The way we use our ID has significantly changed as we use it more frequently, across geographical boundaries and increasingly online. This creates new challenges for ID-Management. We will explore how crypto-technology, notably blockchain and zero-knowledge-proof could impact the way ID is being used. Further, we will see to which extent Crypto-ID would contribute to improve the manner in which ID is managed.
by: Frank Roessig
featured: Frank Roessig, FinTech Lead at Telindus, Proximus Luxembourg
Identity management impacts our daily lives, as most activities require us to be identified. Buying a product entails being identified to pay securely. Going to work means being identified as a person authorized to access the premises as well as the virtual workspace. Administrative procedures demand that we show our ID. The same applies to travel, medical treatment and other services. Most of our devices, like smartphones, notebooks or tablets become usable only once we identified ourselves. Most online activities, like search engines, messaging and social networks, are founded on the tacit deal that our actions as identified individuals generate data that finances this service.
As we see, identity management is an omni-present need. On one hand, it protects us, as individuals, from having others access our information, rights or items. On the other hand, identity shields organizations from fraud but also enables administrations to monitor and detect illegal activities.
On top of the scope, the frequency of identity usage has likewise hugely increased. While a century ago, most people would barely use some kind of identification once a week, presently, we use some form of ID multiple times per day.
This makes sense, since technology enabled the evolution from a local society in which most dealings were done with personally known people, to a global village where transactions are done with unknow counterparts, some of them actually being machines. In this context, trust is a key to enable global transactions, and one of the pillars of this trust is to identify who you are dealing with.
But this evolution creates challenges for traditional ID-Management: Centralization, Lifestyle, Convenience, Control and Security
There are clear limitations of the classic IDs delivered by a central authority: the ID-card, passport or birth certificate that actually sit at the heart of our identification. But this also applies to other, centrally delivered IDs, like university degrees.
Indeed, here we are dependent on a central authority to provide us with this identity. This may at times be a cumbersome and long process that can be marred by inefficiencies. As an example, one division of the central authority provides you with an ID, but another division delivers the authentication. In some cases, corrupt administrations may abuse their position to ransom individuals for the obtention or the authentication of ID. Moreover, authoritarian governments can hold their citizen hostage by denying them an ID and thereby hugely restricting their freedom. Hence, centralization is a source of dependency that can complicate life. The lack of usable ID is undeniably a factor of exclusion from economic life, education and even medical treatment. This is significant as the UN estimates that 1.1 BN people have no ID.
Our lifestyles have fundamentally changed. During the past 30 years, a growing portion of our lives happens online. We shop online, we work from any location, we obtain administrative documents via web-portals, we communicate and meet online. Even complex services like medical consultations or notarization are moving online. This requires an online ID. With the advent of smartphones and other devices, the expectation is to use services across devices, which in turn begets a multi-device ID capacity. Also, the boundary between online and in-store are getting blurred. Indeed, in a phygital ecosystem, users seamlessly move from one to the other. This creates another challenge to operate linked online-to-offline ID-systems.
Further, people move more: they are born in one place, go to school in another, study in two cities and had jobs in three countries. This means that they are exposed to multiple layers of ID jurisdictions.
Users have a clear propensity for convenience. While formats have improved, carrying around a photo ID is simply bulky. Today, people expect to carry all we need in one device: A smart phone or smart watch. They expect to choose their channel, follow an intuitive process plus receive immediate gratification. But convenience also entails the ability to use intelligent services to which decisions are delegated. An example would be the PSD under which a client can authorize one bank to use their credentials to access all their other bank accounts to show an aggregate view on their financial situation and to progressively collect amounts across accounts to fulfill a savings target. Another example would be a shopping robot that would screen various shops to buy certain goods at given prices.
This type of user-experience must be enabled by ID but at the same time, the ID is not allowed to stand in the way!
Control is another problem for users. Sometimes, more information than necessary is provided. There are circumstances in which one must only prove their age but nevertheless provide ID information that is far exceeding that requirement. Often, we actually have no clue on what is done with our information, who is using it and how it is stored. While legislation like GDPR empowers us to have more control, the enforcement is generally not very practical.
Security lies at the core of ID-based trust and is therefore impacted from multiple angels.
Physical ID-documents or authentication can easily be re-used once stolen. Indeed, it is quite difficult for a person who is untrained to detect fraud based on simple photo ID.
Further, centralized digital IDs or ID services fast become honeypots that attract hacker attention. The successful theft of social security numbers and other personal data items that can easily be bought on the dark web, are a testimony to the weakness of centralization. Worse, in most cases people are not even aware that pieces of their ID have been stolen.
Yet, omni-channel systems open multiple attack points that can be targeted and must therefore be secured.
ID-Management has evolved over the years in view to enable our new way of life. Governments have created e-services, many online merchants enabled secured access and especially financial service providers offer easy plus secure payments. One good example is Strong Customer Authentication (SAC) driven by the Payment Services Directive 2 (PSD2) and that must be enforced by the end of 2020. It is based on something the client Has (i.e. a password), Owns (i.e. a smartphone) and Is (i.e. fingerprint). This combination permits dual-factor (2FA) or multi-factor authentication with a minimized friction for customers. This approach is also used for other services that go beyond payments.
In a concrete example, the user would instruct an online-shop payment through a notebook they own and on which they would have signed in using their password and then confirm by entering a code received on their mobile, which they accessed biometrically. This illustrates well how many IDs are necessary for a simple transaction.
These technologies are not necessarily new but their deployment should warrant a minimum quality level for digital identity usage. Indeed, we are lightyears away from having to physically go to a shop, sign a check and show our ID in order identify ourselves to complete a transaction.
Cryptographic ID-Management, notably blockchain (BC) and zero-knowledge-proof (ZKP) technology beholds the promise to further improve the way ID-Management is conducted.
Just to frame the basics, blockchain technology is founded key components: A chain of immutable and time stamped data blocks, A cryptographic protocol that allows for adding an information layer on the chain and distributed ledgers on which the data is stored. ZKP enables to share a verifiable proof of an information without actually having to providing that information.
There are many initiatives promoting Crypto-IDs. The W3J is at the center of a project to use Decentralized Identifiers (DIDs) that are part of a Decentralized Public Key Infrastructure (DPKI). Basically, an ID owner generates a DID representing their ID and shares it. The person receiving the DID, can then verify it on the public infrastructure through a universal resolver. Microsoft is building on this initiative to test a decentralized ID on bitcoin. The idea behind using a public network is that an ID-Owner would own their online sign-in IDs so that even if, for example, a social network was to close the account, the ID-Owner could continue to access all the services she uses through that social network.
Many others projects are founded on the notion of Self Sovereign Identity in which an ID-Owner uses a wallet stored on their device that keeps ID information. The ID-Owner can then share proofs of ID with chosen counterparts by providing them with cryptographic keys. These crypto-keys could be structured to provide access to partial ID-information and/or for a limited time.
The basic process entails an ID-Owner who generates a proof and shares this proof plus a usage consent with a Verifier. The Verifier then authenticates the proof with a trusted source, the Authorizer. The Authorizer can be the central entity that issued the original ID. But it actually suffices that it is considered by the Verifier to be a trusted source of truth. This may not necessarily the issuing authority. While it may be sensible to authenticate a passport with the issuing administration, a Verifier may for example choose to do so with an airline that the ID-Owner frequently uses.
It is generally advised that the ID-data itself is NOT stored on the chain but only encoded, meaning hashed ID-Data, and or metadata are stored on-chain. This is due on the fact that there are still doubts regarding the scalability of a blockchain infrastructure as well as on the compliance with data regulations, notably the right to be forgotten.
But we could go one step further. Most ID contains core data, for example a passport with first and family name, date and place of birth plus nationality or a degree with the first and family name, the university, degree and marks. Instead, the ID could be based on a biometric feature, behavioral signature, a network endorsement or a combination of all three. A biometric feature could be the hash of a retina that could then be combined with name and birth information. A behavioral signature could be the smartphone action profile that can be quite difficult to replicate. Network endorsement would be the digital proof given, for example via e-signatures that the ID-Owner is authentic. Here blockchain helps by creating an immutable reputation history that the ID has always been true and not abused. These Self-IDs are clearly independent from a central authority and rely on networks. In a certain sense, a person could start building their ID, even if a central authority is not able or willing to provide it to them. This approach is actually quite disruptive in that it completely departs from the current foundations of trusted ID.
Let’s now look at the promise that Crypto-ID could address the abovementioned challenges.
Crypto-ID enables individuals to actually create their own proof of ID independently from any central authority, by for example using a smartphone. They can then share this directly with somebody who can verify against a trusted source. Now, in most cases the ID-Owner still needs a central authority to emit the initial ID. But after the issuance, the ID-Owner could manage their ID independently from that central authority but would still have to rely on Authorizers. Self-IDs, in contrast, mainly require networks to act as source of trust.
If someone would want to rent a flat, they could simply provide the landlord with a proof of ID and employment that states they earn a minimum required amount, instead of having to provide a full copy of their passport plus employment contract. The landlord would simply have to authenticate the proofs with the respective authority and employer. Potentially a network of landlords and renters could confirm this authentication.
Persons who are currently on zero-ID and are not supported by their central authority could now build their Crypto-ID and be authentified through alternative sources of trust. This is a real progress if it gives them access to basic services like the opening of a bank account.
When it comes to our lives spend online and physically across jurisdictions, we can see that Crypto-IDs are lifestyle enablers as they allow to use and verify ID in a fast manner across geographical and online boundaries. An ID-Owner could open a new bank account based on proof of ID without having to share their full ID. Or a candidate would be able to share a proof of degree with an employer who could submit it to a public chain to authenticate the proof as correct degree. As such the candidate would avoid having to wait for a document certification by their university.
Things become less evident when we look at Convenience. The use of Crypto-IDs can indeed significantly smoothen and speed-up the execution of a service. Also, DIDs are a great tool to access multiple online services, notably through platforms, while warranting continuity. But the set-up and management of Crypto-ID is often not that easy. Most Crypto-IDs are still in an early stage. This means that the set-up of such an ID is complex and the way it functions not completely clear to participants. Even, if the creation of a Self-Sovereign wallet can be fast, its use heavily depends on the size of the network willing to accept it. The lack of standards and easy-to-use Crypto-ID systems make it difficult to attract a broad set of users. Indeed, today mostly IT-savvy users carry Self-Sovereign wallets and even fewer organizations accept this type of ID.
“Crypto-ID can enable our lifestyles and even open the door to new trusted forms of ID.”
Control is clearly an aspect where Crypto-ID is beneficial. The ID-Owner creates their proof, can decide which information to disclose with whom and also revoke access.
Let’s for example take Alice who wants to go out at night and only carries her smartphone. She generates a proof that she is over 18 and has no criminal record. When arriving at a club, she just shows a QR code representing the proof at the door to a reader that will verify that she can enter and the door will instantly open. The advantage, is that she is in control and enjoys an easy journey. The club has complied with legislation without seeing any personal information and therefore has a very limited data risk. Also, Alice could see on-chain, with whom the club has verified the proof.
With delegated services, Crypto-IDs allow the ID-Owner to trace how their ID is used and when to stop. A Financial service provider could use credentials to open accounts and do investments in the clients’ best interest. The client could at all time trace with which investment providers their ID is used.
The ability to control the use of ID actually beholds the potential to impact the data economy. The IP address is one’s internet ID and likewise, device addressed are IDs. If the usage by third parties of these IDs and other forms of ID elements is tracked and logged on a blockchain, it would be easier for an IS-Owner to select who can use their IDs and potentially impact the monetization.
From as security perspective crypto-technology adds interesting features. A distributed ledger infrastructure minimizes the honeypot temptation of central data servers for ID theft. It is more difficult to change and falsify ID-information on multiple servers at the same time and moreover it has so far not been possible to break the blockchain immutability.
The traceability of blockchain also offers the advantage that if a proof is used in an inappropriate manner, the ID-Owner becomes aware. By monitoring the usage of our Crypto-ID, systems could actually detect unusual patterns that would create alerts for the ID-Owner and others on the network.
We can see that Crypto-ID can contribute to independence, enable our lifestyles and significantly enhance the control we have. It even opens the door to new trusted forms of ID. From a security viewpoint Crypto-ID offer interesting qualities that must be put into perspective as security is a never-ending cat and mouse game where every new feature potentially opens new attack points. But Crypto-ID is not a magic bullet as central authorities will most probably remain the primary source of truth and even a trusted network can limit the freedom of an ID-Owner if for some reason it stops endorsing her ID. The convenience is still sub-optimal and is a major hinderance for the uptake the broad mass of users.
It requires evangelists, pioneering companies and technology providers to kick-off a new solution like Crypto-ID. Telindus, a Proximus Luxembourg brand, as a technology enabler, is active in various initiatives that drive new business models and improve user experience. This is the case with KYC that is often a burdensome activity, notarization and traceability. As an example, Telindus with the Luxembourg CTIE launched NotarChain, a chain that allows to verify notarization logs through hashes on-chain and thereby makes the process easier and faster. A similar system could also be used for ID-Document or degree management. Courageously, Luxembourg took first steps towards Crypto-based public services. In the field of KYC, Telindus is building Shared-KYC solutions, in which a person only has to do their KYC once and then consents to this information, including Shared-ID, to be distributed to authorized parties. This represents a huge gain in productivity and convenience. Here, crypto-technology ensures that this personal data is shared in a secure, compliant and controlled manner. Clearly, Shared-ID, is a building block on the road to Self-Sovereign Crypto-ID.
Hence, we may expect Crypto-IDs to enter our lives as a behind-the-scene technology that will be visible as mainstream features. And we should be open to surprises. But quite certainly, in the near future ID sharing and authentication will be immediate and under the stronger control of the ID-Owner…
The article is sponsored by Telindus and reflects only the opinion of the author.