Digital Identity Today is Broken — But We Can Fix It
Six Companies Defining the Future of Identity
The ways we create and manage our identities in our increasingly digital world are broken. We have separate credentials for nearly every service we interact with, but often reuse the same simple passwords, leaving ourselves vulnerable. Our credentials and sensitive data are then stored in databases with thousands or millions of other users, creating attractive targets for hacking and theft.
We experience all of the problems of fragmented, siloed identity systems — yet reap none of their promised benefits, such as increased privacy or diffused risk. In the cases where we do have relatively secure, integrated identities to which we attach lots of personal information, these identities are in reality owned by massive companies, like Google or Facebook, who can revoke our access at any time.
There are better paths to follow. It is possible to create a future where our identities are more secure, easier to use, and under our control. Here are six companies laying the groundwork for that future:
You know how when we create accounts for certain apps or services — especially sensitive ones relating to money — we’re asked to enter our phone number? Then, they send us an SMS with a string of numbers (a one-time passcode) that we enter to confirm that’s really our phone number? That’s called “2-Factor Authentication”. It’s good from a security standpoint but it can also lead to frustration or just giving up altogether.
Enter Averon. They’ve done integrations with all the mobile phone networks in the US, so the whole verification process can be done automatically and instantly in the background, without any action required from the user. As a straight replacement for traditional SMS-based one-time passwords, it’s already a no-brainer. Should they manage to deliver this paradigm in some adjacent areas, it’s really going to blow folks away.
Blockstack empowers users to create and manage our own identities from our own devices. In fact, Blockstack’s vision goes far beyond just identity: they’re trying to re-invent the Web itself around decentralized applications, putting us back in control of our data and providing better security, privacy, and reliability for our digital activities.
Leave aside any philosophical or ideological ideals around why people should be able to own and control their digital identities; user-owned identity is a desirable model for many businesses — especially in the financial and healthcare industries — where possession of personally identifiable information (PII) can become a liability rather than an asset.
Think about all the hacks we’re seeing of various large companies and government agencies every other week. Blockstack enables a future where data thefts are both less attractive to hackers and also less damaging to companies and their customers, because sensitive data is stored under the control of each individual rather than in centralized repositories.
Social Security Numbers are horrifically insecure, acting as both username and password in many settings, and being collected and stored by nearly every employer, financial institution, telecom company, or healthcare provider with which we interact. Our SSNs are virtually guaranteed to be stolen at some point. So what can we do about it? Insert Civic.
Civic’s initial product is an identity theft protection service, similar to LifeLock or ProtectMyID but at a much lower cost (the basic plan is free, a more full-featured standard plan is only a few dollars per month). Civic also takes this a step further, building out a fraud prevention network, where partners like banks or telecoms check with Civic before putting in a request to one of the credit reporting bureaus. Civic then pushes an alert to your phone, giving you a chance to approve valid requests or proactively block fraudulent ones — it’s like adding two-factor authentication to your SSN.
Like Blockstack, Civic also has a bigger vision that includes letting users independently interact with various services using a verified digital identity registered on a blockchain.
Every website we visit, video we watch, and purchase we make is being tracked by a variety of companies who then sell our digital profiles to a variety of advertisers. Even our internet service providers (ISPs), through whom all our data flows, have been cleared to sell our web browsing history without our consent. What is most concerning isn’t necessarily that this data is being collected, but that it’s being done without our permission, without our control over who it’s shared with, and without our receiving anything in return.
DataCoup is trying to put us back in control of our data, letting us collect it from the social and financial apps we already use, then allowing us to sell access to it as part of an anonymized data set. We get more control and compensation; advertisers and researchers get more complete profiles to work with. The transparent, consensual, and mutually-beneficial exchange of personal data is a welcome alternative to the unilateral privacy-violating tracking done by creepy ad-tech companies.
Enigma is like a B2B version of DataCoup, using advanced cryptographic techniques. Instead of selling access to anonymized data sets, Enigma makes it possible to allow certain analyses to be run directly on encrypted data, without worrying that the data might then be stolen or passed along to other parties without the owner’s consent.
Founded by MIT alums and built on technology developed in the MIT Media Lab, Enigma does something called secure multi-party computation and does it an order of magnitude more efficiently than previous approaches. This makes it possible for Company A to allow Company B to conduct certain types of analysis on Company A’s data, without Company B ever having unencrypted access to the data itself. Data privacy: delivered.
It’s hard to say we really control our own identities if the data associated with them can’t be trusted. Tierion provides tools to link identity attestations and other data to a blockchain, so that their integrity can be proven without the involvement of a third party.
How does this work? At a high level, Tierion lets companies make a single entry on a public blockchain to “notarize” as many pieces of data as they want, then generate receipts that can be given to users or auditors to let them verify the existence and integrity of any specific data point.
While most businesses are going to want to use Tierion’s API to get up and running quickly and painlessly, everything is built on top of an open standard called ChainPoint, largely designed by Tierion’s founders. That means that you don’t have to worry about vendor lock-in or Tierion going out of business, because anyone will still be able to independently create and validate proofs adhering to this standard.
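A common way to build the "one blockchain entry, many receipts" flow described above is a Merkle tree, which is what this added example assumes. It is not Tierion's code or the ChainPoint receipt format; the function names, the receipt layout and the sample records are constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_receipts(records):
    """Return (root_hex, receipts). Only the root needs to be anchored on-chain;
    each receipt is the list of sibling hashes from one record up to that root."""
    if not records:
        raise ValueError("nothing to notarize")
    level = [h(b"\x00" + r) for r in records]      # 0x00 prefix marks leaf hashes
    groups = [[i] for i in range(len(records))]    # record indexes under each node
    paths = [[] for _ in records]
    while len(level) > 1:
        nxt, nxt_groups = [], []
        for i in range(0, len(level), 2):
            if i + 1 == len(level):                # odd node: promote, never duplicate
                nxt.append(level[i])
                nxt_groups.append(groups[i])
                continue
            left, right = level[i], level[i + 1]
            for leaf in groups[i]:
                paths[leaf].append(("right", right.hex()))
            for leaf in groups[i + 1]:
                paths[leaf].append(("left", left.hex()))
            nxt.append(h(b"\x01" + left + right))  # 0x01 prefix marks interior nodes
            nxt_groups.append(groups[i] + groups[i + 1])
        level, groups = nxt, nxt_groups
    return level[0].hex(), paths

def verify_receipt(record: bytes, path, anchored_root: str) -> bool:
    """Recompute the root from one record and its receipt; no third party needed."""
    node = h(b"\x00" + record)
    for side, sibling_hex in path:
        sibling = bytes.fromhex(sibling_hex)
        node = h(b"\x01" + (sibling + node if side == "left" else node + sibling))
    return node.hex() == anchored_root

# Constructed sample attestations (not real data).
RECORDS = [b"alice:email-verified", b"bob:over-18", b"carol:address-verified",
           b"dave:kyc-passed", b"erin:email-verified"]
ROOT, RECEIPTS = build_receipts(RECORDS)

if __name__ == "__main__":
    print("root to anchor:", ROOT)
    print("bob's receipt verifies:", verify_receipt(RECORDS[1], RECEIPTS[1], ROOT))
    print("altered record verifies:", verify_receipt(b"bob:over-21", RECEIPTS[1], ROOT))
```

The verifier needs only the record, its receipt and the anchored root, so an auditor can run the check without contacting whoever issued the receipt.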
We believe these companies are among those leading the way toward a positive and inspiring future for identity. To propel innovation in this space even faster, we’ve invited all of them to participate in Mosaic, a digital identity lab we’re launching out of IDEO CoLab.
By working together, we’re going to help them apply their products and technologies to some of the thorniest identity issues raised by leading designers, technologists, and corporate innovators, who we’ll be announcing in the coming weeks. If you’d like to join us on this journey and build with these companies, get in touch.
Together, we’re going to move towards building more usable, secure, and human-centered identity systems. Watch this space.