Amid privacy and security failures, digital IDs advance
Blockchain-based digital wallets could give owners control over their digital identity in a way that would eliminate the business silo systems of today
6 January 2020 | 0
Frustration over a growing number of privacy and security failures in recent years is driving the creation of digital identities controlled only by those whose information they contain.
Known as ‘self-sovereign identities,’ the digital IDs will be used by consumers, businesses, their workers and governments over the next few years to verify everything from credit worthiness and college diplomas to licenses and business-to-business credentials.
“We are slowly graduating from crawling to walking. It takes one to two years ’til we have reliable capabilities to spark meaningful decentralised identity adoption,” said Homan Farahmand, a senior research director at Gartner. “A major non-technical hurdle is for organisations to learn the concept and take the necessary steps to appropriately adapt their business processes to decentralised identity ecosystems.”
A growing number of organisations is looking to better understand decentralised identity technology, which is predicated on blockchain electronic ledgers. Currently, there are more proof-of-concept projects than production systems involving a small number of organisations. The pilots, being trailed in government, financial services, insurance, healthcare, energy and manufacturing, do not yet amount to an entire ecosystem, according to Farahmand.
“While these projects help identify gaps such as governance, user experience, standardisation and interoperability issues, none of them [rise to the level of] a practical decentralised ecosystem to bootstrap pervasive adoption at this point,” Farahmand said.
What is a self-sovereign identity?
Self-sovereign identity envisions consumers and businesses eventually taking control of their identifying information on electronic devices and online, enabling them to provide validation of credentials without relying on a central repository, as is done now. Self-sovereign identity technology also takes the reins away from the centralised ID repositories held by the social networks, banking institutions and government agencies.
A person’s credentials would be held in an encrypted digital wallet for documenting trusted relationships with the government, banks, employers, schools and other institutions. But it is important to note that self-sovereign ID systems are not self-certifying. The onus on whom to trust depends on the other party. Whoever you present your digital ID to has to decide whether the credentials in it are acceptable.
“For example, If I apply for a job…, and they require me to prove I graduated from a specific school and need to see my diploma, I can present that in digital form.” said Ali. “And, most likely that credential would have to be cryptographically signed by the school that issued it. So the relying party – my place of work – would have to decide when I present the credential if the signing key is something they trust.”
For example, a place of employment could issue an electronic confirmation or ‘credential’ that could be stored in that employee’s digital wallet saying you work for the XYZ Company. Even something as simple as a health club membership verification could be added to a user’s wallet and presented through a mobile app.
For consumers who are mindful of their online information – credit card numbers, date of birth, annual income, etc. – a blockchain-based network means the user controls who can see their data or get purchasing approval without releasing details such as their annual income or their age and address.
For businesses such as banks, rules such as know-your-customer (KYC) regulations make blockchain-based digital identities attractive.
How a self-sovereign ID works
Self-sovereign identities can work like this: the user has a bank confirm a credit limit or an employer confirm annual income; that confirmation information is encrypted, but available, on a public blockchain ledger to which the consumer holds the private and public cryptographic keys.
A consumer who wants a car loan from an auto dealership, for example, can give the dealer permission through a public key to confirm that he or she has enough credit or annual income to buy a vehicle – without revealing an exact dollar amount. So, for example, if the dealer wants to ensure a consumer earns more than $50,000 a year, that is all the blockchain ledger will confirm (not that the person actually earns, say, $72,587 or some other exact figure).
The confidentiality technique is known as zero-knowledge proof (ZKP), a cryptography technology that allows a user to prove that funds, assets or identifying information exist without revealing the details behind it.
Who’s leading the charge?
Self-sovereign identities extend to businesses or other organisations that want to be able to verify – or be verified – for transactions with other businesses or government agencies. For example, Ernst & Young has created a public blockchain that lets companies use ZKPs to complete business transactions confidentially without exposing sensitive business data.
In another example, CULedger, a cooperative owned by dozens of credit unions for the purpose of providing back-office services, worked with blockchain company R3 to create a distributed identity management platform called My CUID. After a pilot ended in December, they launched a proof-of-concept (PoC) that acts as an settlement rail for cross-border customer payments.
The blockchain-based settlement system also acts as a distributed identity platform, enabling users to be verified by their credit union and then take their digital ID with them for use in cross-border payments, no matter what country they are in or what financial institutions are involved. In essence, My CUID is meant to be agnostic as to the settlement system used.
“So, the PoC they developed was built to use the SWIFT payment rail, but they can use whatever rail they want, and it can even use a cryptocurrency to settle [a financial transaction] if they need it to,” said Abbas Ali, R3’s head of identity management.
R3, created five years ago by a consortium of leading financial services firms, heads up a group of more than 300 companies working to build distributed applications on top of Corda, their blockchain platform. Third parties can develop dApps (known as CorDapps), for use on the Corda platform in any number of industries, including financial services, insurance and healthcare.
“In simple terms, you can think of the [blockchain] platform kind of like the operating system. It provides all parts of identity on the network; it provides a protocol for participants to communicate with each other, but that’s as far as it goes. Any specific use case or business application on top of that would be based in the form of a CorDapp,” Ali said.
“At the application level, we have a lot of partners developing identity access management solutions using what’s called decentralised identity [DiD],” he added.
Credit unions are in the thick of it
CULedger’s My CUID eliminates the need for usernames and passwords and relieves credit union call centres from the obligation of resetting them when a customer loses them. The digital identity, which is encrypted using a public key infrastructure (PKI), is controlled solely by the credit union customer.
My CUID differs from modern payment rail systems in that a user’s identity is attached to every transaction they make. Current systems, such as SWIFT’s settlement rail, do not send the user’s identity with a wire transfer; it remains separate from the wire instructions, meaning only the bank sending the money knows who is sending it.
“The advantage is for the receiving party,” Ali said. “For them, this is just one example of the use case they developed this PoC for, but they have a bigger vision. They want people to have flexibility to move between different providers. You have an identity on your phone or, let’s say your credit union-issued application…. [If] you decide to transfer to a new state or country or change credit union provider, you can take that identity with you. That’s the bigger use case there.”
The financial services industry as a whole is focused on developing decentralised identity systems that would eliminate today’s method of identifying users by keeping their information in siloes controlled by one company or a federation of partner companies, Ali said.
Key to a DID is that no one entity or person verifies a business’s or person’s identity. The onus for identification verification is on the relying party.
“Whoever you present your digital identity to has to decide if the proofs you’re presenting through the wallet are acceptable,” Ali said. “What’s most important isn’t what you say about yourself but what a trusted organisation says about you.”
That means a bank, government, healthcare organisation or any other entity verifying information about a self-sovereign identity user becomes responsible for ensuring the info can be trusted.
Self-sovereign academic credentials
For example, in 2017, MIT began piloting Blockcerts, a blockchain-based network and application for storing and sharing academic credentials. MIT worked with Digital ID company Learning Machine to develop the application.
Today, Blockcerts is up and running and used by 69% of graduates. In the last graduating class of 3,718 students, 2,561 opted to have their diplomas digitised and made available through the blockchain-based application, according to Mary Callahan, MIT’s registrar.
Blockcerts creates a single digital identity wallet a graduate can present through a link to would-be employers or other schools to verify academic achievements.
“As you might imagine, having… a piece of paper that indicates you graduated is a valuable commodity in the world. So fraud was an issue,” Callahan said. “There’s also the opportunity to really recognise a student’s lifelong learning. For our students, this is one stop along their learning trajectory. They may be obtaining certificates, badges, master’s degrees, PhDs, and this can put them all together in one simple portfolio of their credentials.”
MIT has aggressively marketed Blockcerts to students through the school’s newspaper, display boards and the administrators of various academic departments – an effort that lead to a doubling of its uptake over the past year, according to Peter Hayes, assistant registrar at MIT.
“One thing we’re doing in terms of outreach now is working with the career services office to raise the profile for potential employers. They host career fairs with 400 to 500 employers on campus,” Hayes said.
Last year alone, the Blockcert application was used 4,124 times to verify graduate credentials, Hayes said. “So, while students haven’t given us direct feedback, we can see … numbers [that] indicate they are using it,” he said.
The movement is real
The self-sovereign identity movement spans industries, according to Gartner.
Examples of efforts to create DID infrastructures include:
- Awareness through influential non-profit organisations such as the United Nations and World Economic Forum;
- Rethinking current identification methods such as efforts by the Global Legal Entity Identifier Foundation (GLEIF) or Canada’s development of a Verifiable Organisation Network (VON);
- Public sector initiatives such as the EU’s eIDAS (Electronic Identification, Authentication and Trust Services) or Canada’s PCFT (Pan-Canadian Trust Framework);
- Major vendors and identity providers entering the decentralised identity market;
- Decentralised identity and verifiable claims standardisation by W3C;
- Progress in open-source projects such as Hyperledger Indy, Hyperledger Aries, Ursa and the Decentralised Identity Foundation (DIF);
- Grassroot efforts in identity communities such as Internet Identity Workshop (IIW) or Open Identity Exchange (OIX);
- Identity requirements are being considered as the foundation of digital initiatives such as smart cities or efforts by MOBI to standardise vehicle identity.
A growing number of start-ups and traditional identity and security vendors are also entering the decentralised identity market directly or indirectly, according to Gartner’s Farahmand.
For decentralised identity and verifiable claim exchanges to become ubiquitous, however, there needs to be industry standardisation, interoperability, and autonomous operation by pushing some legal agreements and policies into the decentralised protocols (e.g. smart contracts).
“That’s where we hope to see more collaboration between decentralised identity and blockchain communities to leverage smart contracts and initiatives such as [the] Accord project,” Farahmand said. (The Accord project an ongoing effort to make it easier for anyone to build smart contracts and documents on a neutral platform.)
Decentralised identity and verifiable claim exchanges are key to enabling functions such as user authentication, digital signature, consent and verifiable claims, according to Farahmand. “While we observe implementation of all these use cases for consumers, workforce and business-to-business scenarios, verifiable claim exchange is by far the most impactful because it can disrupt the way we exchange identity data,” he said.
A verifiable claim exchange could be relevant across many industries such as finance, healthcare, education, retail, professional services and even IoT.
R3’s Ali agreed, saying it will take a greater standards effort to advance a global decentralised identity network.
“You need to remove one of biggest hurdles, which is lack of interoperability,” Ali said. “You need interoperability, because we don’t believe one blockchain can rule them all.”
IDG News Service