Decentralized Access Rights Control – DARC

Conventional access rights management systems depend on a centralized authority that all members must trust. For blockchains, which are decentralized by design, such centralized trust systems are a poor fit.

We built DARCs, a group-management system on steroids that allows decentralized administration and delegation of identities. It is used in the OmniLedger blockchain and differs from conventional group management in two ways: first, there is no central handling of the links between identities and groups. Second, delegation is expressed with generic AND/OR expressions.

Here are some solutions you can create using DARCs:

Using Multiple Devices

The demonstrator at C4DT allows access to your identity on the blockchain from multiple devices. This is done by delegating signing authority to more than one DARC. Every device has its own private key. If a device is lost, the corresponding DARC can simply be removed from the links, and nobody will be able to use this device to log in anymore. The same mechanism can be used when a device needs to rotate its key for security reasons.

n-Factor Authentication

Some applications need more than one source of authentication for security reasons. This is often done with an SMS to prove that you also hold a phone. Using DARCs, you can delegate a 2nd or 3rd factor to any device you wish. It can be a phone or another desktop computer. It can even be the phone of somebody else!

Account Recovery

It happens to all of us: we lose a password or our phone gets stolen. Using DARCs, you can delegate trust to a group of persons, so that they can recover your account. Some examples:

  • Your best friends can recover your account. But only if 3 out of 5 confirm that you did lose your account.
  • Your boss together with your system administrator can recover your working account.
  • You, as dad or mom, can recover your kids’ accounts.
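As an added example (not DARC's own code or rule syntax; the rule forms, DARC names and keys are constructed here), a small Python evaluator for delegation rules of the kind described in the multi-device and account recovery sections: an account DARC delegates to per-device DARCs and to a 3-of-5 threshold of friends, a lost device is revoked by dropping its link, and a key rotation touches only that device's DARC.

```python
from typing import Dict, FrozenSet

# Rule forms (constructed for this example, not DARC's own syntax):
#   ("id", name)           satisfied when that key signed
#   ("darc", name)         delegation: satisfied when the named DARC's rule is
#   ("and", ...)/("or", ...)   all / any of the sub-rules hold
#   ("threshold", k, ...)  at least k sub-rules hold (e.g. 3 of 5 friends)
MAX_DEPTH = 16  # bounds delegation chains and stops DARC A -> DARC B -> DARC A loops

def evaluate(rule: tuple, signers: FrozenSet[str], darcs: Dict[str, tuple], depth: int = 0) -> bool:
    """True if the signers satisfy the rule; fails closed on depth or missing DARCs."""
    if depth > MAX_DEPTH:
        return False
    kind, args = rule[0], rule[1:]
    if kind == "id":
        return args[0] in signers
    if kind == "darc":
        target = darcs.get(args[0])  # a removed DARC simply never grants access
        return target is not None and evaluate(target, signers, darcs, depth + 1)
    if kind == "and":
        return all(evaluate(r, signers, darcs, depth + 1) for r in args)
    if kind == "or":
        return any(evaluate(r, signers, darcs, depth + 1) for r in args)
    if kind == "threshold":
        return sum(evaluate(r, signers, darcs, depth + 1) for r in args[1:]) >= args[0]
    raise ValueError(f"unknown rule kind {kind!r}")

def build_registry() -> Dict[str, tuple]:
    """Constructed sample: the account DARC delegates to device DARCs and to friends."""
    friends = ["alice", "bob", "carol", "dave", "erin"]
    return {
        "laptop": ("id", "laptop-key"),
        "phone": ("id", "phone-key"),
        "account": ("or",
                    ("darc", "laptop"),  # any enrolled device may sign
                    ("darc", "phone"),
                    ("threshold", 3, *[("id", f) for f in friends])),  # recovery
    }

def revoke_device(darcs: Dict[str, tuple], device: str) -> None:
    """Lost device: drop its link from the account DARC; nothing else changes."""
    rule = darcs["account"]
    darcs["account"] = (rule[0], *[r for r in rule[1:] if r != ("darc", device)])

def rotate_key(darcs: Dict[str, tuple], device: str, new_key: str) -> None:
    """Key rotation touches only the device's own DARC, not the account DARC."""
    darcs[device] = ("id", new_key)

def can_sign(darcs: Dict[str, tuple], *signers: str) -> bool:
    return evaluate(darcs["account"], frozenset(signers), darcs)
```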

Possible Extensions

Currently, only simple signing schemes are implemented in the AND/OR expressions, but other sources could be included, such as W3C’s DIDs, or anonymous group signatures, where you prove only that you belong to a group while staying anonymous.

Including centralized authentication systems such as LDAP or OAuth is also possible, but more complicated, because a translator component must bridge the centralized system and the decentralized one.