These days anyone who’s heard about blockchain knows its potential stretches far beyond just cryptocurrency. As one example, blockchain has already been deployed to great effect by pharmaceutical companies in the supply chain business.
It works well because blockchain ledgers act as a single source of truth regarding information from multiple entities. That data is verified through consensus and protected via cryptography, creating an immutable digital record. It means blockchain is the ideal tool to prevent counterfeiting and fraud.
Those same features also make blockchain a great candidate for identity management, whether for individual people, employees, devices, or machines.
Anyone who’s studied identity management will be fully aware of its complexity. It involves the identification, authentication, and authorization of individuals to provide them with access to systems, applications, networks, and more. Existing identity management systems work, but because sensitive information is used, they also create a high risk of identity theft, fraud, and data breaches.
The problems with existing systems are manifold. For many of the world’s poorest people, simply obtaining an identity is beyond their means. The World Bank estimates that 1.1 billion in the world have no form of ID whatsoever and no easy way of obtaining one.
Moreover, the information people use to verify their identity is inherently sensitive. They’re generally asked to provide documents such as a passport or driving license and information such as their social security or tax number. Most of this valuable information is stored on centralized databases operated by legacy software companies. Those databases may have multiple single points of failure, and with millions of records containing personally identifiable information, they present tempting targets for hackers. A 2018 study by ForgeRock found that PII is the most targeted data in security breaches, comprising 97% of all data stolen in attacks that year.
Identity verification systems based on distributed blockchains have enormous potential, enabling secure storage and managing digital identities for both individuals and enterprises. They can help prevent data breaches, but they also allow individuals to retain control over the sensitive data that’s used to prove their identity, a concept known as self-sovereign identity.
SSI describes a digital identity that the user controls and owns. One of the key benefits of this is that individuals have the right to choose which aspects of their identity they wish to disclose within different contextual settings and domains. In other words, it allows them to control how their personal information is used, rather than giving it up to corporations by filling in a form to use their services. A person’s SSI will generally be stored on their device or encrypted and distributed on the blockchain.
SSIs can be considered digital passports that use decentralized identifiers to create verifiable yet decentralized digital IDs. They’re the cryptographic counterpart to traditional security credentials such as user names and passwords.
One example of SSI is the Sovrin Network, an open-source network that facilitates the online management of digital identities. The Sovrin Network was created to facilitate the evolution of the current siloed identity system built on vulnerable databases and endless passwords to a blockchain-based system that enables friction-free and highly secure ID verification.
In the Sovrin Network, the blockchain is distributed across server nodes hosted by trusted entities known as “Stewards”. Each Steward stores a copy of the ledger used to verify any credentials issued by the network. As a result, organizations that deploy Sovrin can avoid the regulatory burden of storing huge amounts of sensitive information.
Another platform concerned with self-sovereign IDs is GlobaliD, which issues identities that comprise a name and “key data” that defines who that person is. That key data can be more conventional information such as a person’s name, address, date of birth, plus more advanced identifiers including biometric information and social media profiles.
GlobaliD’s are portable, meaning they can be used with any official partner that has adopted its ID verification system. GlobaliD is designed for companies that want to convince users they’re committed to privacy. Neither GlobaliD nor its partners can view the key data without receiving that person’s explicit consent.
A similar concept is the basis of KILT Protocol, which provides individuals with a way to prove their identity without revealing their personal information. GlobaliD brings verifiable, real-world credentials such as birth certificates and passports to the digital realm while keeping that information secure. KILT Protocol can also create identities for devices, machines, and services.
KILT Protocol relies on three elements to trust its credentials: claimers, attesters, and verifiers.
Claimers can be individuals, businesses, or even objects that want to claim something about themselves to create an online identity. They create these claims using an identifier such as their name and signing it. So, for example, a person named John can claim to be a data scientist.
That’s where attesters come in. Attesters play an important role in KILT Protocol, verifying people’s, businesses, or object’s claims. They do this by cryptographically signing an attestation to a specific claim. Once a claim – I am a data scientist – has been attested, it then becomes a credential that the user (in our case, John) can store in their wallet.
Attestors occupy the most important role in KILT’s network, certifying people’s claims are valid. However, they don’t have access to an individual’s credentials. So in the case of John, he would have to ask someone such as a previous employer or his former university to attest his claim that he is indeed a data scientist.
The final element of KILT Protocol is the verifiers, who are demanding to see credentials. They could be businesses providing some service to the claimer, for example. The verifiers can choose which attesters they’re willing to trust and must also identify each claimer via a cryptographic challenge – something necessary to prevent the unauthorized use of an attested credential. So, for example, with John, the verifier might be a potential employer looking to hire him. So I would be able to look at his credential to check he is a data scientist.
At present, we’re still in the very early days fulfilling the potential of blockchain-based identity management. Widespread adoption of such systems is a long way off. Yet, the concept has proven its ability to replicate the trust-based system of real-world identities to build a superior version of the Internet, where people’s data is no longer treated as a commodity by the biggest tech players.
A recent report from Allied Market Research bullishly forecasts that the blockchain identity management market will grow from $107 million in 2018 to $11.46 billion by 2026, illustrating just how important this will become.
One thing is for sure. Identity management is a fascinating new use case for blockchain and will be the subject of much further exploration, research, and investment in the years to come.
This post was last modified on Feb 24, 2022, 12:53 GMT 12:53