Blockchain enjoys a tremendous amount of hype in the market. Unfortunately, the hype around blockchain can obfuscate the actual capabilities and limitations of the new protocol. As with any new innovation, the most important question is: what problem does this innovation solve?
With respect to digital identity, there are five important problems blockchain fails to address:
- Synthetic Identity
- Identity Verification
The blockchain is essentially a trusted, public ledger that uses a decentralized network of nodes to verify the integrity of a given transaction. On paper (and to idealists), a public blockchain enables a more democratic world where transactions and the network itself are unchained from centralized control. Unfortunately, the blockchain’s immutability does not hold under all conditions.
A “51% attack” allows an actor who controls 51% or more of the mining power on the network — the computing power that provides the “proof of work” to authenticate transactions — to create a new branch that would effectively overwrite and potentially reverse all of the transactions on the public blockchain. Dr. Gideon Greenspan put together a piece, The Immutability Myth, at Coindesk that explores this vulnerability in more detail. The short and sweet: 400 million dollars will buy enough mining equipment to equal the total mining power present on the bitcoin blockchain.
For a state actor, 400 million dollars, and even many multiples of that amount, is a trivial sum to invest in order to undermine a public blockchain. Given identity’s role in fighting terrorism in the financial sector, deploying and trusting a public blockchain at scale for sensitive transactions, when a state actor could undermine it for hundreds of millions or billions of dollars, carries too much risk to make a public blockchain for identity a viable approach. Private blockchains have mechanisms that can potentially overcome this challenge, but then you are in more of a consortium control model, not too dissimilar from banks and Visa, versus a democratic control model.
The most difficult challenge in identity is establishing that a) the identity claimed is real and unique and b) that the user claiming the identity is the rightful owner of that identity and not, say, a member of organized crime.
With respect to the first component of identity proofing, synthetic identity theft — a practice where identity thieves combine a social security number from one person, a birth date from another person, and an address from a third person to effectively create a fake or “synthetic” identity — is a challenge that blockchain can do little to solve. It is a ledger, it records, it doesn’t verify or issue identity. As a ledger, blockchain depends upon the integrity of the inputs to the ledger, and, if the inputs are bad, then the ledger will simply record the synthetic identity on the ledger — garbage in, garbage out.
To put the scale of this problem in perspective: the FTC and ID Analytics estimate that a full 80% of credit card fraud is attributable to synthetic identity attacks.
The United States government, specifically the Social Security Administration (SSA), not blockchain, can solve the synthetic identity challenge, but, unfortunately, SSA limits the use of their API to employment and income verification so the private sector is on its own with respect to identity proofing writ broadly. If SSA extended their API to the market at large — potentially in a limited way to whitelisted entities in regulated markets — then the synthetic identity problem is solved.
In this context, blockchain is just one protocol, among many, that might facilitate coordination, but it cannot substitute for the critical role that SSA plays as the authoritative issuer of America’s de facto national identifier or for SSA’s decision to abstain from providing a trusted API to the market.
Once an identity is established as real and unique, the next challenge is to ensure that the user claiming the identity is in fact the rightful owner of that identity and not a criminal. This step is known as identity verification, and it is best done in-person a la a visit to the state DMV or online with stringent controls enforced per the National Institute of Standards and Technology (NIST) 800-63-2 or -3 standards. Even with those controls present, the process is imperfect and, if a bad actor does gain control of a real person’s identity, then blockchain cannot stop that bad actor from exploiting that person’s identity because authentication and identity proofing happen upstream.
NIST specifically notes in their recent blog post on trusted identity that “strengthening identity proofing while expanding options for remote and in-person proofing… is arguably the most difficult part of digital identity.” Multiple government agencies and private sector entities have suffered data breaches due to poor identity verification, as DHS notes in a research solicitation here. And blockchain does nothing to directly solve the identity proofing problem.
Blockchain advocates will likely point to the reputation that a public-private key pair that represents an identity might gain over time — giving confidence that the owner of the private key is in fact the legitimate owner of the identity given a history of trust — but this functionality is not new, does not require blockchain, and can be implemented today with a hashing repository, match keys built off one or more fields of PII to establish referenceable vertices, and existing protocols like OAuth 2.0, SAML 2.0, and OpenID Connect that can federate attributes and associated metadata regarding the identity proofing administered and the tenure of the login.
In fact, that is what we already do at ID.me and we filed a patent on the approach back in 2015.
Importantly, if trust in the proper ownership of the identity is predicated on the public-private key pair and the reputation of the pair to the claimed identity over time, then what happens if the user loses their phone/private key or gets a new phone? (Note: in most cases the user’s private key will be their phone). Of course, they will need to start over, to go back through identity proofing — validation, resolution, and verification — from scratch in order to claim their identity on the blockchain again as the owner of the private key that represents the identity. While legitimate users will need to re-bind authenticators to their identity in such cases, criminals will certainly exploit these account recovery pathways to take over identities because they can bypass the trust and tenure of the established login.
If there are multiple identity providers present as there most certainly will need to be, then standardization (see below) and fraud prevention (see above) become critical to ensuring the identity provider with the weakest proofing doesn’t become a vector to identity takeover on the network.
These problems will hold regardless of whether the network runs on blockchain or without it.
Blockchain does little to address the demographic challenges associated with issuing strong digital credentials at scale. Identity proofing and authenticating different groups like students, seniors, rural Americans, the homeless, millennials, and young professionals is an incredibly varied and complex challenge. Younger consumers do not typically have a financial history, they very well might be on their parents’ utility bill, and they may not have a significant government records trail for the same reason. So, while they might have lots of sensors and know how to use Touch ID and a facial biometric to authenticate, the identity validation of their static personal data is very difficult, one reason why most synthetic identity fraud targets younger Americans. Seniors tend to have the opposite challenge — validating and verifying the identity is easier — but older Americans tend to be less computer literate and to have fewer devices that would help them authenticate. Rural Americans have similar characteristics.
Because identity proofing and authentication are prerequisites to access the blockchain or to conduct a transaction, the blockchain does not solve the fundamental issue of trust or access that is necessary to grant the individual access to use their identity or, as noted above, to even verify that the identity is real and not synthetic. Additionally, for data schemes where personal information is stored on a smartphone rather than server side, the approach presumes that the individual has a smartphone and is capable of using that smartphone to transmit information. That is before getting into scenarios where devices are shared across multiple members of a household or community.
Identity federation has long held the promise of tying strong authenticators, like a password plus a biometric plus a device, to static bundles of personal information, like a Name, DOB, and SSN, so that the authenticators (the digital login), not the static information, are trusted to represent the identity. Protocols like SAML 2.0 and OAuth 2.0, which significantly predate blockchain, already enable encrypted assertions and JSON tokens respectively to facilitate sharing of information, while RESTful APIs could authenticate a claim — such as a hash of an identity — rather than sharing the raw personal data itself.
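The hashing repository with PII match keys mentioned earlier, and the hash-of-an-identity claim check described above, can be sketched without any blockchain. This is an added example, not ID.me's implementation or code from the original article; `HashRepository`, `match_key`, `REPO_KEY` and all sample records are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Assumption: a secret held only by the repository operator. An SSN has at most
# 10**9 values, so an unkeyed hash of PII can be reversed by enumeration.
REPO_KEY = b"constructed-demo-key"

def normalize(name: str, dob: str, ssn: str) -> bytes:
    """Canonicalize the PII fields so formatting differences do not change the key."""
    name = " ".join(unicodedata.normalize("NFKC", name).casefold().split())
    ssn = "".join(c for c in ssn if c.isdigit())
    return f"{name}|{dob.strip()}|{ssn}".encode()

def match_key(name: str, dob: str, ssn: str, key: bytes = REPO_KEY) -> str:
    """Keyed hash (HMAC-SHA256) over the normalized fields: the referenceable key."""
    return hmac.new(key, normalize(name, dob, ssn), hashlib.sha256).hexdigest()

class HashRepository:
    """Stores match keys plus proofing metadata, never the raw PII."""
    def __init__(self):
        self._records = {}

    def enroll(self, name, dob, ssn, proofing_level):
        key = match_key(name, dob, ssn)
        self._records[key] = proofing_level
        return key

    def verify_claim(self, claimed_key):
        """Answer a relying party's claim check: proofing level, or None if unknown."""
        return self._records.get(claimed_key)

def demo():
    repo = HashRepository()
    # Constructed records; SSN area 000 is never issued.
    repo.enroll("Jane Q. Public", "1990-01-02", "000-00-0001", "in-person")
    # Synthetic identity: SSN, birth date and name taken from different people.
    repo.enroll("John Doe", "2001-07-04", "000-00-0002", "self-asserted")
    same_person = repo.verify_claim(match_key(" jane q. PUBLIC", "1990-01-02", "000000001"))
    synthetic = repo.verify_claim(match_key("John Doe", "2001-07-04", "000-00-0002"))
    unknown = repo.verify_claim(match_key("Nobody Here", "1980-01-01", "000-00-0003"))
    return same_person, synthetic, unknown

if __name__ == "__main__":
    print(demo())  # the synthetic record verifies too: garbage in, garbage out
```

The claim check confirms only that a record was enrolled and at what proofing level; it says nothing about whether the enrolled identity is real, which is why the proofing metadata has to travel with the assertion.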
Identity is fundamentally about trust in a given transaction: will you repay this loan? should I let you board this airplane? do you have enough credit to pay for this good or service? are you eligible for a student discount?
So, it is ironic that many efforts to collaborate on identity proofing in the public and private sector have largely come to naught because organizations don’t trust one another. Almost all regulated entities require their customers to create a login with them directly, to enter PII with them directly, and they then verify and validate that PII themselves directly with a data broker. This process could potentially happen multiple times in a day with the same vendor verifying the same person’s identity at different financial institutions or government websites.
There is no common sense explanation for why there is so much redundancy — and therefore additional friction — in the market prior to blockchain but there are a few reasons why most organizations don’t share data across the industry.
a) Large organizations view identity as a moat around their business. Sharing an individual’s data across organizations removes friction (i.e. it lowers switching cost) and if you are a large financial institution, the LTV of a customer dramatically outweighs inefficiencies in identity. Put another way, if you are JP Morgan Chase, why would you make it easier for your customers to open up a financial product at Citibank?
b) Many organizations do not trust other organizations to follow processes and procedures that they deem acceptable, i.e. you might hear “that process might be fine at Bank of America but it would not cut it here at Capital One” (and vice versa). In most cases, this rationale is unwarranted — a byproduct of a phenomenon called Illusory Superiority, like when 80% of American drivers believe they are above average drivers — but, in some cases, like the 2016 Wells Fargo scandal tied to two million false account openings, the fears are justified. And the fines that regulators can impose are substantial as well.
c) The demographic challenges of identity proofing and authentication make standardization of credential issuance difficult.
d) Lost authenticators require re-verifying the identity back to the network.
e) There is no legal framework to control liability at scale if something goes wrong.
In short, the largest banks and telecoms — the natural identity providers for the online world — would need to accept a lot of risk, potential liability, and uncertainty in order to participate in an identity ecosystem. Executives generally don’t get fired for not sticking their neck out. They do get fired for trying something at scale and failing publicly.
And senior executives would be taking potentially enormous, short-term risk by sharing or validating personal data. After all, who is responsible if a hospital system allows a user remote access to medical records by trusting a bank’s KYC process — even if they just check a hash — only to find the user was a criminal impersonating the patient to obtain sensitive information they could then use to blackmail them?
Rules of the road for “identity chargeback” don’t exist yet.
The rewards are clearly substantial if a shared authentication system works, but the potential downside is so large that there are substantial personal and organizational disincentives to sharing customer PII via any protocol or method, be it raw data via SAML 2.0 or OAuth 2.0 or a hashing/claim validation scheme via blockchain or an API. As with most networks, no one wants to be first when the value is lowest and the risk greatest. Free riding is easier.
Blockchain doesn’t do a whole lot to change this dynamic.
Blockchain clearly provides massive utility, particularly concerning use cases that involve ownership of commodities, assets, and currency. However, digital identity and authentication are, for the most part, layers and steps that precede the blockchain application layer. Separating the steps is important to further a more informed and nuanced discourse amid all the hype.