FortiLock: The Future of Unhackable Authentication

[ahilanv]

Hey there, tech enthusiasts and security pros! Ready to explore the future of secure logins? We’re proud to introduce FortiLock, an innovative, next-level authentication system designed to keep your credentials safe even in a world full of threats.

Imagine this: Even if a hacker knows your password, they still can’t get in. Sounds impossible, right? Well, that’s the magic of FortiLock. Let’s dive in and show you how this works!

What Makes FortiLock So Unhackable? FortiLock is built on a multi-server system, using Servers A, B, and C to split and secure your password in a way that hackers can’t beat. Here’s how it works:

Server A stores the first 5 characters of your password. Server B stores the rest of your password. Server C stores your email and a special code called the Levelpoint. When you log in, all these pieces come together, but here’s the kicker: No single server has enough information to steal your password!

How the FortiLock Login Process Works: Step 1: You Enter Your Email and Password

The system sends a request to Server C to verify your email and levelpoint (a unique code that connects your password parts). Step 2: Password Split Verification

Server C gives the go-ahead to access Servers A and B, which check your hashed password in two parts. Only if both match, you move forward. Step 3: The PinK System

You’ll get an encrypted 9-digit code via email (this code changes every month!). Enter it after your password to complete the login. Why Phishing Doesn’t Stand a Chance: Worried about phishing attacks? We’ve got you covered. Check out how FortiLock makes phishing attacks almost impossible:

Phishing-Resistant URLs: You’ll always access FortiLock via a secure, verified URL. No fake login pages here! Custom Security Phrase: Choose your own security image/phrase that appears on your login page. If it’s missing, you know it’s a phishing attempt. Short-Lived Tokens: FortiLock uses short-lived tokens in each login session, making it impossible for attackers to hijack your session even if they tried. Example: You log in with your email and password. You see your chosen security phrase: "My Secure World." If the phrase isn’t there, you know it’s a scam! Simple and powerful.

FortiLock’s Secret Weapon: The PinK System Even if hackers somehow guess your password, they’re still out of luck. Why? Because of our PinK System, which sends you a fresh 9-digit code every month! That means they’ll need to steal your code too, but it changes before they even get a chance.

FortiLock is Launching SOON! We’re excited to announce that the test version of FortiLock will be publicly available on November 4th. You’ll get to experience how unhackable login truly feels, with all the layers of security FortiLock has to offer!

FortiLock Makes Login Hacking a Thing of the Past No matter how sophisticated cyber threats become, FortiLock is one step ahead. From split password storage to monthly PinK codes, and phishing protection, you’ll always be safe with FortiLock.

Mark your calendars for November 4th and get ready to test the future of login security!

Stay safe. Stay secure. Stay FortiLocked.

[proxynoproxy]

First up, you won’t win over security people with big claims of being the future of auth. This ain’t it chief.

The future of auth is probably something involving public key cryptography and zero knowledge proofs. This scheme is just complicated and fragile with moving parts, emails, reconstructing codes, etc.

With all due respect, this scheme is flawed. Individual servers should not be storing user password components in the clear for reconstruction. Monthly Magic Links. 9 digit codes. Pink codes? The state of the art today is a hardware enclave with a private key, and an authentication scheme that is bound to the website using browser APIs.

You might want to reconsider the name because it’s way too close to an actual real security vendor who names things this way.

[ahilanv]

Thanks for your insights! I just wanted to clarify a few points about how the system works, as I think there may have been some misunderstanding.

Everything in FortLock is decentralized:

Server A and Server B store hashed parts of the password, not the password itself, and they’re tied together via the Levelpoint stored on Server C. No single server has access to enough information to reconstruct the full password. The Levelpoint is an additional layer of security, ensuring that even if one server is compromised, it’s useless without the other two. We’ve also implemented several precautionary steps across these servers to ensure security, including encryption and independent infrastructures for each. The intention behind using this decentralized approach was to reduce the risk of having a single point of failure. I understand that there are other state-of-the-art methods like public key cryptography and hardware enclaves, and I’m exploring those further as I continue developing this system.

I really appreciate your feedback—it helps me refine my approach and stay grounded in what's proven. I’ll definitely take this into account as I work to improve FortLock.

Thanks again for taking the time to comment!

Best,

[bsbsjsusj]

Firstly "unhackable" in the marketing makes me trust it less. Everything is hackable.

I am not sure what the threat vector is that makes this more secure than hashing a password in a single database.

With hashing the server doesn't know your password. If you picked a poor password a hacker with the hash could guess it I suppose but you can mitigate against that.

Also if someone can hack into server A, however they did that is likely to work for B unless they are managed on different clouds by different teams and share no common code or prod access.

[ahilanv]

Thank you for your feedback, and I completely understand your concerns. The term "unhackable" can definitely raise skepticism, and I agree—nothing is completely immune to threats in cybersecurity. However, let me clarify what we mean by FortiLock's approach and how it differs from traditional single-database systems with hashed passwords.

Why FortiLock Is Different: Password Splitting:

The major difference with FortiLock is that instead of hashing and storing the entire password in one place, we split the password across two independent servers (Server A and Server B). Each server holds only a part of the password, which is hashed separately, so even if one server is compromised, the data is useless without access to the other. Decentralization:

You’re absolutely right that if the same vulnerability exists across both servers, the attacker could potentially compromise both. However, FortiLock mitigates this by splitting the infrastructure, often across different environments (or clouds), making it significantly harder for an attacker to breach both. Additionally, Server C handles email and levelpoints, further decentralizing the critical elements needed for a complete attack. So even if someone gets into Server A, without Server B and Server C, they still can’t reconstruct the full credentials. Threat Vectors:

The common attack vector with traditional hashed password systems is that once the server is breached, the attacker may gain access to the full hashed password. With enough resources, they can try brute-force or rainbow table attacks. By splitting the hashed password into two pieces, FortiLock makes it much harder for an attacker to do this, as they'd need to compromise multiple systems and reconstruct the password from two independently hashed pieces. Beyond Poor Passwords:

You're right that even with hashing, weak passwords are still vulnerable. FortiLock reduces this risk with its additional layer, the PinK System, which introduces a dynamic, monthly code that even a stolen password can’t bypass. It’s not just about having the password; it’s about passing several independent checks. Why Not Just a Single Server with Hashing? You're correct that in traditional systems, a hashed password on a single server offers decent security, especially with salting. But FortiLock isn't trying to replace hashing—we still hash the password. The key here is mitigating risk by:

Splitting the attack surface: No one server holds enough data to crack the password. Adding multi-step verification: With the PinK System, an additional layer of dynamic security ensures that even if a password is compromised, it’s not enough to access the account. Can FortiLock Be Hacked? No system is 100% immune, and I totally agree with you—everything is hackable to some extent. What FortiLock aims to do is make the attack surface so complex and decentralized that it becomes far harder and costlier for an attacker to succeed.

[purple-leafy]

Reading your answers is very frustrating, because you keep referencing a “we / we’ve” when it’s clearly a hobby project by a complete beginner.

It sounds like you’ve come up with this idea via ChatGPT or other LLM, and you won’t take any legitimate criticisms. All your responses sound like taking to ChatGPT.

I’d advise not to lean on ChatGPT. It’s cutting corners. Learn deep, read material online

[evs91]

I would personally rebrand it or risk the wrath of Ken Xie and the Fortinet line of "Forti{insert solution type here}: https://www.fortinet.com/products

[processunknown]

and the tarnished security of those products

[ahilanv]

Thank you for your info

[purple-leafy]

I’m not a security person. But this sounds similar to MFA (except for the 3 servers)

So it’s still hackable if you can get the email code?

I don’t see how splitting the password between 3 servers helps, but like I said, I’m not a security person.

Can you dumb it down for me?

[ahilanv]

What Makes FortiLock Different from MFA? You’re right that FortiLock has some similarities to MFA (Multi-Factor Authentication), especially with the PinK system, where a code is sent to your email. However, the big difference with FortiLock is the way your password is stored and verified.

In a traditional system, your entire password (hashed) is stored on one server. If that server gets hacked, the attacker can get the entire hashed password and might eventually crack it, especially if the password is weak.

FortiLock takes a different approach by splitting the password across multiple servers:

Server A stores the first part of your password (say, the first 5 characters). Server B stores the second part of your password (the rest of it). Server C handles your email and something called a levelpoint, which links everything together. Why Splitting the Password Matters: Think of it like this: Imagine you wrote half of your password on a piece of paper and locked it in one safe (Server A), and the other half in a different safe (Server B). To get the full password, someone would need to break into both safes. Even if they get into one safe, the half password is useless without the other part.

In traditional systems, there’s only one safe to protect, but in FortiLock, there are two separate safes (servers) to crack, making it much harder.

Can It Be Hacked if Someone Gets the Email Code? The short answer is: It’s very difficult, because they wouldn’t just need your email code (the PinK code). Even if a hacker somehow got that code, they would still need:

Access to both servers that store your split password parts. The correct levelpoint from Server C to tie it all together. So even with the email code, without those other parts, the hacker is stuck.

Why Splitting Helps (In Simple Terms): Think of your password like a puzzle. If you only have half the pieces, the puzzle is useless. In traditional systems, the hacker can break into one server and steal the whole puzzle. In FortiLock, the puzzle is split into two separate places. So even if the hacker breaks into one place, they don’t have enough pieces to do anything with it. To Sum It Up: FortiLock isn’t just like MFA—it’s about making it much harder for hackers to get to your password in the first place, by splitting it and spreading it out across multiple places. Even if someone gets your email code, they still don’t have enough pieces of the puzzle to break in.

[purple-leafy]

Cut the ChatGPT responses.

[runjake]

I thought Fortinet, a company I deal with every day, was spamming HN for a second.

There are already a number of products, including in the cybersecurity space, with this name trademarked.

If any of them don’t take legal action against you, Fortinet will cease and desist you, and then sue you if you do not comply.

I’m not sure if you didn’t Google the name at all or just ignored the results but next time I’d recommend you paying attention to them.

Good luck.

[ahilanv]

Thank you i never thought about it

[proxynoproxy]

Which is why you have no business writing security sensitive software.

Maybe come back in a few years after some more study and understanding of this world.

[proxynoproxy]

Oh you are 15. I’m glad you are playing in this space! Cybersecurity is a rewarding career.

With due respect to the fact you are making an effort to get into the scene, congratulations for making the effort to share! Maybe just hold off on saying it’s going to “change the world”. We never say unhackable.

But in all seriousness, you do not have sufficient exposure or time in the field to sufficiently understand the threats your product is trying to defend against.

You are proposing replacing people’s security systems with your new unhackable thing. But it’s missing essential parts.

Schneier’s Law: any person can invent a security system so clever that they can’t think how to break it.

Keep playing, but maybe hold off on the “products” for a few more years while you learn the rest of the field, otherwise you may be doing harm to people, people’s data, etc.

[ahilanv]

Thanks for your feedback! I just wanted to clarify that I'm not your average 15-year-old. I've been actively involved in security testing, malware analysis, and have even been in trouble after hacking into my school's system when I was 14—so I understand the weight of security and the challenges involved.

That said, I definitely respect the complexity of the field and the importance of experience. I’m still learning every day and appreciate the insights from more seasoned professionals. While I may have had some early experiences, I realize there’s always more to learn, especially when it comes to ensuring my systems are truly secure and ready for the real world.

I’ll be taking the feedback seriously and continuing to build on my knowledge. Thanks again for sharing your thoughts!

[defrost]

If you've not seen it already, Ross Anderson's book is both excellent and free (second edition at least, third edition has free chapters and doesn't cost much)

Security Engineering: https://www.cl.cam.ac.uk/~rja14/book.html

His student network social's are filled with examples of defeating various commercial security systems.

[proxynoproxy]

Also it’s super obvious this text is AI “enhanced” (if not entirely synthetic from your notes?).

That’s why folks all said the same thing. Real security people don’t talk like this.

Be really careful. You are at an age at a point in history where most written text you are going read is AI slop. Don’t be part of the problem here.

Written entirely by a human with no AI assistance.

[proxynoproxy]

I did the same thing at your age, re school, so I understand. I also liked coming up with auth schemes.

One thing I would suggest is dropping the mail component and not involving it at all - you are using this as a weak second factor, exportable; monthly rotation. Bind it to a hardware key instead and use proper cryptography.

[ahilanv]

Thanks for pointing that out. To clarify, the text and ideas are entirely mine, though I do use tools to help structure my thoughts sometimes. I’m here to learn from feedback like yours, and I’m genuinely trying to improve my understanding of the field.

I understand that the way I explain things might come off differently compared to more seasoned security professionals, and I’ll work on improving the system that as I continue learning. I’m very hands-on in my approach, from testing to developing, and the feedback I’m receiving is helping me see where I can improve, especially in how I communicate technical concepts.

I appreciate the constructive criticism, and I’ll keep working to make sure I’m approaching things with the depth and accuracy expected in the field. Thanks for the advice!

Best,

[ahilanv]

Thank you for your feedback we will redefine someparts soon

[runjake]

To counter the other commenter’s harshness (I can be harsh myself): keep at it. I wish I had started as early as you. Eagerly take advice from proven competent people and experiment with wild abandon and don’t fear mistakes.

[theendisney4]

Sounds like an attack vector

[ahilanv]

Hope you guys like my idea if you have any suggestion please let me know