Proving your identity and stopping others from impersonating you has always been a difficult problem to solve, both online and off.
We haven’t cracked the problem yet. That’s why 6.6% of ID theft in the US last year involved forged government documents, and why passport theft is such a big business. When someone steals the names, addresses, social security numbers and dates of birth of a company’s customers, that’s another sign that we’ve failed at solving this problem. When it happens to a quarter of the adult US population in one go, it’s a massive security issue.
There are emerging signs that one technology might help solve the problem once and for all: the blockchain.
Solving the identity problem
Microsoft and Accenture have addressed the thorny problem of ID management using a prototype blockchain-based system targeting the world’s disenfranchised.
The two companies, both of which have been actively pursuing blockchain tech for a while, unveiled an application using the decentralized ledger technology. It tackles a problem facing over a billion people worldwide which goes far beyond identity theft: they have no documented proof of their existence at all.
Proof of identity is crucial for many people needing to claim basic social services and civil rights. Announced at ID2020’s recent summit, the prototype would enable them to prove their identity using biometric authentication.
You might ask why you couldn’t simply print ID certificates for people, or even get the government to issue them with digital credentials. India did this with its Aadhaar program, a voluntary digital ID system that it rolled out nationwide.
Decentralized blockchain technology addresses a specific issue facing many of the world’s people, though: they don’t want governments knowing everything about them.
In many cases, people may be fleeing oppressive regimes who would love to know their personal details and drag them back for persecution. In fact, safely authenticating refugees to give them safe harbour and social services was one use case for the ID2020 app.
Blockchains are effectively distributed databases that everyone has access to, preventing bad actors from tampering with the system (and in the case of ID systems, forging credentials). In a blockchain, everyone’s data is encrypted in a distributed, shared ledger, and no central authority has the key.
The Microsoft-Accenture project isn’t the only blockchain-based initiative intended to change the way we think about identity. In early May, Hyperledger (the Linux Foundation’s project to create a standard reference blockchain implementation) announced its adoption of Project Indy, another initiative to tackle ID with decentralized blockchain tech.
In May at Consensus 2017, a collection of companies including Microsoft formed the Decentralized Identity Foundation (DIF). The idea is to move identity away from a centralized ownership model to a decentralized root of trust.
From then to now
How has digital identity worked in the past, and how will blockchain-based ID be different?
Identity usually consists of two things: an identifier that people can attach to you as a person, and a set of attributes that tell them things about you.
Think of the identifier as your unique serial number. Historically, institutions providing services ranging from ecommerce sites to government agencies have used social security numbers, cellphone numbers or even email addresses as identifiers. These are easily stolen, copied, or spoofed, which means that they are terrible ways to identify someone.
The attributes about you are the qualities that make up your identity in the real world – your name, age, gender, employer, salary, bank account number and so on. Whereas an identifier might identify you, your attributes authenticate you. A bar serving alcohol might need to authenticate your age before it can legally admit you, for example.
Traditionally, the services that we access often store the identifier and the attributes together, which risks them all falling into the wrong hands at once. That’s exactly what happens now on a daily basis. You’ll provide details about yourself to companies that store them poorly and get hacked. Once someone has access to that data, it’s difficult to get it back, and they can use it to access online or offline services as you.
The other problem with centralized identity is that when you let someone control your identifier, you give them a disproportionate amount of control over your ID. When you use your Google or Facebook identity to sign up with services on a regular basis, then that search engine or social media network gets to control how you are verified with everyone else. They may also pick up some handy attributes of yours along the way. In fact, their business depends on it.
How the blockchain handles identity
Blockchain-based systems change the story. They make the identifier more secure by turning it into an encrypted asset. This is usually a digital certificate of some kind that the owner controls via a private/public key pair. Because it’s encrypted, no one can copy or spoof it. Only the owner can unlock it.
Blockchain-based ID also stores personal attributes separately from the identifier. They seem to take a common approach, storing these attributes with a small number of trusted third party institutions.
This third party could be a technical service provider specifically equipped to store them securely. In some cases we’ve heard of, this could even be a regulated entity like a bank or a telco, which has already done the due diligence on you via their know your client (KYC) processes.
If you access a service – anything from a dating site to a digital locker at the gym – it’ll need to check two things: your identifier (to make sure that you are really you) and then some attributes (to make sure it can offer you the service).
You can prove that you own the identifier because only you have control of it.
Then, the service must ask a trusted service provider that stores that information for the attributes, but that can only happen with your permission.
If an ecommerce site wants to get specific information about you, such as your credit card details and address, it would first communicate with you. You might give it permission to digitally get that information from a trusted third party that would send it along.
The benefits of blockchain ID
The upside of this model is that it moves the user to the centre of the picture from the edge. Instead of letting someone like Facebook control your identity, and instead of giving your personal data irretrievably to hundreds of different services that won’t look after them properly, you’re in control.
A system like this makes it possible for you to allow access to some information, but not others. If you’re buying liquor, you could allow the liquor store to validate your legal age, without letting them know anything else about you. Conversely, if you’re applying for a loan, you could allow the loan company access to more information, such as your salary and address.
You could also theoretically revoke this information, telling the trusted party to only make the information available for a couple of minutes – just long enough for a service provider to authenticate you for a service.
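The two checks described earlier (proving control of the identifier, then releasing attributes only with the user's permission) and the selective, time-limited disclosure described here can be sketched without any ledger at all. This is an added example, not code from Microsoft, Accenture, Hyperledger or DIF; the function names, the grant fields and the choice of Ed25519 signatures from Node's built-in `crypto` module are assumptions made for illustration.

```javascript
// Added illustration; all names and sample values are constructed.
const crypto = require('node:crypto');

// The identifier is the public half of a key pair only the user holds.
function newIdentity() {
  return crypto.generateKeyPairSync('ed25519');
}

// Check 1: the service issues a random challenge and the user signs it.
function proveOwnership(privateKey, challenge) {
  return crypto.sign(null, challenge, privateKey);
}
function verifyOwnership(publicKey, challenge, signature) {
  return crypto.verify(null, challenge, publicKey, signature);
}

// Permission: the user signs which service may read which attributes, until when.
function signGrant(privateKey, grant) {
  const payload = Buffer.from(JSON.stringify(grant));
  return { payload, signature: crypto.sign(null, payload, privateKey) };
}

// Check 2: the attribute holder releases only what a valid grant lists.
function releaseAttributes(store, publicKey, signedGrant, requester, nowMs) {
  const { payload, signature } = signedGrant;
  if (!crypto.verify(null, payload, publicKey, signature)) throw new Error('bad signature');
  const grant = JSON.parse(payload.toString('utf8'));
  if (grant.audience !== requester) throw new Error('grant is for another service');
  if (nowMs >= grant.expiresAt) throw new Error('grant expired');
  const released = {};
  for (const name of grant.attributes) {
    if (Object.prototype.hasOwnProperty.call(store, name)) released[name] = store[name];
  }
  return released;
}

// Constructed attribute record held by the trusted third party.
const SAMPLE_STORE = { over21: true, salary: 52000, address: '1 Example Street' };

function demo() {
  const user = newIdentity();
  const challenge = crypto.randomBytes(32);
  const owns = verifyOwnership(user.publicKey, challenge, proveOwnership(user.privateKey, challenge));
  const now = Date.now();
  const grant = signGrant(user.privateKey,
    { audience: 'liquor-store.example', attributes: ['over21'], expiresAt: now + 120000 });
  return { owns, released: releaseAttributes(SAMPLE_STORE, user.publicKey, grant, 'liquor-store.example', now) };
}
console.log(demo());
```

Because the grant is checked against the requesting service and the clock, a copy of it is useless to a different service or after the two-minute window, and any edit to the attribute list invalidates the signature.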
There are challenges, of course. One is security. What happens if the trusted third party is hacked and your attributes stolen? This may be a risk, but it’s far less risky than giving your identity and attributes together as a convenient package for many ill-prepared service providers to mismanage. At least there’s more control this way, and it becomes possible for the trusted third party to encrypt the information, perhaps only unlocking it when you give it permission using your digital key.
The other challenge is interoperability. We’re at the start of the blockchain’s commercial adoption, and there are already many different chains and emerging standards. How can we avoid its fragmentation before it begins?
The interesting part about this is that the parties involved really seem to want to make it interoperable, in a way that hasn’t happened successfully before. Sovrin, which gave Project Indy to Hyperledger, is also involved with DIF, for example. The idea is to have these ID systems function across multiple blockchains.
Like any new technology, the blockchain can sometimes seem like a solution looking for a problem. Marketing types are eager to apply its magical glitter to anything for a sales boost. Digital identity is a real problem in need of a solution, though, and blockchain technology has real promise as a tool for managing it. We’re in the very early days of this, but it’s all very exciting.