As our social systems evolve, the way we identify ourselves adjusts to match the increasing demands those changes impose on our personal lives. When communities were small, and travel and interaction between communities were nascent, people could be identified simply by their first names and their relationship to their family. In fact, many last names have historical roots in this relationship; for example, Johnson means the “son of John”. Such identification was sufficient.
As societies grew in numbers and interactions became more complex, other identification attributes were added. For example, one’s place of birth, by city or area, became necessary to identify a person and even helped in de-duplicating individuals with similar names. Over the past one hundred years, other more unique attributes have been attached to identities to better deal with more complex and evolving societal interactions, including government-issued identification numbers, dates of birth, country of birth and even facial images that associate these attributes with a live person. This information has often been documented in physical ID cards such as passports and driver’s licenses. These forms of identification, which are still used today, provide access to services and locations in our physical world, often verified by an individual or agent through visual inspection.
Over the past 40 years, our global societies have evolved beyond the physical world and now spend a considerable amount of time in cyberspace to access services for entertainment, communication, information gathering, e-commerce, banking, business and much more. The new form of identity created for this stage of societal evolution has been the username and password. Nearly every website or mobile application still uses usernames and passwords to authenticate individuals. The inherent weakness of this approach has given rise to various forms of second factor to protect those identities.
However, as we observe the increasing rate of successful hacker attacks, the inevitable question arises of how well digital identities have evolved with the ever-increasing complexity of our digital social systems. The recent breach at Quora, where over 100 million usernames, passwords and other identifying information were stolen, is only the continuation of a trend that has included Reddit, Yahoo!, Equifax, Marriott, Under Armour, Aadhaar, OneLogin, eBay, Uber, JP Morgan and many more. Even federated ID systems like Facebook’s have been hacked, with user login session tokens stolen.
The inherent problem with the evolution of our identities is that we trust and rely on central services such as governments, banks, or other service providers to store and maintain an abstract of our identity. No matter how strong those central services are, a single hack can expose millions of users’ identities. Stealing user identities in the non-digital world of 40 years ago was less scalable and less effective; today, large-scale hacking makes identity theft highly efficient. The loss of a password or the answers to secret questions compromises more than the site that maintained that information: since many users reuse the same password and answers across multiple sites, other non-breached services can also be compromised. Additionally, each attack exposes millions of users’ information, and exploiting that information does not require a physical person to impersonate the user. Machines can take over and access sites on behalf of victims, quickly identifying opportunities for hackers.
Central stores of user identities are inherently open to large scale attacks – this is a structural weakness in the central store approach and not necessarily the fault of services that host those central stores. As John Chambers, Cisco CEO, stated “there are two types of companies: those that have been hacked, and those who don’t know they have been hacked.”
Next Generation Digital Identity
The best way to address a problem is to eliminate it altogether. Electric vehicles eliminated the combustion engine altogether, and with it the maintenance and repair required to operate it, such as oil changes, tune-ups and transmission repairs. They simplified the architecture by replacing the engine with a simpler motor that is immune to many problems inherent in combustion engines. Similarly, the next generation of identity does not patch the existing username-password model maintained on central servers with a Band-Aid such as second factors. It eliminates usernames and passwords completely.
The ubiquitous ownership and use of mobile devices along with Distributed Ledger Technology (DLT – also known as blockchain) enables a new approach to identity where users can own their own identity and all necessary keys to prove their ownership of that ID on their personal phones. It will no longer be necessary for service providers to house authentication codes for users, rendering breaches of their servers useless for identity-theft.
A user’s personally identifiable information (PII), such as their name, date of birth, social security number, passport number, email and phone number, can be kept encrypted on their device. Additionally, a private key and a digital ID that is unique to that user are created and kept on the device. The private key is never shared. Each field of identification can be one-way hashed with a salt (a random number) and digitally signed with the user’s private key. The result can then be hashed and placed on a public DLT. The user can prove ownership of that record on the public DLT by digitally signing a challenge string using the same private key that signed the fields hashed and stored on the DLT. To protect the use of the private key, device access control such as a PIN, Touch ID or equivalent can be required. Third parties with authority, such as a bank, a government agency, or simply a service provider, can verify the identity of the user once. They can then create similar one-way hashes of the user attributes and sign them with their own private keys. The result is then hashed and also placed on the public ledger. These digitally signed one-way hashes are ultimately a certification.
The user can now share one or more attributes with other service providers (or the same one) and have them validate the user’s identity claims against the certifying third party at transaction speed. There are no central databases or service providers to trust or hack. Only the user holding the private key is able to make a claim for their identity. The process is multi-factor and more secure, yet presents a simple interface to the user. With this method, a user can be validated once and verified everywhere.
The records on the DLT are meaningless without the user first providing their information and certifications. The hashes lack any PII, but can be used to prove the authenticity of claims.
Beyond the private key, the user’s biometrics, such as their facial image, can also be hashed, signed and placed on the blockchain. This information can be further utilized to tie a physical person to their device.
With this model, hackers need to breach each phone one at a time rather than mounting a single large-scale attack. The records on the DLT are immutable and always signed by the providing party, which prevents a hacker from modifying or faking them.
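The following Go program is an added illustration of the scheme described in the preceding paragraphs; it is not code from the original post or from ShoCard. It uses Ed25519 and SHA-256 from the Go standard library: the device salts and hashes one identity field and self-signs it, a certifying party (a bank in the sample) signs the same hash with its own key, only a digest of each signed record is published to a ledger, and a later relying service verifies a disclosed field against the certifier’s record and checks key ownership with a signed challenge. The in-memory Ledger type, the sample date of birth and the challenge nonce are constructed for this example and stand in for a real DLT and a real session.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Attestation is a signed, salted one-way hash of one identity field. The user signs one
// with the device key; a certifier (bank, agency) signs another with its own key.
type Attestation struct {
	FieldHash []byte            // SHA-256(value || salt)
	Signature []byte            // Ed25519 signature over FieldHash
	Signer    ed25519.PublicKey // key that produced Signature
}

// Ledger is a constructed stand-in for the public DLT: an append-only set of digests.
// LedgerID hashes the whole signed record, so the ledger never sees PII or plaintext.
type Ledger struct{ records map[string]bool }

func NewLedger() *Ledger { return &Ledger{records: map[string]bool{}} }

func LedgerID(rec *Attestation) string {
	h := sha256.New()
	h.Write(rec.FieldHash)
	h.Write(rec.Signature)
	h.Write(rec.Signer)
	return fmt.Sprintf("%x", h.Sum(nil))
}

func (l *Ledger) Publish(rec *Attestation) string {
	id := LedgerID(rec)
	l.records[id] = true
	return id
}
func (l *Ledger) Has(rec *Attestation) bool { return l.records[LedgerID(rec)] }

// NewSalt draws a random salt that stays on the device beside the plaintext.
func NewSalt() []byte {
	s := make([]byte, 16)
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	return s
}

// HashField is the one-way hash of a PII value with its salt; without the salt, a
// low-entropy field such as a date of birth could be guessed from its hash.
func HashField(value string, salt []byte) []byte {
	h := sha256.Sum256(append([]byte(value), salt...))
	return h[:]
}

// Attest signs a field hash; the same routine serves the user and a certifier.
func Attest(priv ed25519.PrivateKey, fieldHash []byte) *Attestation {
	pub := priv.Public().(ed25519.PublicKey)
	return &Attestation{FieldHash: fieldHash, Signature: ed25519.Sign(priv, fieldHash), Signer: pub}
}

// VerifyClaim is run by a relying service when the user shares one field: it recomputes
// the hash from the disclosed value and salt, checks the certifier's signature and
// confirms the record is on the ledger, all without contacting the certifier.
func VerifyClaim(l *Ledger, value string, salt []byte, cert *Attestation, certifier ed25519.PublicKey) bool {
	if !bytes.Equal(HashField(value, salt), cert.FieldHash) {
		return false // disclosed value does not match what was certified
	}
	if !bytes.Equal(cert.Signer, certifier) || !ed25519.Verify(certifier, cert.FieldHash, cert.Signature) {
		return false // not signed by the expected certifying authority
	}
	return l.Has(cert) // a record absent from the ledger is not accepted
}

// ProveOwnership answers a verifier's challenge with the device private key.
func ProveOwnership(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// CheckOwnership ties the response to a ledger record: the record must be on the ledger
// and validly self-signed, and the challenge must be signed by that same key.
func CheckOwnership(l *Ledger, self *Attestation, challenge, response []byte) bool {
	if !l.Has(self) || !ed25519.Verify(self.Signer, self.FieldHash, self.Signature) {
		return false
	}
	return ed25519.Verify(self.Signer, challenge, response)
}

func main() {
	_, userPriv, _ := ed25519.GenerateKey(rand.Reader) // device key, never shared
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	ledger, salt := NewLedger(), NewSalt()
	dob := HashField("1990-01-15", salt) // constructed sample date of birth
	self, cert := Attest(userPriv, dob), Attest(bankPriv, dob)
	for _, r := range []*Attestation{self, cert} {
		ledger.Publish(r)
	}
	challenge := []byte("service-nonce-0001") // a real verifier draws this at random per session
	fmt.Println("claim valid:", VerifyClaim(ledger, "1990-01-15", salt, cert, bankPub))
	fmt.Println("owner proven:", CheckOwnership(ledger, self, challenge, ProveOwnership(userPriv, challenge)))
}
```

Two details matter for a deployment of this pattern. The salt has to be random and stay with the plaintext on the device: a date of birth or phone number hashed without one has so little entropy that its digest can be recovered by enumeration. And the verifier must generate a fresh random challenge for every session, since Ed25519 signatures are deterministic and a captured response to a fixed challenge would otherwise be replayable.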
Account Recovery – The Weakest Link in Identity Management
Aside from central storage of usernames and passwords, which is susceptible to hacking, account recovery is perhaps the next weakest link in identity management. Today, hackers often use answers to secret questions or other compromised second factors to recover a user’s account through password resets. In a world where the user’s identity and private key are stored only on their personal device, one has to wonder how a user can recover their identity if they lose their phone.
Blockchain wallets are notorious for this weakness. Many victims who use cryptocurrencies have lost significant virtual funds (that ultimately translate to fiat currency) through loss of their private key without a proper backup or recovery mechanism. If we rely on a DLT-based identity for access to all of our digital world, we do not just keep hackers out; we also risk losing our own access. As users, we must be able to securely recover our private keys and data.
At ShoCard, we have created a patent-pending solution for a dynamic-split-password multi-factor recovery mechanism that does not require a user password and allows an individual to recover encrypted data without exposing the information to either service providers or any man-in-the-middle. Without addressing private-key and data recovery, a DLT identity solution will not scale in adoption.
Changing Old Habits
As is the case in almost any evolution, changing old habits is perhaps the biggest challenge facing adoption of new and improved systems. While it is near-unanimous that usernames and passwords are insecure, painful and disliked by users and service providers alike, there is a reluctance to change and adopt something new. In 1999 and 2000, Bank of America was one of the first banks to provide online bill pay in partnership with Yahoo!. There were numerous advantages for both consumers and the bank, but adoption was slow and most other banks did not follow suit until several years later. Today, one can hardly think of a bank that does not offer online bill pay, and in fact expectations have grown beyond that to mobile check deposits, peer-to-peer payments and much more. Similarly, with DLT-based identity, changing old habits will be one of the greatest challenges, but as initial adoption takes place with key service providers, the benefits and demand will force adoption across the board.
When we first started our company in 2015, the concept of distributed identity using a DLT was non-obvious and of interest only to hard-core blockchain enthusiasts and researchers at large firms. Over the past three years, there have been major changes in understanding and in the desire to adopt DLT-based identity at financial institutions, in healthcare and travel, and even among large platform providers such as Microsoft and IBM. The rate of digital fraud in all sectors is increasing the urgency for new solutions, and growing digital fraud in finance is pushing the likes of MasterCard and other top-tier banks to pursue distributed identity.
These moves are likely to create a coopetition environment where different providers will both cooperate and compete in growth and adoption of this new technology and implementation. It is unlikely that there will be only one solution-provider for all identities and more likely, a cooperative environment will evolve with interoperability between the different DLT-identity providers. This task will be much easier in the new world where users own their own identity on their own devices and are in control of providing permission to share their data without dependency on service-providers.