Building shared digital identity using blockchain technology

I previously described challenges both consumers and organizations face when it comes to user identity and how a shared digital identity can reshape digital trust as we know it.

In an ideal future state, every consumer would have a strongly proofed, government-issued digital identity that could be shared with anyone. The user would own and manage this identity on a personal device and all digital interactions would accept this digital identity for enrollment and authentication. But today, we live in a world where:

  • Governments are far from being able to issue digital identities
  • Millions of organizations provide digital access to users
  • There is virtually no notion of digital trust

We need to walk before we can run. So how do we get started?

Blockchain-based digital identity

The picture below is conceptually what a blockchain-based shared digital identity solution would look like.

Blockchain-based digital identity architecture

The foundation of a shared digital identity solution is an identity wallet, where users can store and manage all their identity information. However, issuing identity-related information back to the user so that they can control it brings its own challenges:

  • How will the user keep this information safe?
  • Just like there are many forms of government-issued IDs, can there be different identity issuers?
  • How does a relying party trust the issuing party?
  • How can the relying party know that the information has not been modified by the user?
  • What if the user loses this information?

Users can leverage modern smartphones with strong hardware-level security to manage all their identity-related information in this identity wallet. Issuing parties can digitally sign the identity information and cryptographically tie it to the user’s wallet before issuing it, and then record the transaction on the blockchain. Relying parties can trust that information because it is digitally signed by an issuing party they trust and was verifiably issued to this user, and the blockchain provides an additional trust layer to confirm nothing has changed (the credential has not been revoked, it is not being presented from a de-authorized device, etc.).

Ecosystems which share identities and trust

When compared with a traditional database, a blockchain is more complex to operate, but a blockchain has important properties that a database lacks. These properties include decentralized consensus, immutability, highly distributed/replicated information and support for digitally signed transactions.

Together, these properties provide the building blocks for a “decentralized trust” layer. Therefore, a blockchain really makes sense when trust is decentralized – and when applied to “identity” it implies a collaborative ecosystem or consortium of organizations, where no single member “owns” the user’s identity and each member wants to collaborate and share the user’s digital identity, with user consent.

In the example of a healthcare ecosystem, there are many payers (insurance companies) and many providers (pharmacies, hospitals, etc.). A payer works with many providers and each provider accepts many payers. All the providers clearly trust the payer and the proofing that was done before an insurance card, or other document, was issued. This trust has been established because they know they’re going to get paid if they deliver services to the user.

But today, they still do their own proofing before allowing the user to create an online account – because they have no way to obtain a verified digital identity of the user from the payer. There are many such examples of ecosystems (financial services, utilities) where companies should be able to trust others to do a thorough job of identity proofing. This is where a blockchain-based identity solution can help.

Conversely, if a single organization provides access to enterprise applications to its employees, or it’s a single organization with a large number of partners, a blockchain-based solution is unnecessary – as these scenarios do not meet the required criteria of having multiple issuing parties and multiple relying parties. No decentralized trust is needed in this case as all the partners implicitly trust the single organization at the center of the ecosystem. A federated model where the partners call into the single central enterprise would be a simpler solution.

Organizations where user consent and privacy matter

In the real world, users decide with whom they share their identity documents, such as their driver’s license. Also, the government does not know, or keep track of, each time the user shares this information with someone. This is known as User Consent and Privacy: the user is in control of their information and can decide what to share and with whom, without fear that their interactions will be tracked.

If we want to transition to digital identities that can be shared, the user needs to be able to achieve the same level of privacy and consent, or better. The insurance company that issued the identity to the user should not be able to track who the user shared that information with in the digital world. Federated login technologies like Google and Facebook logins have this challenge today: the identity provider knows each time the information is provided to a relying party.

To eliminate this tracking, we have to mimic the government identity paradigm and issue the identity back to the user. With the strong push towards data privacy regulations like GDPR and PSD2, organizations have no choice but to implement these changes. This is another key requirement where a blockchain identity solution can help.

Conclusion

Initial traction for blockchain-based identity solutions will start with ecosystems that trust each other’s proofing techniques and see value in sharing identities. As these digital identity ecosystems gain traction – with more issuers, more relying parties and more users – many more organizations will see value in adopting such a solution and the list of organizations that can benefit from such a solution will also grow.

Over time, just like countries started to issue passports that are recognized across borders, these islands of digital trust will also start to interconnect and give us what we all want – complete digital trust based on a single digital identity.