Blockchain for Identity?
“Your identity is like your shadow: not always visible and yet always present.” — Fausto Cercignani
What Is Identity Management?
Identity management is the framework of processes, policies, and technologies to ensure that only authorized people have access to technology resources, information, or services. Identity and access management systems are continuously evolving to improve security and the user experience.
Problems With Current Digital Identity Management Systems
One of the key enablers for today’s digital economy is identity. Both businesses and users are becoming increasingly frustrated by the convoluted methods they are forced to use to interact with each other. Let us review some of the major issues.
Issue 1: Identity Sprawl and Privacy
There isn’t currently a universally accepted digital equivalent of the user’s offline identity such as a passport or a driver’s license. Users are issued a unique digital identity for each application they use on the Internet. This is difficult and counterproductive for users because they now have to remember all their usernames and passwords. Multiple credentials expose the user to a variety of security issues.
Federation has solved this problem to an extent by allowing the transfer of a user identity from one domain to another transparently. For the end user, it typically means that they can access online services seamlessly using an existing or valid session with an Identity Provider (IdP).
More recently, large social media companies such as Facebook have helped establish the concept of a social identity for users that can be leveraged as an alternative for some use cases. Some countries such as Estonia and Singapore are issuing digital identities so that citizens can safely identify themselves when they want to use e-services.
Issue 2: Attribute Drift and Sync
A digital identity is a set of claims made by one digital subject about itself or other digital subjects. For example, John Smith, an individual with an identity, may have attributes such as gender, height, weight, mailing address, email address, date of birth, place of birth, citizenship, driver’s license number, etc. Some of these attributes will be unique identifiers (e.g. email address, SSN, passport number, etc.) because they are uniquely associated with John’s identity.
It is worth pointing out that some identifiers can be permanent for life (e.g. SSN). Some are long lived (e.g. driver’s license number, passport number). But, many identifiers can be reassigned (e.g. cell phone numbers) and therefore it is possible that the same identifier is associated with another identity at different times. With the duplication of identities for every entity, both users and businesses are burdened with having to keep the attributes and identifiers in sync across the silos every time there is a change.
Issue 3: Inconsistent Security Posture
Users have no guarantees that the identities issued are adequately secured by the institutions issuing them. Since these have tangible value, they are a juicy target for hackers and can result in identity theft (see below).
Issue 4: Identity Theft
In the offline world, identity documents are issued by trusted entities that design and keep updating them in a manner to deter forgery and counterfeiting. For example, your driver’s license is strongly linked only to you (e.g. with a picture, a fingerprint and a number of anti-forgery mechanisms visibly embedded in it). Therefore, if it is stolen, it is of limited value. In contrast, in the digital world, identity theft is a major concern for users. In most cases, neither the user nor the entity has any idea that the user’s digital identity has been stolen and is being actively used by the fraudster.
Issue 5: Regulations
The government holds financial institutions to high standards when it comes to “Know Your Customer” (KYC) laws. These were introduced in 2001 as part of the Patriot Act. The core idea here is that they need to know their customer (i.e. verify their identity, make sure they are real, ensure they are not on a prohibited list, and keep money laundering, terrorism financing and fraud schemes at bay).
These help establish and verify the identity of the customer by using reliable and independent data or sources of information. On the flip side, these processes can be extremely manual, cumbersome and expensive for the entities involved. It is reported that the average institution spends in the region of $60M every year ensuring adherence to these checks.
Key Features of a Blockchain
A blockchain is a system of recording information on a shared database where every computer in the blockchain network has a copy of the digital ledger of transactions. A ledger is a digital record of bookkeeping entries. Blockchain makes it very difficult for someone to change, hack, or cheat the system because records can’t be changed retroactively without changing the subsequent blocks of information.
These are the key advantages of blockchain technology:
Decentralized, shared database (distributed ledger)
Unlike a centralized system where only one or a limited group of people can see, alter, and access records of information, with blockchain technology, every computer in the network has a copy of the ledger.
To add a transaction, every computer needs to check its validity. When there’s a majority that thinks the transaction is valid, it is added to the ledger which creates more transparency and makes this record-keeping system corruption-free. Without the consent from the majority of computers, no one can add any transaction blocks to the ledger. Decentralized data storage also means there will be no single point of failure.
Tamper-resistant
Once the transaction blocks get added to the ledger, information on the blockchain can’t be changed, backdated, or altered by anyone, which creates a permanent, unalterable record. This maintains the integrity and accuracy of the data while establishing and sustaining trust between stakeholders.
Highly secure
The blockchain system processes and stores transactions with the use of cryptography, an area of computer science that focuses on transforming data so that it can’t be accessed by unauthorized users. Personally identifiable information and credential details are not stored on the blockchain itself. Rather, the issuer’s public cryptographic key is stored on the blockchain so that anyone can verify if a Verifiable Credential was really issued by them.
Transparent and auditable data
Everyone in the blockchain network can trace the recorded transactions and the data is verified. There is an auditable trail of data.
Enables privacy and consent
There is growing regulation around the world to provide more privacy protection for citizens, including the rule that data can’t be shared without a user’s explicit consent. Using an identity management system that leverages blockchain tech, only the users store their data and only they can decide whether to share it or not. Also, blockchain technology can enable data to be verified without necessarily revealing personally identifiable details or more information than is necessary for a purpose. For example, someone could confirm they are over 19 years old without revealing their birth date.
Consensus maintains identity data integrity
A blockchain uses consensus mechanisms to help keep inaccurate or potentially fraudulent information transactions off the blockchain. Consensus mechanisms are the systems of agreement that determine the validity of transactions and governance of the blockchain.
Decentralized Identifiers (DIDs)
Currently we dominantly use emails, passwords, usernames and other information to authenticate our identity online. But these are the downsides of logging in with these kinds of digital identifiers:
They can be taken away at any time by the provider, removing your access to their services, site, or app.
You don’t own and control these identifiers. Your information associated with them can be shared with other parties without your knowledge and used to track you online to show you ads.
They are often stored on centralized systems that can be vulnerable to data breaches and cyber attacks.
A solution to these problems is the use of decentralized identifiers (DIDs) to log in and access websites, apps, and services. A decentralized identifier is a globally unique identifier made up of a string of letters and numbers that is stored and managed in a digital wallet. DIDs can be assigned to a person, company, or object.
Benefits of Decentralized Identifiers
Organizations and individuals have full control and ownership over their DIDs, and no party can take them away
They enable the owner to prove cryptographic control of them
They don’t contain personal data or wallet information
They enable private and secure connections between two parties and can be verified anywhere at any time
Someone can create as many DIDs as they want for different relationships and interactions.
Examples:
DID 1: For a gaming platform
DID 2: Online banking
DID 3: Identity cards
DID 4: Ordering on online stores
Verifiable Credentials (VCs)
Verifiable Credentials are a digital, cryptographically secured version of both paper and digital credentials that people can present to organizations that need them for verification. Identity documents like passports, IDs issued by the government, and driver’s licenses can be issued as Verifiable Credentials.
Each DID can have multiple Verifiable Credentials associated with it that are digitally (cryptographically) signed by their issuers, such as a government driver’s licensing department. DID owners store the credentials themselves on their phones and don’t have to rely on a single provider like Facebook or Google.
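The issue-hold-verify model described above (issuer key on the ledger, credential in the holder's wallet, minimal disclosure such as "over 19" without a birth date), as an added example that is not part of the original article or any DID/VC library: the `Ledger` map stands in for the blockchain, the DIDs are constructed placeholders, and Ed25519 from Go's standard library plays the issuer's signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Ledger stands in for the blockchain: it maps an issuer DID to that issuer's
// public key. No personal data lives here, only keys (constructed stand-in).
type Ledger map[string]ed25519.PublicKey

// Credential is a minimal Verifiable Credential: claims signed by the issuer
// and held by the subject in their own wallet, never written to the ledger.
type Credential struct {
	Issuer    string            `json:"issuer"`
	Subject   string            `json:"subject"`
	Claims    map[string]string `json:"claims"`
	Signature []byte            `json:"signature"`
}

// payload is the canonical byte string the signature covers (json.Marshal
// sorts map keys, so the encoding is deterministic).
func (c Credential) payload() []byte {
	b, _ := json.Marshal(struct {
		Issuer  string            `json:"issuer"`
		Subject string            `json:"subject"`
		Claims  map[string]string `json:"claims"`
	}{c.Issuer, c.Subject, c.Claims})
	return b
}

// Issue signs a set of claims about subjectDID with the issuer's private key.
func Issue(issuerDID, subjectDID string, claims map[string]string, priv ed25519.PrivateKey) Credential {
	c := Credential{Issuer: issuerDID, Subject: subjectDID, Claims: claims}
	c.Signature = ed25519.Sign(priv, c.payload())
	return c
}

// Verify resolves the issuer DID on the ledger and checks the signature, so a
// credential that was altered, or signed by a key the ledger does not hold
// for that DID, is rejected without the verifier ever seeing the birth date.
func Verify(l Ledger, c Credential) error {
	pub, ok := l[c.Issuer]
	if !ok {
		return errors.New("issuer DID not found on ledger")
	}
	if !ed25519.Verify(pub, c.payload(), c.Signature) {
		return errors.New("signature invalid: credential altered or not issued by this DID")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ledger := Ledger{"did:example:dmv": pub} // constructed issuer DID
	// Only the derived claim is disclosed, not the date of birth it came from.
	vc := Issue("did:example:dmv", "did:example:alice", map[string]string{"over19": "true"}, priv)
	fmt.Println("original:", Verify(ledger, vc))
	vc.Claims["over19"] = "false" // holder tampers with the claim
	fmt.Println("tampered:", Verify(ledger, vc))
}
```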