based systems today is the relatively small number of permitted characters. From the beginning, passwords have generally been limited to a subset of the ninety-five printable characters in the American Standard Code for Information Interchange (ASCII). Many systems only allow a subset of those printable characters. Computers usually encode each ASCII character in an 8-bit value called a byte, which can store integers from 0 to 255. For each character (byte position) in a password, an attacker need only try the values of the allowed characters rather than all 256, which significantly weakens the password and makes compromise easier and more likely.

The breakthrough of UniVault harnesses one of the world's most successful standards, the Unicode® Standard. The most recent version, Unicode 9.0, encodes almost 130,000 characters, used in virtually every writing system, modern and ancient. We recognized the power of Unicode for credential-based security systems and developed a patented technique that provides credentials of unprecedented strength that are much easier to remember than conventional passwords. UniVault not only permits any Unicode character in credentials; it also lets a user define new symbols, not used in any language, as sequences of Unicode characters, making such credentials essentially unbreakable. See our first patent, U.S. Patent No. 9,288,204, for a detailed explanation of UniVault.
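As an added illustration of the two points made above (the entropy lost to a restricted character set, and the use of Unicode credentials as input to a key derivation function), the following Python is example code written for this page; it is not UniVaultage's code and is not taken from the patent. It computes how many uniformly chosen characters a credential needs to reach a target entropy under three alphabet sizes, then derives a key from a Unicode passphrase with PBKDF2-HMAC-SHA256, the KDF and hash named earlier on the page. The alphabet sizes, the salt, the iteration count and the 128-bit target are constructed assumptions. The NFC normalization step is a standard precaution that the page does not discuss: the same visible passphrase can arrive composed in different ways depending on the input method, and without canonicalization it would derive different keys.

```python
import hashlib
import math
import unicodedata

# Alphabet sizes for the comparison. The first two are ASCII subsets of the
# kind described on the page; the third is the published Unicode 9.0 character
# count (the page's "almost 130,000"). These are stated assumptions for this
# illustration, not figures from UniVaultage.
ALPHABETS = {
    "lowercase letters + digits": 36,
    "printable ASCII": 95,
    "Unicode 9.0 repertoire": 128_172,
}


def bits_per_character(alphabet_size: int) -> float:
    """Entropy contributed by one uniformly chosen character from the alphabet."""
    return math.log2(alphabet_size)


def credential_entropy(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a credential of `length` uniformly chosen characters."""
    return length * bits_per_character(alphabet_size)


def length_for_target(alphabet_size: int, target_bits: float) -> int:
    """Smallest credential length that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / bits_per_character(alphabet_size))


def normalize_credential(credential: str) -> bytes:
    """Canonicalize a Unicode credential to NFC and encode it as UTF-8.

    Two visually identical inputs can be composed differently (a precomposed
    'é' versus 'e' followed by a combining acute accent). Without
    normalization they produce different bytes and therefore different keys,
    locking the user out of their own data.
    """
    return unicodedata.normalize("NFC", credential).encode("utf-8")


def derive_key(credential: str, salt: bytes, iterations: int = 100_000,
               length: int = 32) -> bytes:
    """Derive a symmetric key from a Unicode credential with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", normalize_credential(credential),
                               salt, iterations, dklen=length)


def main() -> None:
    target = 128  # bits; constructed target for the comparison
    for name, size in ALPHABETS.items():
        print(f"{name:28s} {bits_per_character(size):5.2f} bits/char, "
              f"{length_for_target(size, target):3d} chars for {target} bits")

    salt = bytes(range(16))        # constructed; a real system uses os.urandom(16)
    precomposed = "caf\u00e9"      # 'café' written with U+00E9
    decomposed = "cafe\u0301"      # 'cafe' + U+0301 combining acute accent
    # Raw bytes differ, but the derived keys agree after NFC normalization.
    print(precomposed.encode("utf-8") == decomposed.encode("utf-8"))  # False
    print(derive_key(precomposed, salt, 1000) == derive_key(decomposed, salt, 1000))  # True


if __name__ == "__main__":
    main()
```

Running the block prints roughly 5.17, 6.57 and 16.97 bits per character for the three alphabets, so a 128-bit credential needs 25, 20 or 8 characters respectively; the two `café` spellings produce different UTF-8 bytes but the same PBKDF2 key. The iteration count of 1000 in `main` is only to keep the demonstration fast; the default of 100,000 is the more realistic setting.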

UniVault leverages the ubiquitous support of Unicode in all major operating systems and programming languages to deliver the world's strongest authentication for any system that requires a password or passphrase. In other words, just about everything.