Why Accountless Authorization Matters
Data breaches are nothing new—so much so that they barely surprise us anymore. When a breach is announced, many simply shrug and wait for the inevitable offer of free credit monitoring. In just the third quarter of 2024, over 400 million records were stolen, according to Statista. The Electronic Frontier Foundation recently published a list of some of the biggest data breaches of 2024 and correctly points out that many data breaches would be far less harmful if service providers only collected and stored what they absolutely needed to provide the services they promise.
Traditional login systems depend on your identity and require you to prove who you are before granting access—whether through a username and password, multi-factor authentication, or biometrics. This model assumes identity = access, meaning control over data is tied to an account. However, it also creates vulnerabilities:
- Passwords can be stolen or leaked.
- Centralized authentication systems (password managers) are prone to breaches.
- Users can be tracked and identified, even if they don’t want to be.
But what if access didn’t have to be tied to an identity at all? From the onset, we introduced PrivateStorage with a feature called Accountless Authorization. Unlike traditional authentication systems that rely on usernames, passwords, or accounts, capability-based systems like PrivateStorage operate on the principle of possession—if you have the right capability, you can perform the associated action. This shifts access control from identity-based authentication (e.g., logging in with credentials) to a more decentralized, privacy-preserving model. To better understand this approach, let’s break down some key technical terms.
What Are Capabilities?
In the context of Accountless Authorization, the term capabilities refers to special cryptographic tokens or unique codes that grant access to stored data. These capabilities function as fine-grained access control mechanisms, ensuring that only users with the correct token can retrieve or modify specific data contained on the servers.
Think of a capability like a keycard for a hotel room.
When you check in, you receive a card programmed with access to your room (and maybe the gym or pool). You don’t need to enter a password every time—you just need to have the card. Similarly, in PrivateStorage, your device holds a cryptographic key that grants access to your data.
When you first use PrivateStorage, a capability is automatically created and stored on your device. This capability acts as your secure access key, eliminating the need for an account or password.
Unlike identity-based authentication, capability-based systems operate on possession—meaning if you have the correct access token (a capability), you can perform actions without proving your identity.
- Capabilities are unique cryptographic tokens that specify what actions you can take (read, write, and verify).
- There is no need to verify "who you are"—just that you know the right capability.
- Possession of a valid capability grants access, similar to how possessing a key unlocks a door.
Compare the two systems with this real-world analogy:
- Traditional system (identity-based): You arrive at work and before entering the office building, a security guard needs to check your identity. They then use their own key to unlock the door.
- Capability-based access (possession-based): You arrive at work with your own key. You unlock the door and enter. No ID check is needed.
Why This Matters for Privacy & Security
Security Benefits:
- No Centralized Identity Verification: Your access isn't stored in a central database, eliminating common attack points (e.g., password breaches).
- No Tracking or Surveillance: Since there’s no account, the system doesn’t track "who" is accessing data, only whether a valid capability exists.
- Decentralized and User-Controlled: Users manage their own access tokens, similar to how they keep track of physical keys.
- Seamless Access Transfer: Users can transfer access between devices.
- Unauthorized Access Protection: The system prevents unauthorized use if the capability is lost or deleted.
Compliance with Data Protection Requirements
Accountless Authorization is our way to ensure compliance with the legal requirement of “Data Protection by Design and Default” (see Art. 25 GDPR or Art. 7 of Switzerland's Federal Act on Data Protections). “Data Protection by Design” requires companies to implement technical and organizational measures into a system at the point of its design, development and production and not as an afterthought. "By default,” companies should process personal data with the highest level of privacy protection, ensuring—for example, that only the minimum necessary data is collected, stored for short periods, and has restricted access. Our implementation of Accountless Authorization into the design of PrivateStorage eliminates the need for users to create and maintain accounts, thereby reducing the amount of personal data collected and processed while automatically avoiding the storage of unnecessary personal data.
An Alternative Approach
Accountless Authorization is a game changer for cloud storage and Web3 applications. By removing passwords and eliminating centralized identity tracking, PrivateStorage ensures your data remains truly private and under your control. Would you like to experience secure, accountless access for yourself? Learn more about our privacy-first features here.