The Imperative for Self-sovereign Identification (Get Lost Equifax)
- Chris Skinner, Chairman at The Financial Services Club
- 12.09.2017 07:30 am undisclosed
I’m making a presentation on cybersecurity this week at our Nordic Finance Innovation meetings. This meant preparing a few new slides from scratch as I don’t have a set deck for cybercrime, and sat and started ideas just as the news dropped about the Equifax breach. You’ll all know about this by now, but over 143 million Equifax accounts were hacked during June-July 2017, including customers’ social security numbers, name, address, date of birth, driving licence and other sensitive info. In other words, all the information you need to open new accounts and access existing accounts.
As we have known for a long time now, it is no longer good enough to use customer’s personal information for account access. After Ashley Madison and so many other incidents (Tesco Bank, Lloyds Bank, JPMorgan Chase, SWIFT, the Federal Reserve, the IRS, the Department of Homeland Security eBay, Yahoo, Google, Adobe, Target, Neiman Marcus, Home Depot …), surely we should be moving away from this antiquated system. Bear in mind it’s been used for almost two decades, it’s no wonder the system is no longer working.
So the banks add second-factor authentication (2FA) with secure entry pads and PINs, but they still rely on personal information for account access when you ring their call centres, and this is just annoying.
Yes, I may need to know my mother’s maiden name, first pet’s name, favourite rock band and inside leg measurement when I ring my bank, but then they add we just need to ask a few more questions before we access your account and my heart sinks.
In particular, questions like name a regular monthly payment set up on your account and the amount paid or name the last three transactions where your was card last used and for how much leaves me irritated, as I’m sure it does everyone else. In fact, when calling just to ask why my card is blocked, the five or six account access questions are plain annoying.
Is there a solution?
Of course. In fact, there’s two. First is biometrics and TouchID, voice, eyes and more can easily be used for authentication via a smartphone. Why banks aren’t incorporating these into their onboarding and access mechanisms beggars belief …. or maybe not, as banks would need modern systems to use such radical authentication techniques, and that’s a big ask. Far easier to rely on name, address, date of birth and all the information the hackers stole from Equifax.
Even then, I’m not a huge fan of biometrics if I’m honest, as it’s also hackable as it’s data. If it’s data it can be compromised and replicated and mimicked. I am far more a fan of the second solution: a self-sovereign identity scheme.
This is explained really well by Rhodri Davies on the Charities Aid Foundation website:
Emerging technologies (particularly blockchain, although not exclusively) are making the development of “self-sovereign identity” a real possibility. Trustworthy identification has been one of the main challenges facing the internet ever since it was invented, because none of the traditional, offline means of verifying that someone is who they say they are apply (as famously encapsulated in a New Yorker cartoon by Peter Steiner in 1993, in which two dogs are seen using a computer and one is saying to the other “on the internet, nobody knows you’re a dog.”) The way this challenge has been overcome up to now is to rely heavily on the role of trusted third parties (banks, government agencies, the Post Office, law firms etc) as guarantors of identity. When it really matters for us to know who someone actually is on the internet, it almost inevitable involves recourse to one of these third parties to confirm it. This gives these organisations a huge amount of power. (You can read more about the challenges of identity on the internet in this fascinating article by Kim Cameron of Microsoft)
We might be on the brink of a fundamental shift in the way that personal identity works – one that will make many existing systems and rules entirely redundant.
The basic idea behind self-sovereign identity is that rather than have our information held by third parties (often without us even knowing what that information is) and used to guarantee our identity and make decisions that affect us; we could turn the entire model on its head and give each individual control over their own digital identity.
Obviously, this identity has many different aspects that are only relevant or appropriate to certain contexts. For example, you might want a prospective employer to be able to access information about your educational qualifications, but you probably don’t want them to be able to see that you are also the life President of a Mighty Morphin’ Power Rangers LARPing society.
Currently these different aspects are kept separate by virtue of the fact that the information is held by different third parties, but that means that you have little control over when this information gets shared. So the LARPers might grass you out to your employer for some reason, or- more seriously- a healthcare provider or a wearable fitness tech device might pass on data to insurance companies that would affect your premiums. With self-sovereign identity, you would hold all of the different elements of your online identity in a “box” or “wallet”, and would then be able to choose which of those elements to reveal in any given context.
With self-sovereign identity, you would hold all of the different elements of your online identity in a “box” or “wallet”, and would then be able to choose which of those elements to reveal in any given context.
As Don and Alex Tapscott put it in their book Blockchain Revolution:
“What if ‘the virtual you’ was in fact owned by you – your personal avatar ─ and ‘lived’ in the black box of your identity so that you could… reveal only what you needed to, when asserting a particular right. Why does your driver’s license contain more information than the fact that you have passed your driving test and demonstrated your ability to drive?”
Self-sovereign ID would give us far more control over which information we release, and raises the intriguing possibility that we could start charging organisations for our data.
We need not get in the detail of how blockchain could make this work here (You can find out more from a blog by Antony Lewis from R3 or by checking out the work of organisations like Evernym or uPort who are working to make self-sovereign ID a reality), but the basic facts to be aware of are:
- The technology offers a way of creating and maintain an immutable record of transactions
- This record is public
- All kinds of things can be recorded on a blockchain, including ID information (or, more likely a hash of the information, as putting your entire ID on a public ledger is probably a recipe for disaster.)
- Different parties could access the relevant information recorded on the blockchain, thus removing the need for the information to be stored in multiple locations
- There are cryptographic techniques (e.g. “zero-knowledge proofs”) which would make it possible to confirm that you have a particular piece of identity documentation without having to disclose any of its content.
- There would probably have to be a role for trusted authorities of some kind to confirm that the information recorded on the blockchain matched that in the real world (in much the same way as organisations like the Post Office currently play a role in the UK government’s Verify scheme by checking that someone has the relevant passport/driving licence before they are issued a verify ID that they can use in interaction with other agencies like HMRC etc.).
I really like this idea as it flips the ownership, verification and authentication process from third parties (trusted and untrusted) to me. I own my identity and I allow access to a persona of my identity on demand. I’ve blogged about such things before and wrote a long blog entry over a year ago about digital identity ledger-based systems. Nevertheless, I am not advocating that blockchain solves everything, as illustrated by this proof of concept summary paper from Rabobank. It just gets us along the way.
All in all, it is pretty frustrating that time is passing by so fast and yet the industry is not moving to keep up with the needs for improved online authentication. Hopefully they will eventually. Meanwhile, I hear some banks are thinking of using our DNA to authenticate. Go to a cash machine and spit on it for cash. Pop into a branch and give blood to get a loan. Sounds about right.