background gif
Rosario Cybernetics
October 20, 2025cybersecurity
Fixing Cybersecurity, For Real: An Argument for Replacing Credentials with Verifiable Capabilities

Introduction: Why “Security” Doesn’t Mean What We Think It Means

Cybersecurity, for all its frameworks and funding, keeps failing at the one thing people expect from it: keeping adversaries out and actions accountable. Ransomware wrecks hospitals; deepfakes compromise executives; credential stuffing strolls past billion-dollar defenses; supply-chain compromises turn updates into trojan horses. The public has noticed. So have regulators. Yet the dominant response is still incremental: another password rule, another factor, another awareness campaign about phishing.

This essay argues that incrementalism is no longer a responsible option. The inflection point is not a new firewall or a next-gen antivirus. It is a universal shift away from reusable credentials toward short-lived, verifiable capabilities, witnessed operations that anyone can check, offline, without asking a third party to vouch for them. In short: stop proving who you are with something cloneable; prove what you’re allowed to do with a proof that expires.

That change, concrete, implementable, and measurable, would be world-changing because it strikes the root of cascading failure across identity, privacy, safety, and trust. The practical blueprint is a capability fabric built on proof-of-knowledge, exemplified here by the ENI6MA approach (the Rosario–Wang proof). The broader claim, however, is agnostic to any single implementation: if we don’t replace credentials with verifiable, time-scoped capabilities, the economics of attack will continue to favor adversaries, and the social compact that depends on digital trust will continue to erode.

Thesis: Privacy Is Impossible Without Security, and Security Fails at the Credential Layer

Privacy is not a “nice to have” attached to apps; it is the living space where autonomy, dignity, and free association survive. But privacy is downstream from security. If an attacker can enter your account, impersonate your agent, or alter your records, then privacy guarantees are theater. And the consistent way attackers enter, impersonate, and alter is via credentials: passwords, long-lived tokens, phishable second factors, seeds stored on endpoints, keys that sit in software wallets or dev repos. We have spent decades treating credentials as the primitive for access. It’s time to treat them as the problem to be removed.

Consider the asymmetry:

  • A credential is copyable. Once exfiltrated, it can be replayed anywhere the verifier will accept it.
  • A human is fallible. Push fatigue, consent confusion, and deepfaked voices exploit us at scale.
  • An organization is heterogeneous. The same user operates across SaaS, cloud, mobile, and on-prem with wildly different identity stacks. The weakest link wins.

As long as the front door is a reusable string (even a very long one), modern adversaries will keep strolling in. A world that keeps credentials but “hardens” them accepts that breach is inevitable and tries to recover faster. A world that abandons credentials for verifiable, time-scoped capability witnesses makes the attacker’s job categorically harder, and it makes incident response deterministic: either a tamper-evident proof exists for the action, or it doesn’t.

The Indivisible Paradigm: Security as the Operating System of Privacy

Why insist on this distinction? Because privacy without security is oxymoronic. Confidentiality needs secrecy; integrity needs immutability; authentication needs proofs that aren’t guessable or phishable; anti-surveillance needs traffic that resists correlation. All of these necessities break when your baseline is “something you know,” “something you have,” or “something you are” that can be cloned, farmed, or coerced.

When security fails, the harms aren’t abstract:

  • Individuals suffer anxiety, insomnia, identity theft, reputational damage, and durable loss of trust.
  • Societies suffer democratic fragility (surveillance chills speech; disinformation floods discourse), economic drag (remediation and litigation), and widening inequality (those with the least protection get hurt first and recover last).

Thus, the moral and civic claim is simple: if we care about privacy, we must fix security; if we care about security, we must fix credentials.

Credentials vs. Capabilities: The Category Error at the Heart of Modern Access

Credential model A verifier accepts a long-lived artifact (password, API key, bearer token, seed) as sufficient proof that “this is X.” The artifact can be copied. Once presented, the verifier grants access determined by policies that sit elsewhere. The same artifact can be replayed until revoked or rotated. Defense becomes an exercise in secrets management, rotation schedules, phishing education, and anomaly detection.

Capability model Each operation carries its own witness, a short-lived, policy-scoped proof that binds the operation (what), the context (where/when), and the principal (who) into a verifiable object. Anyone can check acceptance rules offline; no one needs to trust a third party to vouch for it. The witness expires quickly and is narrowly authorized (least privilege). Replay fails because the context (time window, device attestation, policy hash) no longer matches.

Formally, a minimal acceptance condition looks like:

ACCEPT(O,W,Π)    Verifysound(W ⁣ ⁣O)witness proves operation    PolicyOK(Π,O)scope + permissions    Fresh(W)time/nonce window.\textsf{ACCEPT}(O, \mathcal{W}, \Pi) \iff \underbrace{\textsf{Verify}_{\text{sound}}(\mathcal{W}\!\rightarrow\!O)}_{\text{witness proves operation}} \;\wedge\; \underbrace{\textsf{PolicyOK}(\Pi, O)}_{\text{scope + permissions}} \;\wedge\; \underbrace{\textsf{Fresh}(\mathcal{W})}_{\text{time/nonce window}}.

Here OO is the intended operation, W\mathcal{W} the witness transcript (a proof object), and Π\Pi the applicable policy snapshot. No stored secret is consulted; no static identifier grants blanket powers. The proof is the permission.

This is the conceptual pivot: identity becomes the aggregate of provable powers, not possession of a cloneable token.

Why Incrementalism Has Run Out of Road

“Add a factor.” “Rotate faster.” “Train users.” These are improvements, but they can no longer neutralize three compounding realities:

  1. Industrialized social engineering Attackers don’t need zero-days when they can SMS, robocall, or video-deepfake their way to approval fatigue. Humans are not multi-factor oracles under stress.

  2. Ubiquitous replay surfaces From OAuth bearer tokens to long-running cloud credentials, we’ve created countless artifacts whose best property is convenience and worst property is portability.

  3. Agent explosion Software agents will perform a rising fraction of the world’s actions. If agents act with reusable credentials, your blast radius scales with automation. If agents carry short-lived, witnessed capabilities, automation scales safely.

An argument sometimes heard is, “But we already have signed requests.” True, and if those signatures are driven by stored, long-lived private keys, you still have a credential problem. The shift isn’t from “password” to “key.” It’s from stored secret to witnessed proof whose verification does not depend on recovering or safeguarding a long-term secret on an endpoint.

A Technical Blueprint: Witnessed Operations at Planetary Scale

The technical public rightly asks: can this be made simple, fast, and universal? Yes, if we hold to a few design commitments.

1) Stateless, deterministic verification

  • Determinism: A verifier evaluates W\mathcal{W} against OO and Π\Pi with a fixed algorithm. No external oracle required.
  • Statelessness: Verifiers need not retain per-subject history to validate a single witness, though they can log for audit. This keeps verification cheap and horizontally scalable.

2) Ephemerality as a security primitive

  • Short windows (seconds to minutes) transform replay from “always works” to “almost never.”
  • Windowed policy hashes embed the exact rule set that authorized the operation, making after-the-fact disputes resolvable by inspection.

3) Tight scoping (least privilege by construction)

  • Witnesses are minted for one operation or a tiny class of operations, reducing potential harm if misrouted or intercepted.
  • This aligns with capability-secure design, where “what you hand out” is precisely “what you allow.”

4) Human–agent symmetry

  • People and software agents use the same witness fabric; differences are policy and UX. This avoids parallel identity universes with inconsistent guarantees.

5) Operating system integration

  • The capability layer belongs at the OS boundary: system calls, IPC, network egress. When the OS demands a witness per sensitive operation, applications inherit secure defaults instead of reinventing them.

6) Auditable by anyone

  • Public acceptance logic means disputes don’t require trust in a central referee. If your system says “this write happened,” it can produce the witness; anyone can check.

7) Compatibility with privacy

  • Witnesses can be zero-knowledge about the underlying secrets and still prove policy conformity. The verifier learns “allowed now,” not “identity forever.”

ENI6MA’s proof-of-knowledge approach is one concrete instantiation of these commitments: generate capability witnesses that can be checked quickly, offline, without exposing a reusable key. Other constructions may exist; the argument stands independently: the properties above are the point.

Where the World Changes First

Elections and civic processes (public good, no cost)

Precise eligibility checks with time-scoped voting capabilities harden “one person, one vote” without centralizing identity in a surveillant way. Public acceptance rules turn integrity debates into verifiable claims rather than partisan assertions.

Child safety (public good, no cost)

Early enrollment enables authorized responders to validate “this is the child” or “this action is permitted” via privacy-preserving witnesses. Minutes matter; witnesses remove bottlenecks that rely on fragile human verification.

Banking and finance (premium, because risk is quantifiable)

Every transfer, sign, or ledger update carries its own proof. Fraud falls; compliance improves; liability shrinks. When the cost of impersonation spikes, risk adjusts downward and capital can be allocated more efficiently.

Operating systems (universal substrate)

If OSX/Windows/Linux/Android/iOS/Raspberry Pi require witnessed operations at security boundaries, the weakest link problem recedes. Developers stop hand-rolling fragile auth paths; users stop juggling secrets; adversaries lose their favorite pry bar.

Journalism and provenance

Reporters sign content with per-story capabilities; platforms verify quickly at ingestion; consumers gain a reliable provenance signal. The goal is authenticated speech, not censorship: if content is altered, signatures break.

Autonomous agents (bounded, accountable power)

Agents act with tightly scoped, rapidly expiring witnesses. If an agent misbehaves, you revoke its minting policy, not your identity. “Who did what” becomes answerable without ambiguity.

Economics: Make the Attacker Pay Again

Security that works is economics that works. The credential world made attack cheap:

  • Steal once, replay many.
  • Trick once, reuse forever.
  • Compromise one endpoint, own the tenant.

Witnessed operations make attack expensive:

  • Each operation needs a fresh, policy-valid witness.
  • Deepfakes and push fatigue can’t coerce a proof the verifier will accept without the right context and policy hash.
  • Even if a witness is intercepted, its expiry and scope neuter value.

On the defender side, verification cost must be small, predictable, and hardware-friendly. That’s achievable: deterministic, stateless checks map to constant-time logic, vectorizable equality, and bounded memory. The point isn’t theoretical perfection; it’s practical, global affordability of checking “show me the proof.”

Governance and Law: Security as Duty, Privacy as Right

The legal system already encodes the dependency: GDPR and HIPAA require security controls to make privacy real. A capability regime clarifies accountability:

  • If an entity performed a sensitive operation, there is a witness or there isn’t.
  • If there is, anyone can verify scope, policy, and freshness.
  • If there isn’t, the system failed its own rules.

This reduces breach disclosure from a PR exercise to an evidentiary one, and it improves enforcement because regulators can audit acceptance logic and replay proofs without privileged hooks.

Internationally, the benefits are even larger. Harmonized acceptance rules make cross-border cooperation tractable. Because verification can be offline and open, coordination does not require shared secrets or proprietary APIs.

Objections and Rebuttals

“Isn’t this just another kind of key?” No. Keys are inputs to signatures; they live and die on endpoints. A witness is an output, a proof bound to an operation, a window, and a policy. Verification doesn’t require extracting a long-lived secret from a device. Ephemerality and scoping are not bolt-ons; they are the essence.

“Won’t latency kill UX?” Not if the fabric is designed for local minting and local verification with cheap primitives. The cost of one constant-time acceptance check is dwarfed by TLS handshakes, database round trips, and rendering. The important part: verification is predictable and cache-friendly.

“Complexity migrates to policy; humans still err.” Yes, policy must be human-legible, diff-able, and versioned. That is a feature, not a bug: we want mistakes to be textual and reviewable, not invisible in credential sprawl.

“What about recovery?” Recovery becomes a controlled issuance of new capability minting authority (who can mint which witnesses), not re-seeding a single root secret that unlocks the universe. Finer grain, smaller blast radius.

“Will attackers just pivot to endpoints?” Endpoints always matter. The difference is that an endpoint compromise no longer grants indefinite, system-wide replay power. The window and scope fences turn a catastrophe into a contained incident.

Roadmap: How to Get from Here to There

  1. Define an open acceptance spec A minimal, implementation-agnostic format for witnessed operations: fields, policy hash, freshness data, algorithm identifiers, and an exact acceptance function.

  2. Ship OS-level reference implementations Kernel-mode hooks for capability checks at syscall boundaries and network egress, with user-mode libraries for applications. Default-deny for privileged actions unless a witness is present.

  3. Retrofit critical SaaS and cloud primitives Start with IAM, KMS, CI/CD, and data-plane writes. Make witnessed operations first-class citizens alongside (and quickly in place of) long-lived credentials.

  4. Instrument audits and logs Every accepted operation leaves a verifiable trail: policy used, window, and a commitment to the witness (the witness itself may remain private depending on design).

  5. Migrate agents and service accounts first They’re the biggest blast radius today. Scope them down with capabilities that expire quickly; prove the safety case with hard metrics: fewer successful escalations, shorter dwell times, cheaper IR.

  6. Harden high-stakes domains Elections and banking can demonstrate public benefit and cut systemic risk. Offer public-good deployments where society’s ROI is obvious and immediate.

  7. Education and UX Replace “enter your password” with “approve this action.” Make the mental model tangible: users grant a ticket for a thing that expires soon. Agents request narrowly and disclose scope.

Metrics That Matter

  • Replay success rate before/after: how often does a captured artifact work later? The target is asymptotically zero.
  • Median incident dwell time: witnesses should shorten detection and containment because unauthorized actions lack proofs.
  • Policy drift incidents: measure and reduce privilege creep by anchoring to witnessed scopes.
  • Fraud and chargeback rates: capability significance should be visible in finance risk curves.
  • User friction: time-to-approve and frequency of approvals. Good design keeps cognitive load low while eliminating “password thinking.”

Why This Is a Moonshot Worth Taking

The transformation at stake is not cosmetic. It rewires the contract of digital life:

  • From belief to verification: “We think this user is Alice” becomes “Here is the proof that this action was allowed at this time under this policy.”
  • From secrets to transcripts: incidents become forensic questions with deterministic answers, not debates.
  • From brittle identity to robust capability: the value of stealing your “identity” drops because identity is no longer a skeleton key; it’s a ledger of narrow, expiring powers.

The downstream effects are civilizational: a press environment with reliable provenance; elections where eligibility claims are checkable; financial rails where fraud is exceptional instead of ambient; agent ecosystems where autonomy scales without surrendering control; and a privacy regime grounded in proofs rather than promises.

A Note on ENI6MA as One Path

The ENI6MA (Rosario–Wang) approach operationalizes many of the properties argued here: stateless, offline-verifiable witnesses; ephemeral windows; policy-bound acceptance; human/agent symmetry. It is not the only path, and the argument in this essay does not hinge on exclusive adoption. But it is a concrete proof that the shift from credentials to capabilities can be engineered with performance and auditability at the forefront.

The programmatic plan embedded in that approach makes pragmatic sense:

  • Public goods free (elections, child safety): legitimacy and trust gains justify subsidization.
  • Commercial domains paid (tax, banks): risk-reduction value is quantifiable and financeable.
  • OS integration: push the pattern where it changes defaults, not where it adds optional complexity.
  • Journalism and provenance: move the cost of forgery upstream.
  • Autonomous agents: encode least privilege and short half-lives by default.

These aren’t marketing claims. They are deployment choices aimed at maximum surface-area impact.

Conclusion: Choose Proof

We are living through the end of the credential century. Everything we prize in digital society, self-expression without fear, association without coercion, trade without fraud, governance without gaslighting, depends on trust that can be checked rather than assumed. Credentials got us online; capabilities will keep us human.

To the technical public, engineers, SREs, CISOs, product leaders, architects, the case is not moralizing; it is architectural. Stop shipping cloneable authority. Start shipping witnessed operations with deterministic acceptance. Bind every sensitive action to a proof that expires. Put the acceptance logic where it can be audited by anyone and exploited by no one.

To policymakers and regulators: align law with this operational reality. Treat privacy as a right, and security as the duty that makes it real. Measure what matters: replay rates, incident dwell, provenance coverage, scope drift.

To the rest of us: demand the upgrade. Ask your bank whether transfers carry proofs. Ask your platform whether content can be authenticated. Ask your operating system whether it will run agents that can act only inside narrow, time-scoped permissions. Ask your vendors whether they can show proofs or only logs.

The path is clear. The benefits are extraordinary. The cost of delay is compounding harm. Let’s fix cybersecurity for real, by replacing credentials with verifiable capabilities, and in doing so, restore the trust our digital civilization requires to thrive.

Share: