Will the vastly-hyped tech solve the digital ID challenge?
Too good to be true?
While distributed ledger and Blockchain might be the hot topics for identity right now, there is still a host of naysayers.
“Self-sovereign identity is a flimsy definition of something that is utopian,” says Steve Wilson, vice president and principal analyst at Constellation Research. “The libertarians are conflating the idea of identity with personal data stores.”
Wilson likes the idea of personal data stores – a place where consumers can manage their own information – but argues that they have nothing to do with identity. “Identity is a relationship one person has with another,” he explains. “Identity is how I am known in context with someone else.”
He is less keen on the idea of self-sovereign identity. “You have displaced people crossing oceans and land with no paperwork; how does Blockchain help them?” he asks.
The more realistic scenario is the refugee landing in a camp and working with aid workers to re-establish an identity, Wilson says. “Self-sovereign is a mirage, it doesn’t help that refugee,” he adds.
Some say the idea of self-sovereign identity is similar to user-managed access or user-centric identity. User-centric systems enable an individual to control when they’re giving up information and what they are willing to share.
Some worry that user choice will not always be sufficient. “Self-assertion is fine when it comes to aisle versus window, smoking versus non-smoking but when it comes to an emergency situation in the hospital they’re still going to check your blood type even if you tell them what it is,” Maler explains.
In order to accept third-party attributes there need to be trust frameworks put in place. As it stands now, relying parties accept attributes from third parties when they are incentivized, such as getting money or obtaining marketing data. “Maybe eventually we’ll have more trust when it comes to distributed systems but for right now I think it’s more aspirational,” Maler adds.
Self-sovereign identities have to be accepted in the real world and that may be a challenge, says MIT’s Hardjono. “It sounds catchy but it needs to be grounded in reality,” he explains. “An identity needs to be accepted by relying parties.”
While some make the case that distributed ledger systems have applications in the identity space, many of the market newcomers lack an understanding of the basics, says Jeremy Grant, managing partner at the Chertoff Group.
“There’s a wave of people and companies flooding into the identity market making bold claims about how the Blockchain will solve identity,” Grant says. “Unfortunately, most of them don’t understand enough about the basics of digital identity to speak intelligently on the topic, let alone answer tough questions about why Blockchain technology provides a better approach than other technologies.”
“There may yet be a great application for Blockchain in digital identity, but it will have to overcome the damage being done to the concept by this wave of ignorance,” says Grant.
Identity application for distributed ledgers
Distributed ledger technology may find its place in certain identity applications that are a bit more niche. Ping Identity found one of these applications with universal logout for single sign-on environments.
An overlooked problem for enterprises is making sure employees are logged out of systems. “The identity industry solved the single sign-on problem with SAML and then OAuth, but on the flipside, universal logout has not been solved,” says Mance Harmon, senior director of Labs at Ping Identity.
To help solve this problem, Ping announced a seed investment in Swirlds, a new platform that uses hashgraph to solve the universal logout problem and create a new standard for Distributed Session Management. Hashgraph is a type of distributed ledger – similar to Blockchain.
Global logout is needed when an employee is terminated or when an employee’s device is lost or stolen. Applied to identity management, the Distributed Session Management system built on the Swirlds hashgraph platform reduces that risk by giving IT organizations a “kill switch” for authenticated sessions in exactly those cases.
The standard enables global session logout for all active Single Sign-On and application sessions across both web and mobile apps, independent of the identity protocol being used. It also generates a cryptographic timestamp and proof of receipt, so the issuer of a session command can be certain that the command was received, and when.
The system puts in place a session management database that the identity provider writes to and that each of the apps enabled by single sign-on can also read, Harmon says. When an employee logs into an app, an authentication session record is placed into the session management database, and hashgraph ensures that the record is accurate.
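The design described above, as an added illustration that is not Ping’s or Swirlds’ code: a session registry that the identity provider writes to on login and that every SSO-enabled app consults on each request, with a “kill switch” that revokes all sessions for a terminated employee or a lost device. Each command is appended to a hash-chained log and answered with a timestamped receipt. The hash chain and the HMAC-based receipt are assumptions standing in for the ledger and cryptographic proof the article attributes to hashgraph; a real deployment would replicate the log across participants and sign receipts with a key the apps can verify without sharing it. Session identifiers are opaque strings, so the registry does not care whether the session came from SAML, OAuth or anything else.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key (assumption); a deployment would use a managed secret or a signing key.
REGISTRY_KEY = b"demo-registry-key-not-for-production"
GENESIS = "0" * 64


@dataclass
class Session:
    session_id: str
    subject: str
    device_id: str
    app: str
    active: bool = True


@dataclass
class Receipt:
    seq: int          # position in the command log
    timestamp: int    # registry clock reading when the command was accepted
    entry_hash: str   # hash of the log entry, chained to the previous one
    mac: str          # proof that this registry issued the receipt


class SessionRegistry:
    """Shared session store: written by the IdP, read by every SSO app."""

    def __init__(self, key: bytes, clock):
        self._key = key
        self._clock = clock            # injectable so tests are deterministic
        self._sessions: dict[str, Session] = {}
        self._log: list[dict] = []
        self._prev_hash = GENESIS

    @staticmethod
    def _hash_entry(entry: dict) -> str:
        raw = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(raw).hexdigest()

    def _append(self, command: dict) -> Receipt:
        # Every accepted command extends the chain and gets a timestamped, MAC'd receipt.
        entry = {"seq": len(self._log), "ts": self._clock(), "prev": self._prev_hash, "cmd": command}
        entry_hash = self._hash_entry(entry)
        mac = hmac.new(self._key, entry_hash.encode(), hashlib.sha256).hexdigest()
        self._log.append(entry)
        self._prev_hash = entry_hash
        return Receipt(entry["seq"], entry["ts"], entry_hash, mac)

    # --- identity provider side ---
    def login(self, session_id: str, subject: str, device_id: str, app: str) -> Receipt:
        self._sessions[session_id] = Session(session_id, subject, device_id, app)
        return self._append({"op": "login", "sid": session_id, "sub": subject, "dev": device_id, "app": app})

    def _revoke_where(self, op: str, field: str, value: str) -> tuple[Receipt, int]:
        count = 0
        for s in self._sessions.values():
            if s.active and getattr(s, field) == value:
                s.active = False
                count += 1
        return self._append({"op": op, field: value, "count": count}), count

    def revoke_subject(self, subject: str) -> tuple[Receipt, int]:
        """Kill switch for a terminated employee: ends every session they hold, in every app."""
        return self._revoke_where("revoke_subject", "subject", subject)

    def revoke_device(self, device_id: str) -> tuple[Receipt, int]:
        """Kill switch for a lost or stolen device: ends every session issued to it."""
        return self._revoke_where("revoke_device", "device_id", device_id)

    # --- application side, checked on every request ---
    def is_active(self, session_id: str) -> bool:
        s = self._sessions.get(session_id)
        return s is not None and s.active

    # --- verification ---
    def verify_receipt(self, receipt: Receipt) -> bool:
        expected = hmac.new(self._key, receipt.entry_hash.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, receipt.mac)

    def verify_chain(self) -> bool:
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = GENESIS
        for i, entry in enumerate(self._log):
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            prev = self._hash_entry(entry)
        return prev == self._prev_hash

    def tamper(self, seq: int, key: str, value) -> None:
        """Demo only: simulate an attacker editing a stored log entry in place."""
        self._log[seq]["cmd"][key] = value


def make_registry() -> SessionRegistry:
    ticks = iter(range(1_700_000_000, 1_700_000_100))   # constructed clock
    return SessionRegistry(REGISTRY_KEY, lambda: next(ticks))


def demo() -> dict:
    reg = make_registry()
    reg.login("s1", "alice", "laptop-1", "mail")
    reg.login("s2", "alice", "phone-1", "crm")
    reg.login("s3", "bob", "laptop-2", "mail")
    before = [reg.is_active(s) for s in ("s1", "s2", "s3")]
    receipt, ended = reg.revoke_subject("alice")         # alice is terminated
    after = [reg.is_active(s) for s in ("s1", "s2", "s3")]
    return {"before": before, "after": after, "ended": ended,
            "receipt_ok": reg.verify_receipt(receipt), "receipt_ts": receipt.timestamp,
            "chain_ok": reg.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The app-side check is the whole point: an app that validated a SAML assertion or OAuth token once and then trusts its own local session cannot be told to stop; one that asks `is_active()` on each request honours the kill switch within a single round trip, whatever protocol established the session.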
Niche use cases like this are where distributed ledgers may prove most useful. Financial services companies are looking at it for a range of applications, says Thomas Hardjono, technical lead and executive director at the MIT Internet Trust Consortium.
One application would use a distributed ledger to keep track of an employee’s pre-IPO shares in a company, Hardjono says. For example, if a software engineer is working at a startup, the ledger would record how many shares have been issued to that employee.
“They want to have a Blockchain underneath it so it would be an immutable ledger,” Hardjono explains.