What we do: Identity as a Service

Alan Mitchell
Mydex
Aug 27, 2024

This blog is fourth in a series explaining how Mydex’s personal data infrastructure works. It explains how our platforms help deliver our mission of empowering individuals with their own data: how it enables them to use this data to manage their lives better and assert their human rights in a practical way on a daily basis.

Blogs in this series are:

  1. What IS a Personal Data Store?
  2. Personal Data Stores and Data Sharing
  3. Connecting ‘data about me’ to the world around me
  4. Identity as a Service

Thirty years ago, when the Internet was still a new thing, a joke started doing the rounds. “On the internet,” it said, “nobody knows you’re a dog”.

It was a flippant comment but it was also amazingly prescient. The issue of knowing who the other person is at the end of the line has continued to dog the provision of digital services ever since.

When you see a friend or family member in the street you can recognise them instantly. In that instant, your brain processes dozens of cues relating to their facial features and expressions, their voice, size and weight, gait, mannerisms and gestures, so that you ‘just know’ it’s them. It does these things so fast and accurately that it seems incredibly simple. But it is not, as robotics and AI practitioners have discovered to their cost over many decades.

None of the cues that our brains process so brilliantly are available when you deal with another person remotely, online. Hence that early Internet joke.

For a society and economy that does more and more things online, this is incredibly important. It’s not just about fraud, though that is a big and ever-present danger. It’s also about simple practicality, efficiency and quality. If people and organisations want to do business with each other online, they need to be able to recognise one another. The whole issue of online or ‘digital identity’ is a sine qua non of all online service provision: without being able to recognise people when they sign up to and use an online service it’s impossible for that service to operate.

Mydex personal data stores are helping to solve this problem, in two ways.

Two meanings of ‘identity’

Before we go any further, there’s one big source of confusion that we need to address. In the context of online interactions and transactions the term ‘digital identity’ is commonly used to mean two very different things. In many conversations and debates, people move seamlessly from one of these meanings and back again without even realising they’re doing it. The result is endless confusion.

One of these meanings is knowing (or at least being pretty confident) that the person (or organisation) that you are dealing with is who they say they are. This is the whole area of identity assurance (sometimes called identity verification). Like all those cues of sight, sound and behaviour that we use to recognise our friends and family, this can involve gathering quite a lot of information about the person and ‘binding’ it to them. So, for example, if you know their name and address and age and that they have this passport number and that driving licence number and so on, the more bits of information you have about them, the more confident you can be that they are who they say they are.

The second meaning of identity is more mundane and administrative, but perhaps even more important. It’s about simply recognising them when they turn up at your front door — when they log in to a website or app for example. This, we call identity authentication.

The two may be connected. For example, a bank might go through a process of identity assurance when first providing a customer with a bank account. At this stage the bank needs to have lots of details about who the person is. But once that process is complete, all the bank needs to do is recognise that customer when they return to use the service by, for example, use of a username and password and/or other authentication steps. This is the identity authentication bit.

On the other hand, identity assurance and identity authentication might not be connected at all. With some types of service, say when you are subscribing to a newsletter, the service provider doesn’t really need to know who the person is at all. All they need to know is if it’s the same person returning to use that service. In this case, the person could just as well use an invented name such as Mickey Mouse, along with a password like M-Mouse and it wouldn’t really matter. The service could still operate.

Once the ‘relying party’ (the party using the authentication) knows that the person is using the same identifiers, they can then map their activities, records, specific preferences etc to that individual, for their use of the service, without necessarily knowing who they actually are.

Mydex’s role in identity

Mydex’s personal data store infrastructure makes a fundamental contribution to both types of identity challenge. By enabling individuals to amass large quantities of verified attributes (sometimes referred to as verified credentials) about themselves, and to share these verified attributes easily, quickly and safely, our personal data stores go a long way to solving the problem of identity assurance and verification, without the need for privacy-invading processes such as ‘identity cards’. You can see more detail about what we do on this front here.

However, the focus of this blog is on the second, practical, administrative matter of identity authentication — what all of us have to do many times a day when logging in to different types of online service.

Here, the current state of play is … a complete mess.

It grew into this mess quite naturally. First off, in the very earliest days of online services, service providers had to recognise customers when they logged in, used and returned to the service. So they invented the username and password.

It’s a pretty neat solution, except for one thing. Every different organisation created its own bespoke process for recognising people when they use a service, requiring individuals to invent (and remember) hundreds or perhaps thousands of different usernames and passwords. (Or, for the sake of convenience, they could use just one username and password, in which case if they ever got hacked the hacker would have access to every single service they had ever used).

This organisation-centric ‘bespoke solution’ to identity authentication multiplied costs and complexity for both people and service providers many times over. Most service providers had no desire to be in ‘the username and password business’ but took it on simply because they had to. It was a cost of doing business.

Then, monopolist digital platforms like Google and Facebook spotted a market opportunity. “If you log in to our service we can use the credentials we have created for you to log you on to other services!” In this way, individuals didn’t have to remember hundreds of different usernames and passwords, and service providers could get out of having to manage their username and password business. How convenient! Social sign-in was born.

On the surface, it looked like an ideal win-win. But there was only one drawback to this ‘solution’ and it is an ABSOLUTELY HUGE drawback. It delivers privacy ‘bleed’ on a gargantuan scale. By letting the digital monopolists provide ‘social sign-in’ services, individuals effectively give them permission to track their movements across the entire internet, gathering data about everything they do online — all to further concentrate power and profits in the hands of these monopolists.

Social sign-in is one of today’s volcano issues and scandals, just waiting to blow up as and when people begin to realise just how deeply invasive and pervasive and exploitative it is — all to escape the inconveniences and costs created by the first faulty attempts to solve the identity authentication problem in an organisation-centric way.

Where Mydex fits in

With Mydex’s Identity (authentication) as a Service (IDaaS) the core idea of social sign-in (e.g. only having to log in once to access many different services) is still achieved but without any privacy bleed. In fact, the goal of a single log-in is achieved while enhancing individuals’ rights and control.

It works like this. When an individual gets their personal data store they set up a username and password by which Mydex can recognise them when they log in (i.e. no different to any other service provider). They have this for life. Then, once the individual is logged in to Mydex they can use Mydex’s connections with other services that are connected to Mydex to automatically log in to those services too.

This means that individuals can flow from one service to another without ever having to log in to these other services — because all the handshakes are working for them, automatically, behind the scenes, not getting in the way of what they are trying to do.

But this time, there is no data surveillance. Mydex is not tracking the individual anywhere. It is not collecting any information about where they go or what they do online. It is simply using the fact that it has established a secure connection with another service to open a gate and let the individual through, if and when they want to pass through that particular gate (i.e. to that particular service).

Service providers can still minimise their involvement in the username and password service but with an added benefit that, in using Mydex’s IDaaS they are not handing over oodles of data about their customers to Silicon Valley digital monopolies. Any data generated by the transaction or interaction goes into just one of two places: into relying parties’ own systems or into the individual’s personal data store. Never to a third party, including Mydex. That’s because Mydex cannot see any of the data that goes into the individual’s personal data store as explained here.

The result is that both sides benefit from both convenience and efficiency and added safety. Why added safety?

Originally, identity authentication systems were established by organisations to protect their own digital front doors. They were designed to protect the safety of the organisation, not the individual. The Mydex approach is designed to help individuals protect their digital front doors. It’s about empowering citizens with agency; with the information services they need to make their way efficiently and effectively within a complex world of service provision.

Because data about interactions is stored in the individual’s PDS, every time the Mydex ID is used it creates a log which the individual can inspect. For example, it could alert them to the fact that somebody has tried to use their ID to log in to a service. In this way, the individual gets an audit trail of every use of their Mydex ID. This information is held in their PDS for their use alone, away from prying eyes — information that is NOT handed over to the likes of Google or Facebook.

Just to emphasise: This is data that Mydex itself cannot access because each individual has their own private encryption key to their own PDS. This means that while Mydex holds the data (in encrypted form) in its systems it cannot actually ‘see’ its content.

Extra added value

The above provides a simple summary of Mydex’s Identity as a Service model. But there is more to this simple service than meets the eye.

First, individuals can increase the security of their interaction if they want to, by adding in extra layers of security. They can, for example, require a ‘multifactor authentication process’ whereby an additional piece of information is used to authenticate their identity. This could be a one time code sent to their phone, an email, or from an authenticator app.

Second, the individual can also add other identifiers like email addresses and mobile numbers to their MydexID to protect them from use by anyone else. Registering multiple email addresses and mobile numbers also allows the individual to select any of these alongside their core MydexID itself to login, because they are all linked together. This delivers greater security and protection and also overcomes those issues where people lose access to an email or mobile number. Now they always have back-up routes for accessing their MydexID and linked services.

Third, individuals can set preferences about where notifications may be sent to them, for example a specific email address, a mobile number, or both. Each person has different ways they prefer to get notifications. This gives them the ability to make that choice independently of any relying party (service provider).

This is NOT about giving service providers the power to create hoops for individuals to jump through. It’s about enabling individuals to add extra layers of security if and when they feel they need to. It’s about putting the individual in control.

Fourth, there may be occasions when an individual wishes to log in to a service provider (such as a researcher or survey outfit) where they share information about themselves but want to do so anonymously. They can use their Mydex ID to do this. This is because, along with the Mydex ID comes what we call a ‘universal unique identifier’ (UUID) which hides their Mydex ID and contact details from the service provider.

This UUID acts like a wrapper that hides what is inside. It provides the same guarantees as those provided by the username and password but without actually providing these actual identifiers. It can be used by the service provider to recognise that it is the same person returning to the service without actually knowing who that person is.

This enables researchers who want to participate and work with someone over a period of time to see changes in their behaviours/life without actually knowing who they are. And it enables individuals to participate in such research, safely and securely.
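The recognise-without-identifying property described above, as an added sketch that is not Mydex's code. It assumes the provider derives the opaque identifier per service with a keyed hash (the post does not say how the UUID is generated); the key, login identifier and service names are constructed.

```python
import hashlib
import hmac
import uuid

# Constructed demo key. Assumption: the identity provider holds one secret
# used only for deriving pseudonyms and never shares it.
PROVIDER_KEY = b"constructed-demo-key"


def opaque_id(login_id: str, service: str, key: bytes = PROVIDER_KEY) -> str:
    """Stable, UUID-shaped pseudonym for one person at one service."""
    msg = service.encode() + b"\x00" + login_id.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return str(uuid.UUID(bytes=digest[:16]))


class Service:
    """Relying party: stores data under the opaque ID and nothing else."""

    def __init__(self, name: str):
        self.name = name
        self.records = {}  # opaque ID -> list of answers

    def receive(self, pseudonym: str, answer: str) -> int:
        """Store an answer; return how many this pseudonym has given so far."""
        self.records.setdefault(pseudonym, []).append(answer)
        return len(self.records[pseudonym])


def demo() -> dict:
    login = "alice@example.org"  # constructed; never sent to any service
    survey, clinic = Service("survey.example"), Service("clinic.example")
    survey.receive(opaque_id(login, survey.name), "week 1: sleeping badly")
    visits = survey.receive(opaque_id(login, survey.name), "week 6: improving")
    clinic.receive(opaque_id(login, clinic.name), "appointment booked")
    return {
        # The survey recognises the same returning person.
        "returning_visits": visits,
        # The two services hold no identifier in common, so cannot link her.
        "linkable": bool(set(survey.records) & set(clinic.records)),
        # The login identifier never appears in what the survey stores.
        "login_exposed": any(login in key for key in survey.records),
    }


if __name__ == "__main__":
    print(demo())
```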

Fifth, the system allows identity authentication to work ‘in reverse’ where, if they have already signed in to a service that’s connected to the Mydex IDaaS, individuals can use the fact that they have logged in to this service to also log in to their personal data store (PDS). There, they can add and update data and manage their preferences, including things like adding more Multi Factor Authentication Options and approving connections between their PDS and subscribers adding data.

Further Benefits

Service providers further benefit in a number of ways. As well as not having to operate their own username and password business, they can use the Mydex ID to connect to the individual’s personal data store (if the individual wants them to connect). This opens the door to safe, secure, permissioned, two way data sharing.

For example, if the individual already holds a profile about themselves in their PDS — a profile containing data usually held in a service provider’s ‘My Account’ functionality — then the individual can simply click a button to provide that information to the service provider. No more having to fill in online forms!

This makes the process of onboarding onto a new service much easier, quicker and safer, especially for smaller organisations.

Service providers can also trigger multi-factor authentication processes if they require it — as do most banks for example. In particularly sensitive situations, it is also possible to create unique identities that only work for that particular transaction and cannot be reused once that transaction has been completed.

Conclusion

Thirty years ago, it was a joke that people didn’t know who they were dealing with when interacting online. Today, it’s no longer a joke. It’s a massive cost and hassle for millions of people and organisations alike. These costs and inconveniences are being gamed and abused to an absurd extent by both fraudsters and monopolists.

But there are ways to solve this problem safely and efficiently. And Mydex has found a way to do just that.
