Frequently Asked Questions.
About Trustees:
What is a Trustee?
A Trustee is a trusted computing agent that automates cryptographic identity, authentication and data security for its owner and assigned users. As a result, Trustees relieve mesh members from the burden of managing the overwhelming number of passwords currently required when authenticating to online services. Each Trustee works exclusively on behalf of the member entrusted to their care ensuring a high degree of security, trust and privacy for everyone on the Mesh.
What is the difference between a virtual and a personal Trustee?
Virtual Trustees are automatically assigned to Mesh members from the moment they create an identity. Virtual Trustees can be cloud-based or hosted anywhere on the Mesh, but are physically remote from the members they serve. A personal Trustee, on the other hand, is an in-home, trusted computing device that acts as your personal service agent. Once your phone and personal Trustee are linked, your Trustee takes over the management of your cryptographic identity and keys, standing by in your home to help you recover should you lose your phone or need to reset your Passcode. Instead of calling a service desk and trying to convince them that "you are who your say your are", you can walk right up to your personal Trustee. Because you do not rely on any other human being, this in-person self-service interaction eliminates social engineering and insider attacks on the Mesh.
Where can I buy my own personal Trustee?
I just want to try it out. Do I need to buy a personal Trustee to see how it works?
No. To experience meshing in, simply download the Mesh In Preview app from either the Google Play store (link) or the Apple store (link). While we strongly encourage everyone to have their own personal Trustee, you can get started without one. You will be assigned a virtual Trustee on the Mesh when you enroll. While you will get many of the same benefits that the Mesh offers, you will not enjoy the ultimate security and convenience that having a personal Trustee can provide.
Why do I need a personal Trustee? Can't something like this be done on my phone?
Any security system is only as strong as its weakest link. And when humans are involved, recovery is ALWAYS that weakest link. So the real question is: how can I recover if I lose my phone? If your phone holds your most secure credentials, then you are toast! You have to argue with some remote stranger trying to convince them that you are the legitimate owner of your own identity! In these critical recovery moments, you appear no different than a hacker attempting to impersonate you. Using social engineering, hackers work to those same strangers that they are you so they can steal your identity. In contrast, on the mesh, your personal Trustee is your agent! You just get a new phone and recover your identity from your Trustee, in person, completely on your own. There is no one to socially engineer, which is how the mesh eliminates identity theft and fraud.
Getting started with your Trustee
Your Trustee is a simple device that works on your behalf to authenticate you and seamlessly assert your identity to all your services. It doesn't require a lot of "care and feeding", but taking a few easy steps now will allow it to continue working for you uninterrupted. 1. Setup your Trustee in your own home. Even if you received your personal Trustee from your employer, it is intended to support you across all your services. 2. Plug in your Trustee as close to your WiFi router as practically possible. It will maximize the strength of its connection, and minimize interferences from other appliances (such as microwave ovens). Place it where you can keep an eye on it. While you won't need to interact with it often, it will let you know when your attention is needed. 3. Once plugged in, you will need to configure your Trustee to connect to WiFi. Download and install the Mesh In Preview app to become a member. At the end of enrollment, select "Link with my Trustee" and follow the instructions to get your Trustee online. If you are already a member, tap the "Link Now" link on the Mesh In Preview app homescreen to connect your Trustee to WiFi and link your phone with it. (watch video here)
Choosing a wifi network to connect your personal Trustee
Your personal Trustee is designed to connect to 2.4 GHz WiFi networks. When prompted, to enter the network name and password in the Mesh In app, make sure to enter the name of a 2.4 GHz network only. Most routers support multiple frequency bands (2.4 and 5 GHz). Be aware that the network name and password may be different for the different bands. Also, make sure your Trustee is plugged in where you know the WiFi signal is strong. For the best experience on the mesh, it is important that your Trustee maintain a strong connection to the Mesh at all times.
About the mesh:
What is the mesh?
The mesh is the "trust network". Much like social networks, the mesh enables digital interactions between people and organizations. But unlike traditional social networks, the mesh does not target a specific application or mode of communication. Rather, it is designed from the ground up as a neutral platform to enable digital trust and privacy as a service to all other applications, websites, services and devices, for everyone and every organization.
How do I join the mesh?
The only thing you need to join the mesh is your personal Trustee.
Does the mesh require a subscription?
No, users do not pay a subscription to be on the mesh. Hushmesh charges organizations a small daily usage fee instead.
About "mesh in":
What does it mean to mesh in?
The "mesh in" experience is an easy, secure and password-free alternative to the antiquated "login" process. When you mesh in, you establish a secure connection between your personal Trustee and the website, app, device or physical location you are meshing in to. It eliminates the need for usernames and passwords, as your Trustee knows who you are and can negotiate secure access on your behalf, securely and automatically.
How do I mesh in?
To mesh in, click the "mesh in" button on a website or app. Instead of being asked for a username and password, you will be prompted to scan a "meshtag", i.e. a QR code. Snap the meshtag with the mesh-in app, and the website or app will let you in automatically.
Where can I mesh in?
You can only mesh in on websites and apps that offer the option to do so. Just like every network, the number of participants starts small before growing bigger. Hushsafe is a first sample application where you can mesh in to experience the convenience and security of the mesh. We will update a list of participating organizations on this website. Please check back often.
Where can I learn more about meshing in?
Please check out mesh.in
About security:
Why are in-home hardware Trustees needed? Couldn't it be done in the Cloud?
Trustees are dedicated trusted computing devices that manage the keys of a single household. This decentralized approach maximizes physical isolation and reduces global vulnerabilities typical of centralized systems. Placing the trusted hardware agent in the home of its users enables in-person enrollment and recovery, which eliminates social engineering and insider attacks that are impossible to eliminate any other way.
Why are in-home hardware Trustees needed? Couldn't it be done in a phone?
Trustees are always on, always connected, stationary, dedicated, trusted computing devices in the private home of their users. While today's phones do have security chips that can protect cryptographic credentials, phones are multi-purpose and have a much greater attack surface than single-purpose Trustees. Trustees also enables 24x7 monitoring, real time detection of disconnection and/or anomalous behaviors, and unencumbered software patches and update cycles. Phones get stolen and lost easily and often, and stationary Trustees enable reliable self-service enrollment and recovery with a new phone. Trustees manage their users' keys from within their homes, thereby grounding the entire mesh into a well-established privacy framework legally protected by the constitutions of most democracies around the world.
Why are Trustees the most secure approach?
Trustees are built on Microsoft's Azure Sphere, which sets the new standard for highly secured, internet-connected devices. Azure Sphere is the only solution that delivers the seven essential security properties for the future of connected devices. Trustees are built on a chip with robust hardware security, a defense-in-depth OS, and a cloud security service that actively monitors them and responds to emerging threats.
Trustees are running a small, hardened Linux kernel, and tiny single-purpose application code. The overall attack surface of the system is extremely small compared to today's domain-centric and disparate authentication systems. And because Trustees back up their own cryptographic keys in other, equally trustworthy Trustees, back-up and fail-over mechanisms are as strong and secure as the primary security mode.
As a globally distributed network of dedicated, homogeneous, trusted-computing devices, the mesh becomes a highly resilient decentralized cryptographic cybersecurity infrastructure that is simply not achievable any other way.
Trustees are running a small, hardened Linux kernel, and tiny single-purpose application code. The overall attack surface of the system is extremely small compared to today's domain-centric and disparate authentication systems. And because Trustees back up their own cryptographic keys in other, equally trustworthy Trustees, back-up and fail-over mechanisms are as strong and secure as the primary security mode.
As a globally distributed network of dedicated, homogeneous, trusted-computing devices, the mesh becomes a highly resilient decentralized cryptographic cybersecurity infrastructure that is simply not achievable any other way.
About partnerships:
How can our organization add the mesh as an Identity Provider?
Please contact us at info@hushmesh.com to join our private pilot trials. Once commercially available, your organization will be able to join the mesh by simply adding the mesh as an OpenID Connect or SAML Identity Provider.
How can we add the mesh in experience to our product/service?
Please contact us at info@hushmesh.com to join our private pilot trials. Once commercially available, your organization will simply be able to get access to our public APIs.
How can we integrate your Trustee into our hardware device?
Please contact us at info@hushmesh.com. Although we do not expect to enter into hardware partnerships in 2020, let us know if you have a proposal that we should seriously consider.
About FIDO:
What is FIDO?
From the FIDO Alliance website: "The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords." Translation: FIDO adds authentication factors to the traditional domain-centric username/password paradigm. FIDO is extra security bolted onto flawed legacy authentication.
Is the mesh a FIDO authentication method?
No, the mesh is a full-fledged Identity Provider and Trust Network, not just an additional authentication method. The mesh provides you with a pre-authenticated assertion of who the user is, which means that your organization no longer needs to authenticate mesh users at all.
On the mesh, strong authentication is built-in, not bolted on. Every access request comes from cryptographically-unique Trustees that are monitored 24x7, and certified daily.
On the mesh, strong authentication is built-in, not bolted on. Every access request comes from cryptographically-unique Trustees that are monitored 24x7, and certified daily.
Does FIDO enable cryptographic security and key management?
FIDO uses public key cryptography to add an extra authentication factor. It only does so upon explicit registration with a service by the user. FIDO does not enable any cryptographic capability beyond that, and requires users to handle registrations with each and every service on their own.
In contrast, each Trustee fully automates the management of keys on behalf of its user. The mesh enables the transition to using native keys, not just as an additional authentication factor but for all other purposes such as personal data encryption and/or signing. This is a critical step for upcoming blockchain-type systems (with tamper-proof and non-repudiation characteristics) that require that users handle their own private keys. None of this is contemplated by FIDO.
In contrast, each Trustee fully automates the management of keys on behalf of its user. The mesh enables the transition to using native keys, not just as an additional authentication factor but for all other purposes such as personal data encryption and/or signing. This is a critical step for upcoming blockchain-type systems (with tamper-proof and non-repudiation characteristics) that require that users handle their own private keys. None of this is contemplated by FIDO.
Will FIDO ever help secure all accounts for all users?
FIDO is an industry initiative focused on standardizing two-factor authentication for domain-centric identity systems, primarily to facilitate adoption by service providers. FIDO does not, however, address any of the increased burden and complexity put on end-users by the multitude of accounts and the patchwork of security point-solutions.
FIDO requires people to explicitly register their authenticator with each and every account they want to protect. Worse, the loss of an authenticator makes it harder for users to recover their accounts. The FIDO "best practices" recommend that services encourage users to register multiple authenticators to facilitate recovery. So users are expected to register multiple authenticators, with each and every service they use... No wonder two-factor authentication never really caught on with mainstream consumers, and never will with or without FIDO.
In contrast, the mesh requires a single self-service enrollment with your Trustee to enable all participating services to secure your accounts with it. You also keep your Trustee at home, which minimizes the risk of loss. And if you lose your phone, you can buy a new one and re-enroll once to recover all your accounts. The mesh also enable the same level of authentication, security and trust across all participating domain, thereby enabling entire digital ecosystems to be transact seamlessly.
FIDO requires people to explicitly register their authenticator with each and every account they want to protect. Worse, the loss of an authenticator makes it harder for users to recover their accounts. The FIDO "best practices" recommend that services encourage users to register multiple authenticators to facilitate recovery. So users are expected to register multiple authenticators, with each and every service they use... No wonder two-factor authentication never really caught on with mainstream consumers, and never will with or without FIDO.
In contrast, the mesh requires a single self-service enrollment with your Trustee to enable all participating services to secure your accounts with it. You also keep your Trustee at home, which minimizes the risk of loss. And if you lose your phone, you can buy a new one and re-enroll once to recover all your accounts. The mesh also enable the same level of authentication, security and trust across all participating domain, thereby enabling entire digital ecosystems to be transact seamlessly.
Other miscellaneous questions:
What is your timeline for commercial availability?
Our Trustee are schedule to be production-ready in Q1 2020. We are planning to run pilot trials in Q1-Q2 2020. We hope to reach commercial availability in the second half of 2020. Early pilot partners will get preferred access to early commercial units.
What are PUPs?
Everybody loves hush-puppies. PUPs are utility tokens for potential, unspecified uses on the mesh. We believe Trustees are particularly well equipped to manage tokens, but the company does not guarantee that PUPs will be used for anything at this point in time.