Facebook has attracted attention through the announcement of their blockchain-based payment network, Libra. This won’t be the first payment system Facebook has launched, but what makes Facebook’s Libra distinctive is that rather than transferring Euros or dollars, the network is designed for a new cryptocurrency, also called Libra. This currency is backed by a reserve of nationally-issued currencies, and so Facebook hopes it will avoid the high volatility of cryptocurrencies like Bitcoin. As a result, Libra won’t be attractive to currency speculators, but Facebook hopes that it will, therefore, be useful for its stated goal – to be a “simple global currency and financial infrastructure that empowers billions of people.”
Reducing currency volatility is only one step towards meeting this goal of scaling cryptocurrencies to billions of users. The Libra blockchain design addresses how the network can maintain the high throughput and low transaction fees needed to compete with existing payment networks like Visa or MasterCard. However, a question that is equally important but as yet unanswered is how Facebook will develop a secure authentication and fraud prevention system that can scale to billions of users while maintaining good usability and low cost.
Facebook designed the Libra network, but in contrast to traditional payment networks, the Libra network is open. Anyone can send transactions through the network, and anyone can write programs (known as “smart contracts”) that control how, and under what conditions, funds can move between Libra accounts. To comply with anti-money-laundering regulations, Know Your Customer (KYC) checks will be performed, but only when Libra enters or leaves the network through exchanges. Transactions moving funds within the network should be accepted if they meet the criteria set out in the applicable smart contract, regardless of who sent them.
The Libra network isn’t even restricted to transactions transferring the Libra currency. Facebook has explicitly designed the Libra blockchain to make it easy for anyone to implement their own currency and benefit from the same technical facilities that Facebook designed for its currency. Other blockchains have tried this. For example, Ethereum has spawned hundreds of special-purpose currencies. But programming a smart contract to implement a new currency is difficult, and errors can be costly. The programming language for smart contracts within the Libra network is designed to help developers avoid some of the most common mistakes.
Facebook’s Libra and Securing the Calibra Wallet
There’s more to setting up an effective currency than just the technology: regulatory compliance, a network of exchanges, and monetary policy are essential. Facebook, through setting up the Libra Association, is focusing its efforts here solely on the Libra currency. The widespread expectation is, therefore, at least initially, the Libra cryptocurrency will be the dominant usage of the network, and most users will send and receive funds through the Calibra wallet smartphone app, developed by a Facebook subsidiary. From the perspective of the vast majority of the world, the Calibra wallet will be synonymous with Facebook’s Libra, and so damage to trust in Calibra will damage the reputation of Libra as a whole.
The Calibra wallet will be where Facebook must focus its attention on authentication and fraud prevention. Its authentication system may draw from the extensive experience of Facebook securing its social network, but the requirements are not the same. Not only will Calibra wallets be more tempting for criminals than Facebook accounts, but Calibra users likely will feel more strongly about losing their money than a Facebook account. Facebook’s approach to protecting its social network has been to prioritise gaining new users and facilitating the collection and sharing of their data, sometimes at the cost of security. For Calibra wallets, Facebook plans to take a different approach.
Password protection for access to a Calibra wallet likely will be the first level of security, but won’t be sufficient because passwords can readily be obtained, for example through breaching other services where the password is re-used. Possible alternatives include:
- Two-factor authentication (2FA) that additionally checks whether the user possesses some device would provide stronger protection.
- SMS-based 2FA is a convenient option but depends on phone networks securing access to replacement SIM cards, and many don’t.
- Specialised authentication hardware, such as the FIDO U2F tokens Facebook already supports, could be another option.
- Biometrics could also play a part, but depends on having an appropriate sensor available and so won’t be an option for every user.
None of these measures will be perfect. Passwords can be forgotten. Devices can be lost. Biometrics change. Facebook will need to ensure that the process for recovering from such failures doesn’t introduce a weak point in their security.
Security Measures Can Help Prevent Fraudulent Transactions for Facebook’s Libra
The following measures could help limit the number of unauthorised Libra transactions:
- Fraud detection can identify suspicious activity that passes authentication checks but merits further scrutiny.
- Transaction signing helps ensure that movements of Libra match the holder’s intent, even if the user-interface has been maliciously modified.
- KYC checks could help block criminal access to the system while strengthening compliance with regulatory requirements such as anti-money-laundering.
- The risk of mobile malware can be mitigated through application shielding.
Together such measures could greatly limit the number of unauthorised transactions, but to deal with what is left, smart contracts could be developed to revoke disputed transfers.
Calibra can do all this because it is a custodial wallet where Facebook looks after the cryptographic keys controlling access to the user’s Libra account. There’s nothing stopping users from generating their own private keys and linking them to their Libra account. However, such users will no longer benefit from Calibra’s promise to reimburse fraud victims, and they risk losing access to their account if the device that stores their keys is damaged or lost. In exchange, they reduce the risk of losing their funds in the event of a compromise of Calibra’s authentication system. However, if Calibra can maintain an excellent reputation for security, I expect relatively few participants would think the risk of self-managed keys is worth the trade-off.
The Validator Network
Regardless of whether Calibra looks after the keys or users do themselves, someone has to check whether a request to transfer funds is digitally signed by the key corresponding to its owner’s account and whether the applicable smart contract permits the transaction. This is the job of the validator network, which is run by operators with the permission of the Libra Association. (This approach is in contrast to unpermissioned networks like Bitcoin, which relies instead on the less centralised but more environmentally damaging “mining”.)
Libra validators work together to decide which transactions should be accepted and how they move funds. This decision doesn’t have to be unanimous – provided at least two-thirds of the network is acting properly, a consensus will be reached as to the results of valid transactions received. These validation checks, however, only deal with whether transactions meet technical requirements, not necessarily whether they truly reflect the intent of the legitimate holder of funds.
Authentication + A Secure Identity Infrastructure
Not only must Calibra have authentication to assess whether someone is authorised to send money from a particular Libra account, but it also needs a secure identity infrastructure to help the sender of the funds specify the recipient.
Libra accounts look something like this:
This isn’t convenient to remember or even type. An individual can also have many Libra accounts for privacy reasons. Calibra will need to incorporate a system for linking Libra accounts to something that senders of money will find convenient, such as a name or phone number. However, if this link can be interfered with, a criminal could intercept transfers intended for someone else. The white paper describing the Libra Association includes a brief but intriguing mention of their plans to develop an open identity standard, which may help here.
Closing Thoughts on Facebook’s Libra Cryptocurrency
If Libra meets its goal of opening access to low-fee payments to the billions of unbanked individuals, the social benefits will be substantial.
Concerns over money laundering and privacy are the focus of regulators’ attention at the moment. If these can be overcome and Libra reaches wide deployment, the risk of fraud will be Facebook’s next challenge. Effective and reliable authentication, fraud prevention, and identity systems are of critical importance here because the precarious situation of the unbanked population puts the very target market of Libra in the weakest position to recover from failures of these systems.