Director of Avenga Labs
How do the computers know that we are who we are?
How do they verify our identity?
The most popular method is based on the existence of something or the knowledge of something that no other people have.
The most common expression of this method is using passwords, which are expected to be unique for a given login, creating hard to guess combinations of the login and the password.
Our emails and phone numbers, and the fact that we have access to phones and can receive text messages, is also one of the most popular methods of authentication with digital products.
The other examples are having identity cards from the government or credit cards issued by the banks. Many of the modern cards can be used for digital signatures and authentication.
And let’s not forget about the biometrics methods which are finally being done well and are easy to use, like FaceID and fingerprint scanners on our smartphones. (It’s based on something, again, unique to us such as our faces, fingers, etc.).
Passwords are not secure, are fairly easy to break and people tend to use the same passwords in too many places. Simple passwords may be easy to remember but they are easy to break, and make it easy for hackers to maliciously use our personal data. Most of us do not have the skills to remember many complex passwords to make them hard to break.
Another major problem is the lack of proper security practices on the side of the digital product providers. Massive leaks of our personal data are too common nowadays and are very often as a result of neglecting the basic rules of security.
But passwords as a method are also to blame for that.
Two factor authentication is making things much more secure, but many users still don’t use it, and sometimes it makes things more complicated, which nobody really wants.
Today we use custom user/password combinations less often, because we don’t want to have thousands of logins and passwords.
Social network authentications, like Google, Facebook, Microsoft, and Apple, are here to help us use only a few authentication methods to access any internet or mobile application.
However, people don’t want to use their social accounts for serious activities like bank accounts or insurance.
And of course, all passwords vs. humans related problems do exist in the context of social accounts.
From a privacy perspective, organizations such as Google, Apple, Facebook, and Microsoft are able to see what you are doing online, to which services you log in, when, etc. It’s the gigantic organization somewhere out there which is controlling your identity, not you.
Is there any other way? Can you imagine the world without passwords?
Something as easy as using social media authentication, but more secure and private?
Yes there is and it’s called decentralized identity.
A user has their private keys and there’s a wallet that is keeping it safe by using biometrics and passwords as a second layer of protection.
Proven cryptographic systems that are publicly available distributed ledgers (i.e., blockchains such as Bitcoin, Ethereum, or Sovrin) are used to store them securely in your transactions; everyone can see them but nobody except you is able to modify your identity.
→ Explore DLTs – how to choose the right blockchain for your business
Decentralised Identifier (DID) is a unique representation of the user in the digital world.
The authentication claim is sent to the web site and the other party can find public keys in the public blockchains and verify the user’s private key cryptographically and then the user is authenticated.
The difference? Lookup takes place in decentralized ledgers which are not under the control of any organization, cannot be tampered with, and there’s no central institution that controls it.
The user is the owner of their own identity! Great news finally, however there’s no rose without a thorn.
What about losing the digital wallet stored inside the phone?
With centralized identity it’s easy, someone keeps it for you and you have to perform some kind of operation, such as password recovery with SMS or physically go to the bank and show your identity card, to get a new password/token.
With decentralized identity, it’s the responsibility of the user to store the private key or private key passphrase securely.
This is a very limiting factor from a convenience point of view. Laptops break and get lost, as well as smartphones. Currently one of the ways to overcome this is to physically print the passphrase of the private key or physically store private keys on flash drives in secure bank deposit boxes. Not very digital, we have to admit.
Is giving people the option to be owners of their digital identity a good idea?
For all the privacy proponents and believers, certainly yes.
But for the regular less-techy people it can be a frustrating experience.
Researchers are looking for new ways to recover lost keys and identities without impairing privacy.
Decentralized identities (DID) can store more personal and business information than just identifiers, like health info, other identifiers, and personal data. Instead of storing them in some kind of external database where they can be read, leaked or lost, you keep them close to you and enable access only when needed.
→ Read more why Essentially, Data is good. It’s the use cases that can be problematic
The identifiers are not just for people, but for billions of internet connected devices as well.
The Decentralized Identity Foundation group is a set of companies working together to bring ready to use solutions to the world. The group includes Microsoft, Hyperledger, and other famous names. The giants missing from this list include Google, Apple and Facebook.
So, it’s therefore hard to be very optimistic about this attempt to create globally available digital identity cards for every citizen in the digital world, across countries, and owned by individuals independent of any government or institution.
It’s technically possible to achieve this and there are smart people working on it.
We, at Avenga, are looking for usability improvements for Distributed Identities (DI) in order to be able to help your business take advantage of the new trends in the security and privacy space.
You really don’t have to wait-and-see the benefits from blockchain technology for business.
→ Explore Security-first system for COVID-19 test results in the blockchain.
And your digital product’s security and privacy are close to our hearts and minds.