by: Jessica Groopman
The digitization of society is driving the digitization of identity. From health information to professional certifications, the need for identity information and credentials is growing in volume, variety and value. Traditionally, identity information is monitored and verified by third parties — be it the government or private sector. Faltering trust and new tools, however, are calling these structures into question.
As the volume of personal data, frequency of digital interactions and risk of security threats continue to increase, paper-based forms of identity are becoming increasingly unfit for the digital world. It is unclear, though, how emerging technologies will reshape identity.
In organizational settings, identity and access management (IAM) technologies have a large role in identifying, authenticating and authorizing who accesses services or systems. Several processes fall under this category, and access can refer to anything from customers signing into software and employees configuring hardware, to citizens using government services, to all manners of user verification, certification and proof. Identity attributes are the labels attached to identities: employment, nationality, relationship to a service provider, access to government entitlements and demographics. These labels are not just digital representations but proxies for proving who we are.
Distributed ledger technology (DLT), known more commonly as blockchain, is among several emerging technologies that present potential models for IAM. DLT is best understood as an umbrella term that encompasses various distributed designs for data security and computing, and the technologies bundled therein. At its core, it enables transactions, authentications and interactions to be logged and verified by a network rather than a single central authority. This ability to record data and later retrieve it in the order it was recorded has been called a fundamental breakthrough in recordkeeping, with applications far beyond cryptocurrencies.
There are several use cases where blockchain technologies — or blockchain-inspired designs — may improve IAM processes. These include the following:
Multiparty verification involves the replacement of a central identity service company with a group of entities, governed by a network and owned by a joint venture or consortium. This is the broadest vision for applying DLT to IAM systems for greater efficiencies, though complexity of coordination across parties has limited adoption at scale.
According to the World Wide Web Consortium (W3C), “Verifiable credentials represent statements made by an issuer in a tamper-evident and privacy-respecting manner.” They are a crucial component of identity verification, and DLT represents opportunities to “digitally watermark” a fixed claim. Just as blockchain-based nonfungible tokens have enabled artists to digitally watermark their original media, a similar capability can be applied to verifying identity credentials. That said, companies should not store personally identifiable information (PII) on-chain; they should only store the hash of the claim on-chain.
In public blockchain architectures, or hybrid architectures built on open source software, access is not limited and there is potential for global search and discoverability of attributes without requiring a central directory. Such transparency can threaten privacy principles, but with additional layers of privacy engineering, more accessible distribution has the potential to improve financial inclusion and help enfranchise those unable to prove their identity.
Attributes could be encrypted, and smart contracts — logic and algorithms encoded on a blockchain — could be programmed to decrypt them when needed. To avoid storing PII or the attributes themselves on a blockchain, only the signature of the hash of the attributes should be stored on the ledger, while the user presents the attributes from their own device.
How do we know the origin and accuracy of identity attributes? After all, an attribute is only as reliable as our confidence in its source. Just as a shared ledger has improved transparency and efficiency in tracking food across the supply chain, a shared ledger could potentially create transparency in the timestamps of the sources issuing identity attributes. This same capability could be useful for key lifecycle management, specifically for synchronized visibility into the lifecycle metadata of cryptographic keys — i.e., who has access to what. Academia is also exploring this use, because it could help verify the authenticity of certifications and hiring credentials.
What do service providers actually need to know to authenticate someone? Various DLT capabilities, such as smart contracts, zero-knowledge proofs or selective disclosure, can be configured to minimize which data or attributes are required for verification and which are never revealed.
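As an added illustration of the pattern described in the preceding paragraphs (example code, not code from the article), the following Python sketch has an issuer anchor only a signed hash on the "ledger" (here just a dictionary), the holder keep the attributes on their own device, and a verifier check a selectively disclosed subset. The HMAC issuer key is a constructed stand-in for a real asymmetric signature; the attribute values are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key. A real issuer would sign with
# an asymmetric key so that verifiers only need its public key.
ISSUER_KEY = b"constructed-issuer-signing-key"


def commit(name, value, salt):
    """Salted hash of one attribute; the salt prevents guessing low-entropy values."""
    return hashlib.sha256(f"{name}:{value}:{salt}".encode()).hexdigest()


def root_of(digests):
    """One hash over all per-attribute digests; this is the value anchored on-chain."""
    return hashlib.sha256(json.dumps(digests, sort_keys=True).encode()).hexdigest()


def issue(attributes):
    """Issuer side: returns (ledger_record, holder_wallet). The ledger record holds
    only the root hash and its signature, never the attributes themselves."""
    salts = {k: secrets.token_hex(16) for k in attributes}
    digests = {k: commit(k, v, salts[k]) for k, v in attributes.items()}
    root = root_of(digests)
    signature = hmac.new(ISSUER_KEY, root.encode(), "sha256").hexdigest()
    wallet = {"attributes": dict(attributes), "salts": salts, "digests": digests}
    return {"root": root, "signature": signature}, wallet


def present(wallet, disclose):
    """Holder side: reveal only the chosen attributes (value + salt); the rest stay hashed."""
    disclosed = {k: (wallet["attributes"][k], wallet["salts"][k]) for k in disclose}
    return {"disclosed": disclosed, "digests": dict(wallet["digests"])}


def verify(presentation, ledger_record):
    """Verifier side: recompute disclosed digests, rebuild the root, check the signature."""
    digests = presentation["digests"]
    for name, (value, salt) in presentation["disclosed"].items():
        if not hmac.compare_digest(commit(name, value, salt), digests.get(name, "")):
            return False  # disclosed value does not match its committed digest
    root = root_of(digests)
    if not hmac.compare_digest(root, ledger_record["root"]):
        return False  # presented digest set is not the one anchored on the ledger
    expected = hmac.new(ISSUER_KEY, root.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, ledger_record["signature"])
```

Note that neither the ledger record nor a presentation disclosing only `over_18` ever contains the holder's name or date of birth.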
In many enterprise contexts, creating a log of interactions is not only an operational and security best practice but a requirement for regulatory compliance. While a blockchain is not compulsory when logging information for an audit — e.g., a user is enrolled, a user logs in, a user requests permissions or a user is deactivated — it can be useful for synchronization across parties, maintaining log integrity and reducing the potential for tampering or fraud.
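The paragraph above notes that a blockchain is not required for a tamper-evident audit log. This added Python example (not from the article) shows the hash-chain idea that gives such a log its integrity, run over constructed IAM events of the kinds named above, and detects a modified or deleted entry.

```python
import hashlib
import json

GENESIS = "0" * 64  # back-link for the first entry


def entry_hash(prev_hash, event):
    """Each entry's hash covers the event and the hash of the entry before it."""
    payload = json.dumps({"prev": prev_hash, "event": event}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def append(chain, event):
    """Append an IAM event; the stored hash commits to the whole history so far."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "event": event, "hash": entry_hash(prev, event)})
    return chain


def first_broken_link(chain):
    """Index of the first entry whose hash or back-link fails, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_hash(prev, entry["event"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


# Constructed sample events mirroring the audit actions named in the text.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T09:00:00Z", "actor": "hr-system", "action": "enroll", "subject": "u1001"},
    {"ts": "2024-01-01T09:05:00Z", "actor": "u1001", "action": "login", "subject": "u1001"},
    {"ts": "2024-01-02T10:00:00Z", "actor": "u1001", "action": "request_permission", "subject": "finance-app"},
    {"ts": "2024-03-01T17:00:00Z", "actor": "hr-system", "action": "deactivate", "subject": "u1001"},
]


def build_sample_chain():
    """Build a fresh chain from the sample events (copies, so tests can tamper freely)."""
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, dict(event))
    return chain
```

Sharing each entry's hash with other parties (or anchoring it on a ledger) is what lets them detect tampering; the chain alone only makes tampering detectable by whoever holds an honest copy.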
Another use case enabled through shared audit trails is compliance verification, as auditors can be permission-based stakeholders within the shared ledger network. Many enterprise identity use cases also require compliance verification, such as know your customer (KYC) in financial services. In this example, the IAM-blockchain convergence would not remove the need for the central authority — in the case of KYC, a government authority — but could offer greater efficiency for both individuals and banks. A bank could “see” and attest that other banks have conducted KYC due diligence and verified the customers’ identities, all while reducing the bank’s costs.
Though the concept of full self-determination and shifting control of all attributes back to the end user long predates blockchain and IAM, DLTs have inspired several innovative designs to enable greater self-determination around personal data. Examples include consensus algorithms specifically designed for attribute reliability. Despite the potential of self-sovereign identity (SSI), some higher-risk enterprise use cases — for example, in healthcare or financial services — may always require an external authority to validate identity claims.
Decentralized identifiers (DIDs) are identifiers controlled entirely by the identity owner, independent of centralized authorities or providers. They are a component of SSI, designed to be user-controlled, non-reassignable and resolvable. This means a DID resolves to documentation of public keys and authentication protocols, and can be verified cryptographically or through an issuing authority’s signature.
Consider, for example, the opportunity these use cases offer in healthcare. The lack of communication between hospitals, insurance companies, caregivers, clinics and pharmacies prevents efficiencies, cost savings and accessibility of care. One of the core challenges underlying this problem is the identity layer. DLT-enabled use cases could achieve the following:
These use cases describe the benefits of combining blockchain and IAM, but they overlook an important reality: Identity is complicated. It is personal and increasingly biometric — and its digitization is unprecedented.
Although IAM bridges multiple domains, systems, technologies and service providers, the encoding of identity information into DLT is more than a technical endeavor. Asking questions about the data is important: What should be stored, who vouches for it, how it is maintained and who decides. These questions combine philosophical, economic, cultural and legal considerations. While the technology is still changing, it has the potential to shift the control points of identity from centralized but disconnected hubs to a decentralized and interconnected web of trust.