Amid privacy and security failures, digital IDs advance

Credit to Author: Lucas Mearian | Date: Mon, 06 Jan 2020 03:00:00 -0800

Frustration over a growing number of privacy and security failures in recent years is driving the creation of digital identities controlled only by those whose information they contain.

Known as “self-sovereign identities,” the digital IDs will be used by consumers, businesses, their workers and governments over the next few years to verify everything from credit worthiness and college diplomas to licenses and business-to-business credentials.

“We are slowly graduating from crawling to walking. It takes one to two years ’til we have reliable capabilities to spark meaningful decentralized identity adoption,” said Homan Farahmand, a senior research director at Gartner. “A major non-technical hurdle is for organizations to learn the concept and take the necessary steps to appropriately adapt their business processes to decentralized identity ecosystems.”

A growing number of organizations is looking to better understand decentralized identity technology, which is predicated on blockchain electronic ledgers. Currently, there are more proof-of-concept projects than production systems, and they involve only a small number of organizations. The pilots, being trialed in government, financial services, insurance, healthcare, energy and manufacturing, don’t yet amount to an entire ecosystem, according to Farahmand.

“While these projects help identify gaps such as governance, user experience, standardization and interoperability issues, none of them [rise to the level of] a practical decentralized ecosystem to bootstrap pervasive adoption at this point,” Farahmand said.

Self-sovereign identity envisions consumers and businesses eventually taking control of their identifying information on electronic devices and online, enabling them to provide validation of credentials without relying on a central repository, as is done now. Self-sovereign identity technology also takes the reins away from the centralized ID repositories held by the social networks, banking institutions and government agencies.

A person’s credentials would be held in an encrypted digital wallet for documenting trusted relationships with the government, banks, employers, schools and other institutions. But it’s important to note that self-sovereign ID systems are not self-certifying: the decision about whom to trust rests with the other party. Whoever you present your digital ID to has to decide whether the credentials in it are acceptable.

“For example, if I apply for a job…, and they require me to prove I graduated from a specific school and need to see my diploma, I can present that in digital form,” said Ali. “And, most likely, that credential would have to be cryptographically signed by the school that issued it. So the relying party – my place of work – would have to decide when I present the credential if the signing key is something they trust.”

For example, a place of employment could issue an electronic confirmation or “credential” that could be stored in that employee’s digital wallet saying you work for the XYZ Company. Even something as simple as a health club membership verification could be added to a user’s wallet and presented through a mobile app.

For consumers who are mindful of their online information – credit card numbers, date of birth, annual income, etc. – a blockchain-based network means the user controls who can see their data or get purchasing approval without releasing details such as their annual income or their age and address.

For businesses such as banks, rules such as know-your-customer (KYC) regulations make blockchain-based digital identities attractive.

Self-sovereign identities can work like this: the user has a bank confirm a credit limit or an employer confirm annual income; that confirmation information is encrypted, but available, on a public blockchain ledger to which the consumer holds the private and public cryptographic keys.

A consumer who wants a car loan from an auto dealership, for example, can give the dealer permission through a public key to confirm that he or she has enough credit or annual income to buy a vehicle – without revealing an exact dollar amount. So, for example, if the dealer wants to ensure a consumer earns more than $50,000 a year, that’s all the blockchain ledger will confirm (not that the person actually earns, say, $72,587 or some other exact figure).

The confidentiality technique is known as zero-knowledge proof (ZKP), a cryptography technology that allows a user to prove that funds, assets or identifying information exist without revealing the details behind it.
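The issue-present-verify flow described above (an employer attests to income, the holder shows the car dealer only that the $50,000 threshold is met, and the dealer decides whether the employer's signing key is one it trusts, as in Ali's diploma example) can be made concrete in a few dozen lines. The following is an added example written for this article; it is not code from CULedger, R3, MIT or any of the projects mentioned. It uses salted hash commitments for selective disclosure (the issuer signs hashes of the attributes rather than the values, and the holder reveals only the preimages it chooses), which hides the undisclosed attributes but is not a zero-knowledge range proof: the "over $50,000" predicate is an attribute the issuer attests to, not something proved in zero knowledge from the exact figure. The issuer identifier `did:example:employer` is a placeholder, and the signature scheme is a Lamport one-time signature, chosen only so the example runs with the Python standard library; a real issuer would use a conventional scheme such as Ed25519, and a Lamport key must never sign more than one message.

```python
import hashlib
import json
import os
import secrets
from typing import Optional


def H(data: bytes) -> bytes:
    """SHA-256, used both for the attribute commitments and inside the signature scheme."""
    return hashlib.sha256(data).digest()


# --- Issuer signing key: Lamport one-time signature (assumption: a standard-library
# stand-in for a real signature scheme; one key signs exactly one message). ---
def lamport_keygen():
    secret = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    public = [[H(a), H(b)] for a, b in secret]
    return secret, public


def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(secret, msg: bytes):
    # Reveal one preimage per bit of the message hash.
    return [secret[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(public, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == public[i][bit] for i, bit in enumerate(_bits(msg)))


# --- Issuer: sign salted hash commitments to each attribute, never the values. ---
def issue_credential(issuer_secret, issuer_id: str, attributes: dict) -> dict:
    disclosures, commitments = {}, {}
    for name, value in attributes.items():
        salt = secrets.token_hex(16)  # fresh salt so a verifier cannot guess values by hashing
        disclosure = json.dumps([salt, name, value])
        disclosures[name] = disclosure
        commitments[name] = H(disclosure.encode()).hex()
    payload = json.dumps({"issuer": issuer_id, "commitments": commitments}, sort_keys=True)
    signature = [s.hex() for s in lamport_sign(issuer_secret, payload.encode())]
    return {"payload": payload, "signature": signature, "disclosures": disclosures}


# --- Holder's wallet: present only the attributes the relying party asked for. ---
def present(credential: dict, reveal) -> dict:
    return {
        "payload": credential["payload"],
        "signature": credential["signature"],
        "disclosures": {name: credential["disclosures"][name] for name in reveal},
    }


# --- Relying party: decide whether the issuer key is trusted, check the signature,
# then check that every disclosed value matches its signed commitment. ---
def verify_presentation(presentation: dict, trusted_issuers: dict) -> Optional[dict]:
    payload = json.loads(presentation["payload"])
    public = trusted_issuers.get(payload["issuer"])
    if public is None:
        return None  # issuer is not on this verifier's trust list
    sig = [bytes.fromhex(s) for s in presentation["signature"]]
    if not lamport_verify(public, presentation["payload"].encode(), sig):
        return None  # payload or signature has been altered
    revealed = {}
    for name, disclosure in presentation["disclosures"].items():
        if H(disclosure.encode()).hex() != payload["commitments"].get(name):
            return None  # disclosed value does not match what the issuer signed
        _salt, signed_name, value = json.loads(disclosure)
        if signed_name != name:
            return None
        revealed[name] = value
    return revealed


def demo() -> Optional[dict]:
    # Constructed scenario from the article: the employer attests to income,
    # the dealer learns only the threshold predicate.
    employer_secret, employer_public = lamport_keygen()
    wallet = issue_credential(employer_secret, "did:example:employer", {
        "annual_income": 72587,
        "income_over_50000": True,
    })
    to_dealer = present(wallet, ["income_over_50000"])
    return verify_presentation(to_dealer, {"did:example:employer": employer_public})


if __name__ == "__main__":
    print(demo())  # {'income_over_50000': True}; the exact income never leaves the wallet
```

The trust decision is entirely the verifier's: `trusted_issuers` is the dealer's own list of issuer keys, and a presentation from an issuer it has not chosen to trust is rejected even though the signature is valid. Commitment names are visible in the payload, so an attribute name itself should not be sensitive; a deployment that needs to hide which attributes exist would sign an unordered list of commitments instead.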

Self-sovereign identities extend to businesses or other organizations that want to be able to verify – or be verified – for transactions with other businesses or government agencies. For example, Ernst & Young has created a public blockchain that lets companies use ZKPs to complete business transactions confidentially without exposing sensitive business data.

In another example, CULedger, a cooperative owned by dozens of credit unions for the purpose of providing back-office services, worked with blockchain company R3 to create a distributed identity management platform called My CUID. After a pilot ended in December, they launched a proof-of-concept (PoC) that acts as a settlement rail for cross-border customer payments.

The blockchain-based settlement system also acts as a distributed identity platform, enabling users to be verified by their credit union and then take their digital ID with them for use in cross-border payments, no matter what country they’re in or what financial institutions are involved. In essence, My CUID is meant to be agnostic as to the settlement system used.

“So, the PoC they developed was built to use the SWIFT payment rail, but they can use whatever rail they want, and it can even use a cryptocurrency to settle [a financial transaction] if they need it to,” said Abbas Ali, R3’s head of identity management.

R3, created five years ago by a consortium of leading financial services firms, heads up a group of more than 300 companies working to build distributed applications on top of Corda, their blockchain platform. Third parties can develop dApps (known as CorDapps), for use on the Corda platform in any number of industries, including financial services, insurance and healthcare.

“In simple terms, you can think of the [blockchain] platform kind of like the operating system. It provides all parts of identity on the network; it provides a protocol for participants to communicate with each other, but that’s as far as it goes. Any specific use case or business application on top of that would be based in the form of a CorDapp,” Ali said.

“At the application level, we have a lot of partners developing identity access management solutions using what’s called decentralized identity [DiD],” he added.

CULedger’s My CUID eliminates the need for user names and passwords and relieves credit union call centers from the obligation of resetting them when a customer loses them. The digital identity, which is encrypted using a public key infrastructure (PKI), is controlled solely by the credit union customer.

My CUID differs from modern payment rail systems in that a user’s identity is attached to every transaction they make. Current systems, such as SWIFT’s settlement rail, don’t send the user’s identity with a wire transfer; it remains separate from the wire instructions, meaning only the bank sending the money knows who is sending it.

“The advantage is for the receiving party,” Ali said. “For them, this is just one example of the use case they developed this PoC for, but they have a bigger vision. They want people to have flexibility to move between different providers. You have an identity on your phone or, let’s say your credit union-issued application…. [If] you decide to transfer to a new state or country or change credit union provider, you can take that identity with you. That’s the bigger use case there.”

How CULedger’s MyCUID mobile app works: The image on the left shows a credit union member being asked to verify their identity. The second image (right) shows the member confirming it is indeed them. Had the member pressed “no,” the credit union would be alerted that it might be dealing with a bad actor or non-member.

The financial services industry as a whole is focused on developing decentralized identity systems that would eliminate today’s method of identifying users by keeping their information in silos controlled by one company or a federation of partner companies, Ali said.

Key to a DID is that no one entity or person verifies a business’s or person’s identity. The onus for identification verification is on the relying party.

“Whoever you present your digital identity to has to decide if the proofs you’re presenting through the wallet are acceptable,” Ali said. “What’s most important isn’t what you say about yourself but what a trusted organization says about you.”

That means a bank, government, healthcare organization or any other entity verifying information about a self-sovereign identity user becomes responsible for ensuring the info can be trusted.

For example, in 2017, MIT began piloting Blockcerts, a blockchain-based network and application for storing and sharing academic credentials. MIT worked with digital ID company Learning Machine to develop the application.

Today, Blockcerts is up and running and used by 69% of graduates. In the last graduating class of 3,718 students, 2,561 opted to have their diplomas digitized and made available through the blockchain-based application, according to Mary Callahan, MIT’s registrar.

Blockcerts creates a single digital identity wallet a graduate can present through a link to would-be employers or other schools to verify academic achievements.

MIT’s Blockcerts mobile application stores verified digital diplomas that students can share with potential employers or other schools.

“As you might imagine, having… a piece of paper that indicates you graduated is a valuable commodity in the world. So fraud was an issue,” Callahan said. “There’s also the opportunity to really recognize a student’s lifelong learning. For our students, this is one stop along their learning trajectory. They may be obtaining certificates, badges, master’s degrees, PhDs, and this can put them all together in one simple portfolio of their credentials.”

MIT has aggressively marketed Blockcerts to students through the school’s newspaper, display boards and the administrators of various academic departments – an effort that led to a doubling of its uptake over the past year, according to Peter Hayes, assistant registrar at MIT.

“One thing we’re doing in terms of outreach now is working with the career services office to raise the profile for potential employers. They host career fairs with 400 to 500 employers on campus,” Hayes said.

Last year alone, the Blockcert application was used 4,124 times to verify graduate credentials, Hayes said. “So, while students haven’t given us direct feedback, we can see … numbers [that] indicate they are using it,” he said.

The self-sovereign identity movement spans industries, according to Gartner.

Examples of efforts to create DID infrastructures include:

A growing number of startups and traditional identity and security vendors are also entering the decentralized identity market directly or indirectly, according to Gartner’s Farahmand.

For decentralized identity and verifiable claim exchanges to become ubiquitous, however, there needs to be industry standardization, interoperability, and autonomous operation by pushing some legal agreements and policies into the decentralized protocols (e.g. smart contracts).

“That’s where we hope to see more collaboration between decentralized identity and blockchain communities to leverage smart contracts and initiatives such as [the] Accord project,” Farahmand said. (The Accord project is an ongoing effort to make it easier for anyone to build smart contracts and documents on a neutral platform.)

Decentralized identity and verifiable claim exchanges are key to enabling functions such as user authentication, digital signature, consent and verifiable claims, according to Farahmand. “While we observe implementation of all these use cases for consumers, workforce and business-to-business scenarios, verifiable claim exchange is by far the most impactful because it can disrupt the way we exchange identity data,” he said.

A verifiable claim exchange could be relevant across many industries such as finance, healthcare, education, retail, professional services and even IoT.

R3’s Ali agreed, saying it will take a greater standards effort to advance a global decentralized identity network.

“You need to remove one of the biggest hurdles, which is lack of interoperability,” Ali said. “You need interoperability, because we don’t believe one blockchain can rule them all.”
