Will the vastly-hyped tech solve the digital ID challenge?
Defining self-sovereign identity
Imagine a world where upon birth an individual’s name, date of birth, parents and some other biographical data are recorded and stored in a distributed ledger. That individual – only hours old – and her parents own that record and data, not a company, state or federal government.
The identity can be used to register for school and enable access to health care and other social services. At a certain age the individual takes sole possession of their identity and can use it for a host of purposes – establishing social media accounts, opening bank accounts, signing contracts and applying for a driver license.
When people say they’re going to use Blockchain for applications other than Bitcoin, that’s not really accurate. They’re using distributed ledger technology.
Over time, the identity will receive attestations – credit scores, identity proofing – that give it a high assurance to be used in the same way that someone shows a passport or driver license in the real world. But the owner decides what information is given up from that self-sovereign identity. It never leaves the individual and is always under her control.
This is the model that a couple of organizations are looking at to change the way identity is managed in the digital world. ID2020 wants to enable identity for the 1.5 billion people in the world currently without one, says Dakota Gruener, executive director at the not-for-profit organization.
ID2020 is working toward U.N. Sustainable Development Goal 16.9 – legal identity for all – so that government and non-government organizations can help all people become part of society, financially included and economically active. The group seeks to create a system by the year 2020 that would be technically and legally compliant for children regardless of nationality, origin or status.
The scenario ID2020 envisions gives the individual complete control over their identity. “We have this vision where people can self-provision bits and pieces of their identity to others,” Gruener says. “People can say ‘this is my identity and I disclose what I choose.’”
This same idea is driving Evernym, a company looking to use distributed ledger technology for identity, says Timothy Ruff, co-founder and CEO at the company. He thinks the current conversations about digital identity are too focused on access. “Self-sovereign identity is something permanent that you control and nobody can take away,” Ruff explains. “It’s something you can use to connect to someone or something else. It’s not just about access.”
A baby born in a small village in a third world country doesn’t need access to anything, but they do need an identity, says Ruff. As they get older that identity can grow with them, they can use it for access and they can choose what information to give up. Evernym envisions a system that uses a combination of encryption, digital signatures and biometrics to secure the data and link it to the owner.
“This is a permanent digital existence that everyone in the world should have,” Ruff explains. “Even if the government doesn’t recognize it at first, they will have to in time.”
Evernym is using the term self-sovereign identity but Ruff sees it more as a self-sovereign digital existence. “An account that is yours forever fundamentally changes the way we interact, the way we buy things, the way we manage consent,” Ruff says.
This idea is not without its share of obstacles. The government is the issuer of identity documents, everything from birth certificates and Social Security cards to driver licenses and passports. If governments don’t accept a credential issued through such a system, that would be a problem.
Governments would have to buy into these systems to make them successful. “If this is seen as a challenge to nation states, some governments might not be excited about facilitating the system,” Gruener says.
If a country already has a national identity program in place this self-sovereign identity can exist alongside that program, Gruener says. “They don’t have to be at odds,” she adds.
It will be crucial to bind or link the record created at birth with the individual as they grow up. “The biometric piece is very important because it’s a way of validating the individual,” she says. “The challenge is that the standard set of biometrics – iris or fingerprint – don’t work well on an infant.”
Secure attribute broker
Evernym and ID2020 envision a system where the user is at the center, doling out permission at will. Another model uses distributed ledger technology as an attribute verification service with a federated identity scheme. Instead of having identity at the center and doling out permissions, relying parties would ping the ledger to verify necessary attributes, says Andre Boysen, chief identity officer at SecureKey.
As it stands now people have two identities, one online and one in the real world. The model that Boysen proposes would have that real world identity verified and then secured with a digital signature in a distributed ledger. Anytime someone wanted to verify an attribute they would check the ledger.
This model could offer additional privacy as well. The relying party would be able to trust the data, even though they don’t know where it’s coming from, and the ledger wouldn’t know who is checking the data. Put all of this into a federated identity scheme and it could solve a lot of problems, Boysen says.
This type of federated identity standard could serve as the model for an “identity grid,” Boysen says. Identity now is where electric production was in the 1800s when each company produced its own electricity in each town. Then the realization dawned that by pooling efforts there could be efficiencies gained.
The same may be true for identity. A system like this could move more transactions online and enable greater efficiencies, Boysen explains.
Storing pointers to identity data, rather than the data itself, may be the way distributed ledgers make their way into identity, says Eve Maler, vice president of innovation and emerging technology at ForgeRock. Distributed ledgers cannot be erased, so individuals wouldn’t be able to change information stored there. “Identity information can change and if you’re under regulations where you have the right to erasure there’s a problem because you can’t erase anything on a ledger,” she explains.
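The pointer approach Maler describes, as an added illustration in Go that is not code from ForgeRock or any company in the article: the ledger holds only a salted hash of an attribute (the "pointer"), while the attribute itself lives off-ledger where the individual can correct or erase it. The names Pointer, Record, Commit and Verify are assumed for this example, and erasure is modelled as the off-ledger record no longer existing.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Pointer is what goes on the append-only ledger: a salted hash of the
// attribute, not the attribute. On its own it reveals nothing and it stays
// harmless after the data behind it has been erased.
type Pointer [32]byte

// Record is the off-ledger copy the individual controls and may delete.
// The random salt stops anyone guessing low-entropy values such as a date
// of birth by hashing candidates and comparing against the ledger.
type Record struct {
	Value string
	Salt  []byte
}

func hashAttr(value string, salt []byte) Pointer {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(value))
	var p Pointer
	copy(p[:], h.Sum(nil))
	return p
}

// Commit produces the erasable record and the immutable pointer for it.
func Commit(value string) (*Record, Pointer, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, Pointer{}, err
	}
	return &Record{Value: value, Salt: salt}, hashAttr(value, salt), nil
}

// Verify is the relying party's check of a presented record against the
// ledger pointer. A nil record stands for data that has been erased.
func Verify(r *Record, p Pointer) bool {
	if r == nil {
		return false // erased: the ledger entry alone proves nothing
	}
	got := hashAttr(r.Value, r.Salt)
	return subtle.ConstantTimeCompare(got[:], p[:]) == 1
}
```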
SolidX is a new company that aims to let consumers receive attestations to their distributed ledger identity, making it a strong, high-assurance tool, says Bryan Reyhani, chief commercial officer at the company.
Those bits of attestation and identity information would be stored in a distributed ledger and secured with PKI, Reyhani says. “Today, cloud-based identity solutions are about personally identifiable information, and they’re a central honeypot,” he explains.
SolidX’s solution stores a public key in the distributed ledger and the private key on the user’s phone, Reyhani says. When logging in to different sites, the user would choose the SolidX credential from a menu, which would prompt the user to authenticate on the mobile device with either a fingerprint or PIN. After the authentication is validated the user would gain access to the site.
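The login flow described above, written as an added example in Go that is not SolidX’s code: the ledger anchors only the public key, the private key stays on the phone, and the phone signs a fresh challenge from the site only after the local fingerprint or PIN check has passed. The Ledger, Device, Challenge and Verify names are assumed, the ledger is an in-memory map, and local biometric/PIN verification is reduced to a boolean.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Ledger stands in for the distributed ledger: it anchors only public keys
// under user identifiers, never private keys or personal data (constructed).
type Ledger struct{ keys map[string]ed25519.PublicKey }
func NewLedger() *Ledger                                   { return &Ledger{keys: map[string]ed25519.PublicKey{}} }
func (l *Ledger) Register(id string, pub ed25519.PublicKey) { l.keys[id] = pub }

// Device models the user's phone: the private key never leaves it, and it
// signs only after the local fingerprint/PIN check has passed.
type Device struct {
	priv     ed25519.PrivateKey
	unlocked bool // outcome of the local biometric/PIN check, never transmitted
}

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}
func (d *Device) LocalAuth(ok bool) { d.unlocked = ok }

// Sign answers a site's login challenge; refused while the device is locked.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device locked: local authentication required")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Challenge is a fresh random nonce from the site, so a captured signature cannot be replayed at a later login.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify is the relying party's check: look up the public key on the ledger, then validate the signature over the exact challenge it issued.
func (l *Ledger) Verify(id string, challenge, sig []byte) bool {
	pub, ok := l.keys[id]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```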