You are who you say you are: Establishing digital trust with the blockchain
Over the last few years, blockchain use has gained popularity driven partly by the interest in cryptocurrency, but mostly with the growing understanding of what distributed ledger technology can enable through decentralization of trust. Most large companies have innovation teams looking at ways that blockchain technology can be applied, and many analyst firms, system integrators and other influencers have focused teams providing advice on applications of blockchain technology.
I have spoken to experts at leading financial, healthcare and government organizations about challenges they face with consumer identity management and where blockchain technology can help. Along the way, I have learned a few things, not the least being that while blockchain-based identity can disrupt the way users identify and authenticate themselves, it is not a great fit for every organization today and it will not replace all existing enterprise identity management systems.
Unlike an online retailer where users can use their Google or Facebook account to register a (federated) login, creating an account with a bank or healthcare provider is more complex. This is due to the value of the information being protected, as well as the regulatory requirements that mandate higher standards of identity proofing and authentication within these industries.
The user must provide personal information, create a username and select a password, and often times they must also answer questions that will help automate recovery of these credentials if they are forgotten. In some cases, the user also has the option to provide a mobile phone number to enable multi-factor authentication to further prove their identity.
On the other hand, an organization must capture all of this information and verify the user’s identity to make sure the user is indeed who he or she claims to be before they can create an account and authenticate them each time they access their account – across every channel. Failing to meet these steps has legal liabilities, and can also lead to reputational and financial exposure.
The end result is that the user has many digital identities – one for each relationship. This process is equally challenging for the consumer and the organization. For users, this process can be time-consuming and frustrating – both with all the information they have to provide each time they register to open an account, and the passwords they have to remember when accessing their account. For organizations, this process is expensive and involves a great deal of risk because:
- User identity verification has become increasingly difficult due to the numerous data breaches and the consequent inability to use “knowledge-based authentication” (KBA).
- There is user friction throughout the entire online enrollment and authentication process often results in high drop-off rates and lower digital adoption.
- And finally, there are risks and costs associated with managing and maintaining a centralized repository of user credentials (passwords, biometrics, KBA responses) as these are valuable targets for identity thieves.
Concept of digital trust
In the non-digital world, we go through a rigorous proofing process with the government to get a passport or driver’s license and then use one of these documents to get a job, apply for credit, sign up for health insurance, etc. But this notion of trust is limited and works because the employer, creditor, or the insurance company trusts the government issued identity to verify the user.
In the digital world, even though some organizations may be connected (i.e., health insurance with hospital or pharmacy), the user must go through the same verification process each time – resulting in yet another digital identity. If organizations that share a common interest could agree on protocols for trusting members of their ecosystem to provide a verified identity for the user, they could greatly reduce these complexities and increase the trust and assurance of the user identity. For example, a user goes to their health insurance company, which would act as an “issuing party,” and is issued a digital identity – a digitally signed document that asserts who they are. The same user could then take his or her digital identity to a “relying party,” such as a hospital or pharmacy, that could accept this information because they trust the insurance company. This is where we can start to see the benefits of offering a shared digital identity and the establishment of true digital trust.
Let’s take this one step further. We could one day replace passwords if a shared digital identity that contained all of the user’s personally identifiable information (PII) was given back to the user and strongly associated with something unique to them, tamper proof and available in a convenient form factor, such as a smartphone.
Because issuing parties and relying parties only interacted through the user – and only with the user’s direct consent – we could also solve the privacy and consent related issues, ensuring that no one was granted access to a user’s PII without their approval. This would then greatly reduce risk for the enterprise because there’s no central repository of passwords for bad actors to steal and no PII that is made available to call centers.
Shared digital identities have the potential to simplify identity verification and authentication and can do this in a way that preserves the user’s privacy while at the same time reducing friction, costs and risks for the enterprise. For the user, it means no more managing multiple identities and most importantly, no more passwords. Now that’s security and simplicity – and isn’t that what digital trust should be?