An X.509 cert binds an identity to a key pair, not to a device, whereas a Circle tie is bound to one mobile device through the application. The same cert may be installed on many devices (and, unless exceptional steps are taken, it must be installed on every device that generates or reads email for that address).
As a result, possession of the cert (strictly, of its private key) is sufficient to impersonate that email address. Virtually all X.509 private keys are password protected, so that password is the one extra thing an attacker needs for this exploit to work.
To use Circle-of-Trust, you first need to configure your access policies to trigger zero-trust identity verification. This can be done by adding a policy that requires users to perform multi-factor authentication, or by using another mechanism that supports this feature. Once this is done, users will be prompted to verify their identity when they attempt to access sensitive data or perform sensitive actions.
Circle-of-Trust can be used with any type of authentication system, including biometric systems that keep a human in the loop. It is also compatible with a wide range of applications and services, making it easy to integrate into your existing infrastructure.
"Blockchain" and "Distributed Ledger Technology" (or "DLT") are two very big buzzwords today that are often misunderstood or misused. Here is where Circle fits.
Blockchain is a decentralized, distributed and often public type of database in which data is saved in blocks, and each block carries a hash computed over the previous block, so that altering any block invalidates every block after it. Blockchains are credited with a set of characteristics such as transparency, immutability and scalability.
Blockchain vs DLT – An Explanatory Guide
Blockchain has many compelling applications and use cases, but most of them revolve around some form of enabling parties that do not trust each other to verify a transaction without involving any intermediary.
This is a definition according to the framework of the 'Crypto' world.
DLT is a digital system for recording transactions of assets, even when the data is stored at multiple places simultaneously. It might sound like a traditional database, but it differs in that there is no central storage location or administration function: every node of the ledger processes and validates every item, and in this way contributes to generating a record of each item and building a consensus on each item's veracity.
Some of the advantages of DLT are considered to be the following.
The most important thing to understand is that Blockchain is a form of DLT - one type, a sub-set. DLT is the broader concept.
Circle's internal, immutable DLT meets - and exceeds - all of these advantages, and was architected for similar objectives.
The way it works in Circle is that each device generates a ledger, an append-only file, of its actions. That is all it can do. Every device gets a copy of every other device's file, and the complete ledger of all the actions between that group of devices is assembled at run time, when the user is viewing or working. If something is edited or deleted, an entry recording the edit or deletion is appended to the ledger of the device that did it; when the data is displayed, the edit or deletion is applied, but the original entry is unchanged. No device can change the entries of another, and any change made nefariously can be detected.
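As an added illustration of the scheme described above (example code written for this page, not Circle's implementation or file format): each device appends hash-chained, Ed25519-signed entries to its own file, the group view is assembled at run time from the copies of all files, an edit or deletion is just another entry, and an in-place change to another device's entries fails verification. The device names, the "put"/"del" operations, the shared logical clock and the sample notes are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Entry is one record in a device's append-only ledger file. Op is "put" (create or
// edit) or "del"; Ts is a logical timestamp used only for ordering; Prev chains to the
// hash of the previous entry written by the same device.
type Entry struct {
	Device, Op, Key, Value, Prev string
	Seq, Ts                      int
	Sig                          []byte // the writing device's Ed25519 signature
}

func (e Entry) payload() []byte {
	return []byte(fmt.Sprintf("%s|%d|%d|%s|%s|%s|%s", e.Device, e.Seq, e.Ts, e.Op, e.Key, e.Value, e.Prev))
}

func (e Entry) hash() string { return fmt.Sprintf("%x", sha256.Sum256(e.payload())) }

var clock int // hypothetical logical clock shared by the demo devices

// Device owns a signing key and its own ledger file; appending is all it can do.
type Device struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	Ledger []Entry
}

func NewDevice(name string) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{Name: name, Pub: pub, priv: priv}
}

// Append chains and signs a new entry; an edit or deletion is just another entry.
func (d *Device) Append(op, key, value string) {
	prev := ""
	if n := len(d.Ledger); n > 0 {
		prev = d.Ledger[n-1].hash()
	}
	clock++
	e := Entry{Device: d.Name, Seq: len(d.Ledger), Ts: clock, Op: op, Key: key, Value: value, Prev: prev}
	e.Sig = ed25519.Sign(d.priv, e.payload())
	d.Ledger = append(d.Ledger, e)
}

// VerifyLedger checks a copy of one device's file against that device's public key:
// contiguous sequence numbers, an unbroken hash chain and a valid signature per entry.
func VerifyLedger(pub ed25519.PublicKey, ledger []Entry) error {
	prev := ""
	for i, e := range ledger {
		if e.Seq != i || e.Prev != prev || !ed25519.Verify(pub, e.payload(), e.Sig) {
			return fmt.Errorf("%s: ledger altered at seq %d", e.Device, i)
		}
		prev = e.hash()
	}
	return nil
}

// Materialize assembles the group's current view at run time from the copies of every
// device's file. Edits overwrite and deletions hide keys in the view only.
func Materialize(files ...[]Entry) map[string]string {
	var all []Entry
	for _, f := range files {
		all = append(all, f...)
	}
	sort.SliceStable(all, func(i, j int) bool { return all[i].Ts < all[j].Ts })
	view := map[string]string{}
	for _, e := range all {
		if e.Op == "del" {
			delete(view, e.Key)
			continue
		}
		view[e.Key] = e.Value
	}
	return view
}

// Scenario: two devices in one circle; Bob's copy of Alice's file is then altered in place.
func Scenario() (map[string]string, error) {
	alice, bob := NewDevice("alice"), NewDevice("bob")
	alice.Append("put", "note1", "draft")
	bob.Append("put", "note2", "hello")
	alice.Append("put", "note1", "final") // edit: a new entry, the draft entry stays
	bob.Append("del", "note2", "")        // deletion: likewise only an entry
	view := Materialize(alice.Ledger, bob.Ledger)

	forged := append([]Entry(nil), alice.Ledger...) // Bob's copy of Alice's file
	forged[0].Value = "forged"
	return view, VerifyLedger(alice.Pub, forged)
}

func main() {
	view, err := Scenario()
	fmt.Println("view:", view, "tamper check:", err)
}
```

Run with `go run .`: the view shows note1 as "final" and note2 gone, while both original entries remain in the files, and the altered copy of Alice's file fails at seq 0 because only Alice's key can produce a valid signature over its entries. The logical clock stands in for whatever ordering a real deployment uses (a wall clock or vector clock); a hash chain alone would only catch truncation, which is why each entry is also signed.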
In the wider world of DLT, the presence of adversarial nodes is a potential issue because the ledger is spread across thousands or millions of users and all kinds of servers owned by the different parties participating in a shared ledger. With Circle that is not an issue, because the DLT is internal to an AES-256 encrypted "Circle" shared by a small number of users.
Most people don't differentiate, and of course Blockchain is the sexy term to use. But there are several differences that are critical to the kinds of use cases that Circle is focused on solving.
When you want a digital currency, for example, the consensus overhead that comes with Blockchain is worthwhile. But when you just want immutable, auditable data trails that can be trusted, it is preposterous.
Circle has an internal immutable DLT, not Blockchain. We have all the benefits of Blockchain - Immutable, Encrypted, Private but Trusted, Verifiable, Auditable - with none of the overhead.
When we have use cases that require Blockchain, Circle will integrate with it, especially the Calendar Hashchain, whose proof-of-participation architecture is orders of magnitude faster and scales to the whole Internet. The "block" of a blockchain, the protected data of the whole transaction or whatever it is, in our case lives inside Circles, but with speed and scalability.
But that's the topic for another day!
Yes. "MFA bombing" (also called MFA prompt bombing or MFA fatigue) is a new type of exploit that defeats traditional MFA that many organizations believe to be quite strong. This recent article in Ars Technica provides a good summary.
As Ars Technica points out, any MFA is better than no MFA. But there are important differences between types of MFA, and common vulnerabilities in the types in widest use today.
Circle Access, on the other hand, uses three very strong factors that are immune to cloud-based attacks of all kinds: phishing, pharming, spoofing, MFA prompt bombing and so on.
With Circle, authentication is device specific. The only avenue left to an attacker is to get onto the device itself.
Circle leverages the OS-native biometric scanning capabilities of the device to ensure that the authorized user is in fact the one using it.
Traditional MFA relies on channels that are weak and spoofable: SMS, email and one-time codes, which can be read from the wrong device or typed into a look-alike site. Circle Access instead has you do something that uniquely proves your authenticity: sign a cryptographic challenge.
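To show what signing a challenge with a device-held key buys over a typed code, here is an added example of a generic challenge-response exchange with both sides' steps (written for this page; it is not Circle Access's protocol or API). The origin names, device ID, one-minute expiry and the nonce-plus-origin message layout are assumptions of the example, in the same spirit as the origin binding WebAuthn uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Server holds the public keys enrolled per device and the outstanding nonces.
type Server struct {
	Origin  string                       // the site the user is really signing in to (assumed)
	devices map[string]ed25519.PublicKey // device ID -> key enrolled at registration
	pending map[string]time.Time         // nonce -> expiry; removed when consumed
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, devices: map[string]ed25519.PublicKey{}, pending: map[string]time.Time{}}
}

func (s *Server) Enroll(id string, pub ed25519.PublicKey) { s.devices[id] = pub }

// NewChallenge mints a random nonce valid for one minute and for one use.
func (s *Server) NewChallenge(now time.Time) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	nonce := hex.EncodeToString(b)
	s.pending[nonce] = now.Add(time.Minute)
	return nonce
}

// message is what gets signed: the nonce bound to the origin the device is really
// talking to, so a signature produced for a look-alike site is useless here.
func message(origin, nonce string) []byte { return []byte(origin + "\x00" + nonce) }

// Verify consumes the nonce first, then checks expiry, enrolment and the signature.
func (s *Server) Verify(id, nonce string, sig []byte, now time.Time) error {
	exp, ok := s.pending[nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, nonce) // single use: a replayed response fails above
	if now.After(exp) {
		return errors.New("challenge expired")
	}
	pub, ok := s.devices[id]
	if !ok || !ed25519.Verify(pub, message(s.Origin, nonce), sig) {
		return errors.New("device not enrolled or signature not valid for this origin and nonce")
	}
	return nil
}

// DeviceKey is the device side: the private key never leaves the device.
type DeviceKey struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDeviceKey(id string) DeviceKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return DeviceKey{ID: id, priv: priv}
}

func (d DeviceKey) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Respond signs the nonce with the origin the app sees on its own connection,
// never an origin asserted by whoever delivered the nonce.
func (d DeviceKey) Respond(seenOrigin, nonce string) []byte {
	return ed25519.Sign(d.priv, message(seenOrigin, nonce))
}

// Scenario runs a real login, a replay, a relayed (phished) challenge and an expired one.
func Scenario() map[string]error {
	now := time.Now()
	srv := NewServer("https://app.example") // hypothetical origin
	dev := NewDeviceKey("phone-1")          // hypothetical device ID
	srv.Enroll(dev.ID, dev.Public())
	out := map[string]error{}

	n1 := srv.NewChallenge(now)
	sig1 := dev.Respond("https://app.example", n1)
	out["login"] = srv.Verify(dev.ID, n1, sig1, now)
	out["replay"] = srv.Verify(dev.ID, n1, sig1, now) // same response sent again

	// A look-alike site relays the real nonce; the device signs for the origin it sees.
	n2 := srv.NewChallenge(now)
	sig2 := dev.Respond("https://app-example.evil", n2)
	out["relayed"] = srv.Verify(dev.ID, n2, sig2, now)

	n3 := srv.NewChallenge(now)
	sig3 := dev.Respond("https://app.example", n3)
	out["expired"] = srv.Verify(dev.ID, n3, sig3, now.Add(2*time.Minute))
	return out
}

func main() { fmt.Println(Scenario()) }
```

Only the genuine login succeeds: the same response sent twice fails because the nonce is consumed, the nonce relayed through a look-alike site fails because the device signed it for the origin it actually saw, and a stale nonce fails on expiry. A six-digit code has none of these properties, since it is valid wherever it is typed within its window. The remaining attack surface is the one the text names, getting onto the device that holds the private key.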
Once again, the only way to break this is to get possession of the device. So, for the highest-value use cases, Circle adds one entirely new method of authentication.
Circle-of-Trust human-in-the-loop identity verification. Even if the device is physically stolen or remotely hacked, escalation to Circle-of-Trust can force the attacker to "lift the veil" and be identified directly, in person. This happens completely out of band and directly between the parties, so no CoT bombing is possible.
And of course the other vital role for Circle-of-Trust: protecting your super-powers!
Even when companies use FIDO2-based MFA everywhere, Nobelium has been able to defeat the protection. That bypass, however, was possible only after the hackers completely compromised a target's Active Directory, the heavily fortified database tool that network admins use to create, delete, or modify user accounts and assign them privileges to access authorized resources. That bypass is beyond the scope of this post because once an AD is hacked, it's pretty much game over.
Ars Technica: Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA