How Does Identity Work Today?
Companies often collect sensitive information about their users and store it alongside less-sensitive routine business data. This creates new business risks as user-privacy regulations such as GDPR take hold and the industry's focus shifts to corporate IT responsibility. When these data are relegated to tight-lipped data vaults, they become less useful for driving product improvements and attaining true customer understanding. Only after receiving large fines or developing stronger IT capabilities do many enterprises pursue the expensive and risky projects needed to strike the right balance between data security and business needs.
For IoT Devices
There are about 7 billion internet-connected devices. This number is expected to grow to 10 billion by 2020 and 22 billion by 2025. In a still-nascent industry, most IoT technologies do not incorporate appropriate identity and access management capabilities, not unlike the early Internet, which consisted solely of trusted institutions. Interconnected internet of things (IoT) devices and objects must identify sensors, monitors, and devices, and manage access to sensitive and non-sensitive data in a secure manner. Leading IT vendors have begun to offer IoT management systems to address these service gaps. The scale is daunting: it is not uncommon for a single organization to have tens of thousands of IoT devices, in contrast to the mere dozens or hundreds of traditional servers and user devices. Mismatched standards across devices are a common ailment at such volumes. Security frequently remains an afterthought to the already-taxing implementation of simple management capabilities at scale, as is evident from large-scale IoT hacking emerging as a fashionable topic at top IT security conferences.
Identity is integral to a functioning society and economy. Having a proper way to identify ourselves and our possessions enables us to create thriving societies and global markets. At its most basic level, identity is a collection of claims about a person, place or thing. For people, this usually consists of first and last name, date of birth, nationality, and some form of a national identifier such as passport number, social security number (SSN), driving license, etc. These data points are issued by centralized entities (governments) and are stored in centralized databases (central government servers).
Physical forms of identification aren’t widely available to every human for various reasons. Approximately 1.1 billion people worldwide don’t have a way to claim ownership over their identity. This leaves one-seventh of the world’s population in a vulnerable state – unable to vote in elections, own property, open a bank account, or find employment. The inability to attain identification documentation jeopardizes a person’s access to the financial system and in turn, limits their freedom.
Citizens with officially recognized forms of identification continue to lack complete ownership and control over their identities. They have a fragmented online identification experience and unknowingly lose the value that their data generates. Companies holding their data are subjected to frequent hacks, which forces a lifetime of fraud mitigation for the end-user. Once a social security number is issued and lost, there is little to no recourse.
Why do we need Blockchain for Identity?
Blockchain identity management systems could be used to eradicate current identity issues such as:
- Data insecurity
- Fraudulent identities
Approximately 1.1 billion people around the world have no proof of identity, and 45% of those without an identity are among the poorest 20% on the planet. Cumbersome identification paperwork processes, expenses, lack of access, and the simple lack of knowledge around personal identity are the primary roadblocks that keep over a billion individuals outside of traditional identification systems. Without a physical identity, one cannot enroll in school, apply for jobs, get a passport, or access many governmental services. Having an identity is crucial to gaining access to the existing financial system. At the same time, 60% of the 2.7 billion unbanked people already own mobile phones, which paves the way for blockchain-based mobile identity solutions that better suit the needs of vulnerable citizens.
At present, we store our most valuable identification information in centralized government databases supported by legacy software that operates with numerous single points of failure. Large, centralized systems containing the personally identifiable information (PII) of millions of user accounts are incredibly appealing to hackers. A recent study shows that personally identifiable information is the most targeted data for breaches, comprising 97% of all breaches in 2018. Despite regulatory legislation and enterprise efforts to increase cybersecurity, 2.8 billion consumer data records were exposed at an estimated cost of more than $654 billion in 2018.
Additionally, the user's experience of the digital identity landscape is exceptionally fragmented. Users juggle various identities associated with their usernames across different websites. There is no standardized way to use the data generated by one platform on another platform. Furthermore, the weak link between digital and offline identities makes it relatively easy to create fake identities. Fake identities create fertile ground for the phenomenon of counterfeit interaction, which can help in the perpetration of fraud and lead to inflated numbers and lost revenue. In society, this vulnerability facilitates the creation and dissemination of evils like “fake news,” which poses a potential threat to democracy.
Due to the increasing sophistication of smartphones, advances in cryptography and the advent of blockchain technology, we have the tools to build new identity management systems; digital identity frameworks based upon the concept of decentralized identifiers (DIDs) – potentially including a new subset of decentralized identities known as self-sovereign identity (SSI).
How do Decentralized Digital Identities Work on Ethereum?
Blockchain technology allows for users to create and manage digital identities through the combination of the following components:
- Decentralized identifiers
- Identity management
- Embedded encryption
What is Digital Identity?
A digital identity arises organically from the use of personal information on the web and from the shadow data created by an individual's actions online. A digital identity may be a pseudonymous profile linked to the device's IP address, for example a randomly generated unique ID. Data points that can help form a digital identity include usernames and passwords, driver's license number, online purchasing history, date of birth, online search activities, medical history, etc. Biometric, behavioral, and biographic data are the modalities that make up a person's identity.
How is Digital Identity Created?
In one example, users sign up to a self-sovereign identity and data platform to create and register a DID. During this process, the user creates a pair of private and public keys. Public keys associated with a DID can be stored on-chain, so that they can be replaced if keys are compromised or rotated for security reasons. Additional data associated with a DID, such as attestations, can be anchored on-chain, but the full data itself should not be stored on-chain, to maintain scalability and compliance with privacy regulations.
What is a Decentralized Identifier?
A decentralized identifier (DID) is a pseudonymous identifier for a person, company, object, etc. Each DID is secured by a private key. Only the private key owner can prove that they own or control their identity. One person can have many DIDs, which limits the extent to which they can be tracked across the multiple activities in their life. For example, a person could have one DID associated with a gaming platform, and another, entirely separate DID associated with their credit reporting platform.
Each DID is often associated with a series of attestations (verifiable credentials) issued by other DIDs that attest to specific characteristics of that DID (e.g., location, age, diplomas, payslips). These credentials are cryptographically signed by their issuers, which allows DID owners to store these credentials themselves instead of relying on a single profile provider (e.g., Google, Facebook). In addition, non-attested data such as browsing histories or social media posts can also be associated with DIDs by the owner or controllers of that data, depending on context and intended use.
How are decentralized identities secured?
A key element of securing decentralized identities is cryptography. In public-key cryptography, private keys are known only to the owner, while public keys are disseminated widely. This pairing accomplishes two functions. The first is authentication, where the public key verifies that a holder of the paired private key sent the message. The second is encryption, where only the paired private key holder can decrypt a message encrypted with the public key.
How are decentralized identities used?
Once paired with a decentralized identity, users can present the verified identifier in the form of a QR code to prove their identity and access certain services. The service provider verifies the identity by verifying the proof of control or ownership of the presented attestation: the attestation had been associated with a DID, and the user signs the presentation with the private key belonging to that DID. If the signature verifies against that DID's public key, access is granted.
What Are the Use Cases of Blockchain in Identity Management?
Decentralized and digital identification can be used in many ways. Here are some of the top use cases that ConsenSys has identified:
- Self-sovereign identity
- Data Monetization
- Data Portability
What is Self-Sovereign Identity?
Self-sovereign identity (SSI) is the concept that people and businesses can store their own identity data on their own devices, choosing which pieces of information to share with validators without relying on a central repository of identity data. These identities could be created independently of nation-states, corporations, or global organizations.
What is Data Monetization?
As the world begins to examine who owns and should profit from user-generated data, blockchain-based self-sovereign identities and decentralized models give users control and carve a path to data monetization.
Data monetization refers to using personal data for quantifiable economic benefit. Data on its own has value, but insights derived from personally identifiable data substantially increase the value of the underlying data. Quintillions of bytes of data are created each day by 4.39 billion internet users. Over 60% of the global GDP is expected to be digitized by 2022, meaning personal data will continue to increase in value.
Currently, the online data that we generate is intangible, invisible, and complex. Attribution is critical to ownership, and SSI makes it possible to attribute your online data to your DID. From there, individuals could monetize their personal data, for example by renting it to AI training algorithms or choosing to sell it to advertisers. Users would also have the option to keep their data hidden and protected from corporations or governments.
What is Data Portability?
Article 20 of the European Union General Data Protection Regulation (EU GDPR) grants users the right to data portability, which pertains to the data subject's right to have their personal data transmitted directly from one controller to another, where technically feasible. This right has the potential to enhance user experience by cutting down on the need to re-verify identity across various services and platforms. With DIDs and verifiable credentials, it is possible to migrate identities anchored on one target system to another with ease. Data portability reduces friction for the user while simplifying the sign-up process, which increases user adoption. DID data portability also allows for reusable credentials, where users can quickly re-verify themselves while meeting regulatory Know Your Customer (KYC) requirements. This is especially useful in the financial sector, where it reduces customer onboarding time, lowers drop-out rates and cuts costs by skipping the cumbersome identity verification process in which many documents usually need to be provided and checked.
How does blockchain enable increased economic contribution?
Digital ID is expected to contribute greatly to economic growth worldwide over the next 10 years, and it is considered inclusive since it benefits individuals largely while stimulating economic activity for the global market. For example, a McKinsey study reveals that reaching the unbanked population in ASEAN could increase the economic contribution of the region from $17 billion to $52 billion by 2030.
Additionally, the reported value attributed to digital identities is estimated to expand by 22% yearly, with economic benefits of close to €330 billion for European businesses and governments by 2020, and nearly twice as much value for consumers – €670 billion. Decentralized identity models give users the chance to unlock this value, which will, in turn, grow the global economy.
What Are the Benefits of Decentralized Identity?
Regulations such as the EU General Data Protection Regulation (EU GDPR) strengthen identity standards and call for modern identity solutions. Governments look towards distributed ledger technology to bestow identities on the unidentified and to protect citizens' personally identifiable information.
Blockchain technology offers the following benefits:
- Decentralized Public Key Infrastructure (DPKI)
- Decentralized Storage
- Manageability and Control
Decentralized Public Key Infrastructure (DPKI)
DPKI is the core of decentralized identity. Blockchain enables DPKI by creating a tamper-proof and trusted medium for distributing the asymmetric verification and encryption keys of identity holders: everyone can create or anchor cryptographic keys on the blockchain in a tamper-proof and chronologically ordered way. These keys allow others to verify digital signatures, or to encrypt data to the respective identity holder. Before DPKI, everyone had to buy or obtain digital certificates from traditional certificate authorities (CAs). Thanks to blockchain technology, there is no need for a centralized CA anymore. In turn, DPKI is an enabler for many use cases, namely verifiable credentials (VCs); many people today use that term to refer to digital credentials that come with such cryptographic proofs.
Decentralized Storage
Identities anchored on blockchains are inherently safer than identities stored on centralized servers. By using the cryptographically secure Ethereum blockchain, in combination with distributed data storage systems like the InterPlanetary File System (IPFS) or OrbitDB, it’s possible to disintermediate existing centralized data storage systems while still maintaining trust and data integrity. Decentralized storage solutions, which are tamper-proof by design, reduce an entity’s ability to gain unauthorized data access in order to exploit or monetize an individual’s confidential information.
Decentralized storage is one of the core components of secure identity data management. In a decentralized framework, credentials are usually stored directly on the user’s device (e.g., smartphone, laptop) or securely held by private identity stores.
Such private identity stores are referred to as identity hubs; examples include uPort’s TrustGraph and 3Box. When solely under the control of the user, identities are considered self-sovereign. This, in turn, means the user fully controls access to the data without having to worry about that access being revoked. Data under the user’s control is more interoperable, allowing the user to employ it on multiple platforms, use it for different purposes, and avoid being locked into one platform.
Manageability and Control
In centralized identity systems, the entity providing the identity is generally responsible for the security of the identity data. In a decentralized identity framework, security becomes the responsibility of the user, who may decide to implement his or her own security measures or outsource the task to a service such as a digital bank vault or a password-manager-like app. Additionally, blockchain-powered, decentralized identity solutions force hackers to attack individual data stores one at a time, which is costly and generally unprofitable.