Digital Identity Management: Why Blockchain Matters
Current identity management systems have privacy and security problems, and blockchain technology may offer a way to address them.
What is Blockchain?
Distributed Ledger Technology (DLT), commonly just called “blockchain technology”, refers to the technology behind decentralised databases that are replicated across the nodes of a peer-to-peer network, with a consensus algorithm deciding which changes to the data all nodes accept, so that no single party controls how the data evolves.
More simply put:
Imagine a book (or ledger) that anyone could obtain free of charge, where anything written on its pages stays there forever and is cross-checked against every other copy of the book to confirm that what was written is valid; this is the essence of DLT.
What is Identity Management?
Also known as “identity and access management” (IAM), identity management comprises all the processes and technologies an organisation uses to identify, authenticate and authorise someone before they can access services or systems in that organisation or in associated ones.
Examples range from customers or employees accessing software or hardware inside a company (together with the level of access, privileges and restrictions each user has while doing so) to, in a governmental setting, the issuing and verification of birth certificates, national ID cards, passports or driver’s licences, which allow a citizen not only to prove their identity but also to access services from the government and other organisations.
The problem with current Identity Management Systems
Most current identity management systems are weak and outdated. Paper-based systems are at risk of loss, destruction or fraud. Centralised digital systems are honeypots of personal data for attackers and are constantly subject to leaks and breaches: since 2017 alone, more than 600 million personal details, such as addresses or credit card numbers, have been hacked, leaked or breached from organisations.
Identities need to be portable and verifiable everywhere, any time, and digitization can enable that. But being digital is not enough. Identities also need to be private and secure.
The importance of Blockchain for Identity Management
A distributed ledger (a “blockchain”) enables everyone in the network to have the same source of truth about which credentials are valid and who attested to the validity of the data inside the credential, without revealing the actual data.
Privacy and security for Digital Identity Management
Tykn’s digital identity management platform uses Sovrin, a global registry of public keys that are used to verify data held off-chain.
Through the Sovrin infrastructure, a verifying party does not need to check the validity of the actual data in a proof it is given; instead it uses the Sovrin ledger to check the validity of the attestation and of the attesting party (such as a government), and from that decides whether to accept the proof.
For example, when an identity owner presents a proof of their date of birth, the verifying party does not check the truth of the date itself; it validates the signature of the government that issued and attested to the credential, and then decides whether it trusts that government’s assessment of the data’s accuracy.
Hence, the validation of a proof is based on the verifier’s judgement of the reliability of the attestor.
Leveraging the Sovrin ledger establishes trust between the parties and lets a verifier check the authenticity of the data and its attestations, without any personal data being stored on the ledger.
This is crucial because a distributed ledger is immutable: anything put on the ledger can never be altered or deleted, so no personal data should ever be put on it.
Why is it a bad idea to put personal data on a blockchain?
- Putting personal data on the ledger endangers users’ privacy: the ledger is permanently exposed to attack, so if the data is not compromised now, it probably will be at some point in the future.
- It violates current privacy regulations (e.g. the GDPR’s right to be forgotten).
- It is also inefficient, because an identity is dynamic: attributes change over time (e.g. a home address or the number of children).
What exactly goes on the blockchain
Only references to a user’s verified credential and the associated attestation are put on the ledger, never the credential’s contents.
Privacy is preserved through non-correlation: identifiers on the ledger are pseudonymous and cannot be linked back to a person. So, instead of actual private information, the only things stored on the ledger (for the purpose of verification) are:
- Public Decentralised Identifiers (Public DIDs) and their associated DID Descriptor Objects (DDOs, now usually called DID Documents), which carry the verification keys and service endpoints. DIDs are a new type of unique identifier for verifying digital identities; they are entirely controlled by the identity owner and independent of centralised registries, authorities or identity providers.
- Credential schemas: the formal description of the structure of a credential, i.e. which attributes it carries.
- Credential definitions: an issuer’s published definition of a particular type of credential it issues, such as a driver’s licence, passport, identification card or credit card. Credential definitions are, as the name suggests, merely the definitions of these credentials, not the credentials themselves.
- Revocation registries: the issuer’s means of revoking a claim. The revocation registry tells the rest of the world where and how the issuer publishes revocation information, so a verifier can check that a credential is still valid.
- Proofs of consent for data sharing: consent receipts that prove consent was given, or that data was received and the agreed checks were executed on it.
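The verification model described above (the verifier checks the issuer’s attestation via the ledger rather than the data itself) and the ledger contents just listed (DID with verification key, schema, credential definition, revocation registry) fit together as follows. This is an added example written for this page, not Tykn’s or Sovrin’s code, using only Go’s standard library (Ed25519). The DID `did:example:gov`, the IDs `passport-v1`, `gov:passport-v1` and `cred-0001`, and the attribute values are constructed sample data. Sovrin uses zero-knowledge proofs for selective disclosure; the salted-digest scheme here (the issuer signs a digest of each attribute, the holder reveals one value with its salt) is a simpler stand-in that shows the same property: the verifier learns the date of birth, checks who attested to it, and never sees the other attributes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Ledger stands in for the public registry. No attribute value is ever written to it.
type Ledger struct {
	Keys     map[string]ed25519.PublicKey // issuer DID -> verification key (from its DID document)
	Schemas  map[string][]string          // schema ID -> attribute names
	CredDefs map[string][2]string         // cred def ID -> {issuer DID, schema ID}
	Revoked  map[string]bool              // revocation registry: credential ID (random, not personal) -> revoked
}

// Credential lives in the wallet. The issuer signs a salted digest of each attribute, not the
// values, so a presentation can reveal one value with its salt while the others stay hidden.
type Credential struct {
	ID, CredDefID         string
	Attrs, Salts, Digests map[string]string
	Signature             []byte
}

func digest(name, salt, value string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(name+"\x00"+salt+"\x00"+value)))
}

// payload is what the issuer signs; json.Marshal sorts map keys, so both sides build identical bytes.
func payload(c *Credential) []byte {
	b, _ := json.Marshal([]interface{}{c.ID, c.CredDefID, c.Digests})
	return b
}

// Issue checks attrs against the schema behind credDefID, salts and digests them, and signs.
func Issue(l *Ledger, priv ed25519.PrivateKey, credDefID, credID string, attrs map[string]string) (*Credential, error) {
	def, ok := l.CredDefs[credDefID]
	if !ok {
		return nil, fmt.Errorf("unknown credential definition %q", credDefID)
	}
	c := &Credential{ID: credID, CredDefID: credDefID, Attrs: attrs, Salts: map[string]string{}, Digests: map[string]string{}}
	for _, name := range l.Schemas[def[1]] {
		if _, ok := attrs[name]; !ok {
			return nil, fmt.Errorf("schema attribute %q missing", name)
		}
		salt := make([]byte, 16)
		rand.Read(salt)
		c.Salts[name] = fmt.Sprintf("%x", salt)
		c.Digests[name] = digest(name, c.Salts[name], attrs[name])
	}
	c.Signature = ed25519.Sign(priv, payload(c)) // the private key never touches the ledger
	return c, nil
}

// Present keeps a value and salt only for the named attributes; all digests and the signature travel along.
func (c *Credential) Present(reveal ...string) *Credential {
	p := &Credential{ID: c.ID, CredDefID: c.CredDefID, Digests: c.Digests, Signature: c.Signature,
		Attrs: map[string]string{}, Salts: map[string]string{}}
	for _, name := range reveal {
		p.Attrs[name], p.Salts[name] = c.Attrs[name], c.Salts[name]
	}
	return p
}

// Verify never judges whether a revealed value is true: it resolves the issuer's key on the ledger,
// checks the signature over the digests, matches revealed values to their digests, and checks revocation.
func (l *Ledger) Verify(p *Credential, trusted map[string]bool) error {
	issuer := l.CredDefs[p.CredDefID][0] // "" when the credential definition is unknown
	key, onLedger := l.Keys[issuer]
	if !onLedger || !trusted[issuer] {
		return fmt.Errorf("issuer %q is unknown to the ledger or not trusted by this verifier", issuer)
	}
	for name, v := range p.Attrs {
		if digest(name, p.Salts[name], v) != p.Digests[name] {
			return fmt.Errorf("revealed attribute %q does not match its signed digest", name)
		}
	}
	if !ed25519.Verify(key, payload(p), p.Signature) {
		return fmt.Errorf("issuer signature invalid")
	}
	if l.Revoked[p.ID] {
		return fmt.Errorf("credential %s has been revoked", p.ID)
	}
	return nil
}

// Setup registers a constructed issuer "did:example:gov" with a passport schema and issues one made-up credential.
func Setup() (*Ledger, *Credential) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	l := &Ledger{map[string]ed25519.PublicKey{"did:example:gov": pub},
		map[string][]string{"passport-v1": {"name", "dob", "nationality"}},
		map[string][2]string{"gov:passport-v1": {"did:example:gov", "passport-v1"}}, map[string]bool{}}
	c, err := Issue(l, priv, "gov:passport-v1", "cred-0001",
		map[string]string{"name": "A. Example", "dob": "1990-05-17", "nationality": "NL"})
	if err != nil {
		panic(err)
	}
	return l, c
}

func main() {
	l, c := Setup()
	// The verifier learns dob only; name and nationality stay hidden behind their digests.
	fmt.Println("proof of dob:", l.Verify(c.Present("dob"), map[string]bool{"did:example:gov": true}))
}
```

Note what each check corresponds to on the page: `trusted` is the verifier’s own judgement of which attestors it relies on (the ledger only tells it who signed), `l.Keys` is the DID document lookup, and `l.Revoked` is the revocation registry consulted at presentation time. A tampered date of birth fails the digest check, a forged or altered set of digests fails the signature, and revoking `cred-0001` on the ledger invalidates every later presentation without the issuer ever learning who is presenting it.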
Self-Sovereign Identity Management
Through the use of the Sovrin blockchain, Self-Sovereign Identities may become a reality. A Self-Sovereign Identity is an identity you own. It’s yours. Only you hold it, on your own personal digital identity wallet, and only you decide who gets to “see” it and what of it they get to “see”.
This avoids the honeypot problem. There is no centralised store of identities that can be breached, so for attackers to steal 50 million identity records they would have to compromise those 50 million people individually, which is considerably more difficult.
The Benefits of Self-Sovereign Identities
A digital identity management system in which organisations store only the minimum necessary personal data about their users means less personal data to manage and less bureaucracy, reducing data management costs and making identification processes more efficient, all while putting people’s privacy and security first.
According to Darrell O’Donnell, a digital identity expert, companies are realising that storing the personal data of customers (or employees) is a major liability: every breach, loss or theft of personal data may turn into significant lawsuits and fines, which may mean that, in the near future, companies will also start working their way towards Self-Sovereign Identity solutions.
Sovrin is a global network operated by 60+ trusted Stewards (such as IBM, Cisco and Tykn), covering every continent except Antarctica.