Self Sovereign Identity and blockchain: How will they revolutionize the IAM issue?

Shashwatee Nanda
Published in McKinley & Rice
Sep 18, 2021

Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. With an IAM framework in existence, information technology (IT) managers have control over users’ access to critical information within their organizations.

The challenge of identity and access management

Today, almost 60% of all major IT firms admit that IAM has become increasingly important to protect against outsider cyber threats and ensure that the right users have access to the right information. Here’s a glance at a number of the more significant IAM challenges.

1. The prevalence and ease of access to non-public data: Many personal profiles on social media leave little to the imagination, while email addresses and phone numbers are easily accessible with the click of a button. Cybercriminals not only easily steal this type of data but also find businesses on the black market where personal information can be easily purchased.

2. Reusing passwords: Passwords are now required to maintain and manage any online account. However, since users tend to reuse the same password for multiple accounts, if one account is compromised, the others are often easily compromised as well.

3. Multi-factor authentication: Furthermore, multifactor authentication is not foolproof and is usually deployed for high-value applications, which makes those applications a target for sophisticated attackers in search of the potential benefits to be reaped.

4. Cloud applications: The use of cloud-based applications has grown substantially, enabling a worldwide, interconnected workforce powered by cloud technology. However, when several different cloud systems are used, it becomes a challenge to ensure that the right people have access to information. This can leave valuable, classified information up for grabs and agencies susceptible to hacks.

5. A centralized, authoritative IAM repository: Nowadays, every organization needs a central repository of its intellectual resources. As centralized IAM databases are extremely high-value targets, management must weigh the potential risks of centralizing critical data so that appropriate countermeasures can be implemented.

So, what’s the solution?

Good IAM practice dictates seamless, controlled access and rights for each user on the network. While many agencies may have IAM best practices in force, they are only effective if they are strictly followed across the organization. Unchecked or mismanaged exceptions and exemptions to IAM policies and rules are the commonest reasons for compromised data. While multifactor authentication will eventually become present everywhere, those who implement it will constantly have to balance security compliance and operational flexibility.

We will focus on how digital identity applies to living and breathing human beings. It is going to be interesting. Digital identity can apply to an organization, an application, a device or a person; in this context we are concerned with people.

Digital identity is a set of information relative to a specific person that allows them to prove their details. It can be used as a general validation for any identity claim and might find several applications such as medical records, voting, taxation or border crossing.

Before we start to explore how blockchains are relevant to digital identity for human beings, let’s focus on the concept of identity itself. The UN’s convention on the rights of the child grants every living person the most basic human right, the right to have an identity. It typically consists of one’s name, date of birth, nationality and state identifier which can vary from country to country.

Without having their identity confirmed, a person cannot vote, work legally or own property. Traditional government-level management of identity is centralized, which means that the process of issuing and validating is exclusively performed by state-authorized entities. The same pattern appears online: if you want access to various social media websites, you need to create a separate account for every single one of them. By doing that you entrust your data to a third party that can further relay it to other entities. This can significantly reduce the level of control you have over your personal information.

In this dynamic world, users are demanding more control of their identities and a decentralized digital ledger like blockchain can grant that control by requiring minimal information for each transaction that needs authorization.

On the other hand, a biometric-based solution such as Aadhaar (India) or National Biometric Identifier (USA) not only centralizes a wealth of sensitive data but also becomes a significant target for malicious actors. Additionally, a multimodal biometric solution calls into question the constitutionality of such a capability with respect to privacy.

What is even more concerning is that your information might later be used in ways you had not previously thought possible. That was the case with Cambridge Analytica, the well-publicized case of a serious privacy breach at Facebook. Cambridge Analytica’s (CA) Dr. Alexander Kogan developed a mobile app that harvested Facebook users’ data. Even though the claimed purpose was purely academic, it was later revealed that the gathered information was used to create psychographic maps, something very useful for targeted advertising. Facebook and CA were accused of a data breach; Facebook claimed it had been misled as to the purpose of the data collection.

In response, CA said that commercial use was explicitly included in their terms of service. The case is still pending and, apart from being a clear example of personal data abuse, it raises another concern: the lack of transparency. It is really difficult for people to control what happens with their details once they have been given to a third party.

This brings us to another fundamental issue associated with centralization: the potential for identity theft. Because data such as passport numbers, Aadhaar card numbers or credit card details are stored on a centralized server, they are extremely prone to cyber-attacks, and that is where blockchain steps up as a potential solution.

Self Sovereign Identity and blockchain:

Let’s look at the following aspects of blockchains in handling personal ID data: integrity, security, simplicity and privacy.

Trustless- A blockchain is typically described as trustless, thanks to its distributed ledger mechanism. All the data, regardless of its purpose, is maintained and verified across numerous participating nodes. This eliminates two fundamental human-related causes of tampering: negligence and malevolent action. It is up to the various consensus mechanisms to make sure that multiple nodes sign off on a decision before it is accepted as valid. Distributing the data through a peer-to-peer network makes it possible to keep the information consistent and up to date.

Integrity- This is a core component of the larger concern known as data integrity. Integrity matters because tampering with such public records can affect citizens, businesses and public services. By indexing the stored data with hashes and putting those hashes on the ledger, we can prevent this scenario: if any piece of data is changed, its hash no longer matches the one recorded on the blockchain and the data is rejected.

Security- In addition to ensuring integrity and removing the need for trust inside the network, blockchains provide security and data encryption. This can be achieved by using a so-called zero-knowledge proof, which is yet another method of authentication.

Simplicity- Instead of verifying the validity of the information itself, we verify the validity of the attester (for example, a state authority that issued the documents). Using a zero-knowledge proof, we can effectively prove the information without disclosing it.

Privacy- Zero-knowledge proof guarantees the trust between entities by allowing them to confirm any piece of data without revealing it. Of course, all data can be additionally secured by a cryptographic solution achieved by combining public and private keys with automated and decentralized management.

Now let’s dive into the technical side of things. One way personal data can be handled on the blockchain is by applying a unique identifier that can be freely created by any user. This is called a public decentralized identifier, or public DID. It is a token that identifies a subject, confirms one’s control over it and allows the owner to set up trustable interactions. What is important is that the public DID does not depend on any centralized authority or identity provider. To make a claim verifiable, three elements are needed: a human user, an issuer (most likely an authority or an organization) and a claim, which is any given statement or piece of information. Please note that verifiable claims should not be confused with verifiable credentials, as the latter have a wider definition.

A claim is a piece of information while a credential is a definition of a specific group of claims. Verifiable credentials allow the owners to express real-life credentials on the blockchain in a secure and trustworthy manner. They include the framework that connects issuers, verifiers and identity owners. Another important mechanism that enables digital identities to work in distributed ledger technologies (DLTs) is a decentralized key management system.

Using the blockchain, it replaces the traditional distribution of key certificates: keys are cryptographically generated by the holder, so a central registration is not required. Decentralization in blockchains effectively means the identity is managed by its holder, who fully controls access to the claims. It removes third parties from the process, and this leads us to the phenomenon called a self-sovereign digital identity, whose main feature is that it fully belongs to its holder.
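As an added example (not code from the original article), here is a minimal Go model of the issuer, holder and verifier flow described above, keeping the claim-versus-credential distinction: the issuer signs only salted hashes of the claims, so the holder can open one claim to a verifier while the rest stay hidden, and the hash check also rejects any altered data as the Integrity point describes. This is hash-commitment selective disclosure rather than a zero-knowledge proof, and the in-memory registry stands in for the DID-to-key lookup a ledger would provide; the did:example identifiers and the credential format are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"sort"
)

// Credential is a hypothetical minimal format: a signed set of salted claim commitments.
type Credential struct {
	Issuer      string   `json:"issuer"`  // issuer DID, e.g. did:example:issuer (assumed)
	Subject     string   `json:"subject"` // holder DID
	Commitments []string `json:"commitments"`
}

// commit binds one claim to a random salt so low-entropy values cannot be guessed from the commitment alone.
func commit(name, value string, salt []byte) string {
	sum := sha256.Sum256([]byte(string(salt) + name + "\x00" + value))
	return hex.EncodeToString(sum[:])
}

// Issue signs the canonical JSON form (fixed field order keeps it deterministic) and hands the salts to the holder.
func Issue(priv ed25519.PrivateKey, issuer, subject string, claims map[string]string) (Credential, []byte, map[string][]byte) {
	salts := map[string][]byte{}
	cred := Credential{Issuer: issuer, Subject: subject}
	for n, v := range claims {
		s := make([]byte, 16)
		rand.Read(s) // crypto/rand; error check omitted for brevity
		salts[n] = s
		cred.Commitments = append(cred.Commitments, commit(n, v, s))
	}
	sort.Strings(cred.Commitments) // order reveals nothing and enables binary search
	body, _ := json.Marshal(cred)
	return cred, ed25519.Sign(priv, body), salts
}

// Verify resolves the issuer DID in the registry (stand-in for a ledger lookup), checks the signature, then the opened claim.
func Verify(registry map[string]ed25519.PublicKey, cred Credential, sig []byte, name, value string, salt []byte) bool {
	body, _ := json.Marshal(cred)
	if pub, ok := registry[cred.Issuer]; !ok || !ed25519.Verify(pub, body, sig) {
		return false
	}
	c := commit(name, value, salt)
	i := sort.SearchStrings(cred.Commitments, c)
	return i < len(cred.Commitments) && cred.Commitments[i] == c
}
```

A verifier that receives only the birth-year claim and its salt learns nothing about the other commitments, while any change to the credential body, the claim value or the salt makes Verify return false.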

It cannot be taken away or used without the user’s consent. What is also important is that the amount of data used or disclosed can vary depending on the specific task for which it is needed. Now that we know the benefits and the technical aspects of digital identities on the blockchain, let’s discuss the possibilities of real-life usage. Widespread adoption might bring significant real-life benefits such as social analytics, reinforced border control, secure cashless payments or more efficient taxation. It can also be used to ensure fair and democratic elections.

Several important issues can be mentioned, such as fake news campaigns, disinformation and the hacking of databases holding voters’ personal information, just to name a few. Hackers might also be tempted to tamper with the systems announcing the election results. Let’s see how blockchains can mitigate these issues.

We already know that creating an electronic voting system that is tamper-proof and provides complete anonymity is possible within the blockchain. Using this technology can also potentially increase voter turnout by making it possible to reliably vote through mobile applications. In 2018 the city of Zug in Switzerland piloted an e-voting program. The participants had their digital IDs created and registered through the uPort app that ran on Ethereum. In a follow-up survey, 42 of the respondents expressed satisfaction that e-voting is slowly becoming an option, and the trial was considered a success. A similar solution was also tested in West Virginia, where the voting app enabled overseas residents to participate in the U.S. midterm elections.

To prove their eligibility, the voters were required to take a photo of their ID and make a short video of their eyes moving. In this particular case, facial recognition was used to confirm private key ownership. The local government called the trial a success, but not enough data was disclosed to perform an independent evaluation of the security and accuracy of the process. Of course, those two pilot programs were conducted on a really small scale, but they already showcased both the opportunities and the challenges of using DLT in the voting process.

The most fundamental issue ironically stems from one of the main advantages of using blockchains for voting. While a blockchain is decentralized, elections at the end of the day have to be handled by a centralized entity. This means that public institutions have to be engaged and have to agree to manage the process in a decentralized manner. Defining levels of control and governance in this process could pose a huge technical and legislative hurdle. Other problems can stem from the typical blockchain challenge of striking a balance between decentralization, scalability and privacy: the ever-present scalability trilemma.

Apart from voting, managing digital identities on the blockchain also holds the potential of increasing the efficiency of government services. It can also reinforce people’s trust in the authorities thanks to its tamper-proof and transparent nature. In a wider perspective, it can be used in tax systems, in providing social security services or in issuing documents. But its impact can also be felt in everyday life. Imagine that the validation of your identity could take place simultaneously with the action that requires such validation, and you do not need to produce additional proof of ID. These actions could range from serious matters such as buying a house or receiving medical care to trivial ones such as buying a beer.

As we have seen, blockchains can theoretically set the framework for seamless and secure usage of digital identities by human beings. Compared to conventional identity management systems, it is more secure, more transparent and more tamper-proof. It also eliminates the risk of human error, but it is still too early to consider it an ideal solution for mass usage in public services, mainly due to the lack of standardization and interoperability. The good news is that there is a growing number of public authorities, academic entities and developers working on improvements to this technology, which will certainly result in us finding solutions to all the challenges discussed in this blog.

Written by: Chandrashekhar Satav, Blockchain Developer.
