
The internet was launched in the 1990s based upon generations of technologies that went before. It was designed for the exchange of information, not value. Now, we live in a networked world of information and value exchange, and are trying to retrofit the mechanisms for commerce to a flawed structure. That is why we are failing, and failing fast.
The core issue is identification, verification and authentication. The internet began with us simply trading words and exchanging information. Then we began to trade on that network, but it had no structure for trade. The result is that electronic commerce began with usernames and passwords at its core. Words and text.
Fast forward thirty years, and we have to ask: how come we are using 1960s technology in 2025? In fact, how come we are using 2,000-year-old technologies in a 21st-century world?
[Image. Source: Dashlane]
Anyway, going back to reverse engineering, we are now adding layers to the internet to make commerce secure. Twenty years ago it was SSL, a secondary security layer – truth is that it’s a Secure Sockets Layer – but I think it is secondary. We also added things like secure keys and additional security codes to make things better. Then we added logos and name recognition systems to prove you were dealing with the bank and not a fake bank. Then we added biometrics and facial recognition to access the bank. So now we have a username, password, PIN, biometric and more to get into our banking systems … and then we opened them.
That means we now need to open two or even three different security systems, using a username, password, PIN, biometric and more, just to make a simple transaction. Surely this demonstrates that the internet was not built for banking and commerce?
So, what do we do to solve it?
Well, I blogged the other day about zero-knowledge proof (ZKP), a cryptographic technique where you can prove that you are you without revealing any information about yourself. Let’s explore that in a bit more detail.
Zero-knowledge proofs (ZKPs) are a cryptographic method used to prove knowledge about a piece of data, without revealing the data itself.
The way it works is that a provider asks for proof that you are you, and so you reveal a piece of information digitally that shows you are you, without revealing any private data. It is all encrypted and anonymised, but verified and secured.
The example most use is Where’s Wally?
The bank wants to know that you are you. You want to prove to the bank that you are you. So the bank asks where’s Wally, and you show the picture covered but with a small cut-out that shows the bank Wally. The bank now knows you are you, because you showed them where Wally was, but the bank has no idea about the rest of the picture. You have kept everything private, except for the fact that you could prove where Wally was to prove that you are you. This video explains it well, with far more detail:
There is also a great explanation over here at Chain:
A zero-knowledge proof works by having the verifier ask the prover to perform a series of actions that can only be performed accurately if the prover knows the underlying information. If the prover is only guessing as to the result of these actions, then they will eventually be proven wrong by the verifier’s test with a high degree of probability.
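The challenge-and-response loop described above, as an added example that is not from the original post or from Chain: a textbook Schnorr-style identification protocol with one-bit challenges, where the prover shows it knows the secret exponent x behind a public value y without sending x. The group parameters, class names and round count are assumptions chosen for illustration, and the toy group is far too small for real use.

```python
import secrets

# Toy group constructed for this example: P = 2*Q + 1 with P and Q prime;
# G = 4 generates the subgroup of order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (secret x, public y = G^x mod P)."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def check(y, t, b, s):
    """Verifier's test for one round: G^s == t * y^b (mod P)."""
    return pow(G, s, P) == (t * pow(y, b, P)) % P

class HonestProver:
    """Knows x, so it can answer either challenge bit."""
    def __init__(self, x):
        self.x = x
    def commit(self):
        self.r = secrets.randbelow(Q)      # fresh mask every round
        return pow(G, self.r, P)
    def respond(self, b):
        return (self.r + b * self.x) % Q   # r hides x in the response

class GuessingProver:
    """Does not know x: bets on the bit and shapes t to fit that bet."""
    def __init__(self, y):
        self.y = y
    def commit(self):
        self.guess = secrets.randbits(1)
        self.s = secrets.randbelow(Q)
        # t = G^s * y^(-guess); y has order Q, so y^(Q-guess) = y^(-guess)
        return (pow(G, self.s, P) * pow(self.y, Q - self.guess, P)) % P
    def respond(self, b):
        return self.s                      # only valid when b == guess

def verifier_accepts(prover, y, rounds=40):
    """Accept only if every round passes; a guesser survives 2^-rounds."""
    for _ in range(rounds):
        t = prover.commit()                # commitment comes first
        b = secrets.randbits(1)            # then the random challenge
        if not check(y, t, b, prover.respond(b)):
            return False
    return True
```

The guessing prover passes a single round only when its bet matches the verifier's bit, which is why repeating the round drives its chance of being accepted towards zero.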
They also distinguish between Zero Knowledge and Zero Trust:
“Zero knowledge” refers to the specific cryptographic method of zero-knowledge proofs, while “zero trust” is a general cyber security model used by organizations to protect their data, premises, and other resources.
The zero-trust framework assumes that every person and device, both internal and external to the network, could be a threat due to malicious behaviour or simple incompetence.
The ZKP space is fascinating and, within a few years, I can see this becoming the main way in which we identify ourselves for commerce and value exchange.
What interests me is that, as we are developing a new internet of value exchange based upon zero trust and zero knowledge, will we do it in a good way?
We can build a new value network, but will ZKPs replace usernames and passwords or, more likely as banks are banks, will we just add ZKPs to usernames, passwords, PINs and biometrics as an extra layer of defence?
Let’s just keep complicating everything.

Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News.