
Which is why you have no business writing security sensitive software.

Maybe come back in a few years after some more study and understanding of this world.


Oh you are 15. I’m glad you are playing in this space! Cybersecurity is a rewarding career.

With due respect to the fact you are making an effort to get into the scene, congratulations for making the effort to share! Maybe just hold off on saying it’s going to “change the world”. We never say unhackable.

But in all seriousness, you do not have sufficient exposure or time in the field to sufficiently understand the threats your product is trying to defend against.

You are proposing replacing people’s security systems with your new unhackable thing. But it’s missing essential parts.

Schneier’s Law: any person can invent a security system so clever that they can’t think how to break it.

Keep playing, but maybe hold off on the “products” for a few more years while you learn the rest of the field, otherwise you may be doing harm to people, people’s data, etc.


Thanks for pointing that out. To clarify, the text and ideas are entirely mine, though I do use tools to help structure my thoughts sometimes. I’m here to learn from feedback like yours, and I’m genuinely trying to improve my understanding of the field.

I understand that the way I explain things might come off differently compared to more seasoned security professionals, and I’ll work on improving the system as I continue learning. I’m very hands-on in my approach, from testing to developing, and the feedback I’m receiving is helping me see where I can improve, especially in how I communicate technical concepts.

I appreciate the constructive criticism, and I’ll keep working to make sure I’m approaching things with the depth and accuracy expected in the field. Thanks for the advice!

Best,


Thanks for your feedback! I just wanted to clarify that I'm not your average 15-year-old. I've been actively involved in security testing, malware analysis, and have even been in trouble after hacking into my school's system when I was 14—so I understand the weight of security and the challenges involved.

That said, I definitely respect the complexity of the field and the importance of experience. I’m still learning every day and appreciate the insights from more seasoned professionals. While I may have had some early experiences, I realize there’s always more to learn, especially when it comes to ensuring my systems are truly secure and ready for the real world.

I’ll be taking the feedback seriously and continuing to build on my knowledge. Thanks again for sharing your thoughts!


If you've not seen it already, Ross Anderson's book is both excellent and free (second edition at least; the third edition has free chapters and doesn't cost much).

Security Engineering: https://www.cl.cam.ac.uk/~rja14/book.html

His student network socials are filled with examples of defeating various commercial security systems.


Also it’s super obvious this text is AI “enhanced” (if not entirely synthetic from your notes?).

That’s why folks all said the same thing. Real security people don’t talk like this.

Be really careful. You are at an age, at a point in history, where most written text you are going to read is AI slop. Don’t be part of the problem here.

Written entirely by a human with no AI assistance.


I did the same thing at your age, re school, so I understand. I also liked coming up with auth schemes.

One thing I would suggest is dropping the mail component and not involving it at all - you are using this as a weak second factor, exportable; monthly rotation. Bind it to a hardware key instead and use proper cryptography.


Thank you for your feedback, we will redefine some parts soon.

First up, you won’t win over security people with big claims of being the future of auth. This ain’t it chief.

The future of auth is probably something involving public key cryptography and zero knowledge proofs. This scheme is just complicated and fragile with moving parts, emails, reconstructing codes, etc.

With all due respect, this scheme is flawed. Individual servers should not be storing user password components in the clear for reconstruction. Monthly Magic Links. 9 digit codes. Pink codes? The state of the art today is a hardware enclave with a private key, and an authentication scheme that is bound to the website using browser APIs.

You might want to reconsider the name because it’s way too close to an actual real security vendor who names things this way.
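The model the two comments above point to (a private key that stays inside a hardware key or enclave, and an assertion that is bound to the website through browser APIs rather than to an email inbox), shown as an added Go example. This is not code from the thread, from FortLock, or from any WebAuthn library; it is a simplified WebAuthn-style exchange in which the names Authenticator, Sign and Verify, the RP ID example.com, the origins and the challenge strings are all made up for illustration, and the real authenticatorData (flags, signature counter) is reduced to the RP ID hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator stands in for the hardware enclave: the private key is
// generated inside it and only signatures ever leave.
type Authenticator struct {
	key *ecdsa.PrivateKey
}

// NewAuthenticator generates a fresh P-256 key, as a security key does at registration.
func NewAuthenticator() (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: key}, nil
}

// PublicKey is all the relying party stores; a server breach leaks no secret.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey {
	return &a.key.PublicKey
}

// ClientData mirrors WebAuthn's clientDataJSON. The browser, not the web page,
// fills in the origin it actually loaded, which is what ties the assertion to the site.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives (simplified; see the lead-in).
type Assertion struct {
	RPIDHash       [32]byte
	ClientDataJSON []byte
	Signature      []byte
}

// Sign models one authentication ceremony. observedOrigin is what the browser saw;
// the signature covers sha256(rpID) || sha256(clientDataJSON).
func (a *Authenticator) Sign(rpID, observedOrigin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: observedOrigin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: rpHash, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the relying-party side: the challenge it issued, the origin it serves,
// the RP ID it registered under, and the signature must all check out.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, as Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch: assertion was made for another site")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("rpId hash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(as.RPIDHash[:], cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	// Constructed values: the RP ID, its origin and a one-time challenge it issued.
	as, _ := auth.Sign("example.com", "https://example.com", "one-time-challenge-1")
	fmt.Println("genuine origin:", Verify(auth.PublicKey(), "example.com", "https://example.com", "one-time-challenge-1", as))
	// Same key, but the browser observed a different origin: the RP rejects it.
	other, _ := auth.Sign("example.com", "https://example.com.other.test", "one-time-challenge-1")
	fmt.Println("other origin:", Verify(auth.PublicKey(), "example.com", "https://example.com", "one-time-challenge-1", other))
}
```

Two things in this model do the work that a mailed code or a reconstructible password share cannot: the server keeps only a public key, so there is nothing on Server A, B or C to reassemble, and every assertion is signed over a fresh server challenge plus the origin the browser observed, so a response captured or produced on another site does not verify for the real one.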


Thanks for your insights! I just wanted to clarify a few points about how the system works, as I think there may have been some misunderstanding.

Everything in FortLock is decentralized:

Server A and Server B store hashed parts of the password, not the password itself, and they’re tied together via the Levelpoint stored on Server C. No single server has access to enough information to reconstruct the full password. The Levelpoint is an additional layer of security, ensuring that even if one server is compromised, it’s useless without the other two. We’ve also implemented several precautionary steps across these servers to ensure security, including encryption and independent infrastructures for each. The intention behind using this decentralized approach was to reduce the risk of having a single point of failure. I understand that there are other state-of-the-art methods like public key cryptography and hardware enclaves, and I’m exploring those further as I continue developing this system.

I really appreciate your feedback—it helps me refine my approach and stay grounded in what's proven. I’ll definitely take this into account as I work to improve FortLock.

Thanks again for taking the time to comment!

Best,

