Ventana Research Analyst Perspectives

Identity management is an old problem that has taken on new dimensions in the digital world. In 1993, at the dawn of the World Wide Web (WWW), The New Yorker ran a cartoon featuring two dogs talking, one perched in front of a computer. The caption reads: “On the Internet, nobody knows you’re a dog.” The phrase quickly evolved into a meme highlighting the issue of identity uncertainty in the new digital environment.

I’ve written about the many uses of blockchains in business beyond cryptocurrency and financial trading platforms, the two most recognized use cases today. Done correctly, identity management will be an important use of the technology because it can simultaneously address issues of personal privacy and authentication. In other words, unless you want them to, nobody knows you’re a dog. But if you aren’t and you have proper credentials from a recognized authority, anyone can be reasonably certain that you aren’t a dog.

Identity Management

Let’s first stipulate that it’s impossible to be completely certain that someone is who they claim to be. Let’s also recognize that blockchains will not automatically solve many of the identity management and authentication issues that businesses and individuals confront in the non-digital world. For example, whether and to what degree does one “own” his or her identity? Does an individual have the right to control what another individual or corporation says about him or her? And, to what extent does an individual have a right to be forgotten?  

Technology cannot answer these questions but it can improve the level of certainty and therefore trust in identity management and authentication. Because of their inherent security (through public key encryption and multi-independent node structure), blockchain distributed ledgers can enhance trust, give individuals greater control over access to their personal data and simplify the process of managing and accessing certifications and accreditations.

When it comes to assessing and understanding digital innovation, it’s useful to first consider what exactly the innovation will replace to sort out what’s changed and what hasn’t. In the pre-digital world, for example, with a passport you could establish your identity with a high degree of trust and security. For certainty, it had a crude biometric authentication device (your picture). It contained personal information about you and your citizenship relevant to authorities such as your date and place of birth. It might contain the visas that define your permission to travel to and in a country. However, in presenting your passport to confirm your identity you also divulged other personal information such as a history of the places you had travelled to since its issuance. For a number of reasons, in the process of proving you are who you claim to be, you are compelled to provide information that you might not want an individual, company or authority to have.

Although passports reflect a high standard of authentication, a forged passport isn’t especially difficult to obtain. To achieve a virtually foolproof means of establishing identity, in spy novels (and in real life) a banknote ripped in two is often used to provide a secure yet anonymous means of identification. That’s because the serial numbers and the random tear pattern must match. A torn banknote is an efficient device and a useful metaphor for some aspects of blockchain digital identity management (such as public key encryption). It has the advantage of providing authentication while protecting privacy, but it also has limited value beyond a simple and reliable, one-time-use counterparty ID for a narrow purpose.

Blockchain identity management systems are intended to address many of the shortcomings inherent in pre-digital identity management approaches. They can provide a high degree of trust while providing individuals a high degree of control over the personal information others are allowed to see. And they can do so efficiently for a wide range of purposes.

Not a Dossier

It’s important to recognize that identity blockchains have a structure very different from what’s been used in the past. The blockchain isn’t a dossier. Identity components such as a name, date of birth or biometric information are stored as “hashes,” a function that converts one value to another. The actual identity data is not part of a blockchain itself. A hash value is a natural fit for cryptography because it masks the original identity data with another value and an effective cryptographic hash function cannot be reverse-engineered. A hash can only be used to generate a value by someone or some system that has permission to look it up from a hash table. That table is stored at a different logical (and likely physical) location. In practice, the identity hashes on a blockchain will likely reference dozens or scores of tables located in multiple locations.

To give a simplified example, Abel issues Baker Corporation a “key” that allows Baker to confirm that all the specific identity components on his application jibe with his identity record. Baker can confirm their accuracy because the company is allowed to corroborate, for example, that Abel’s date of birth agrees with the information on a digital birth certificate record (without revealing the father’s name, hospital, birth gender or whatever) and that the college identified on the application verifies that he is a graduate (and, if requested, that his major and dates of attendance are also correct).

The demand for secure identity management has grown in recent years as concerns have mounted about privacy, safety, identity theft and assorted threats posed by authoritarian governments and criminals. Self-sovereign identity (SSI) management has emerged as a way to use technology to deal with threats posed by technology. As of now, there is no universally accepted strict definition of SSI, so what follows is an attempt to summarize key attributes.

Self-Sovereign Identity

SSI is a response to the persistent problems that individuals have encountered in the commercial world, where credit dossiers contain errors and criminals hack customer data and steal identities. Though it’s hardly infallible, SSI is a potential means to counter the control that governments and authorities have or may have in defining individuals’ identity and certifications. “Self-sovereign” means that the individual has a legal right to control information about his or her identity without interference. Consequently, he or she can elect which elements in the identity record can be confirmed by whom, when and under which circumstances. It also means that the individual has a legal right to a persistent identity. That is, no government, association or individual can unmake or modify someone’s personhood. To achieve that, components of data in the record are recoverable and never lost; they persist through the individual’s lifetime and beyond. Moreover, only the individual can add or modify his or her data.

Self-sovereignty demands technology that provides accessibility and persistence. That is, data must be easily accessed, systems that work with identities must be interoperable and data must be universally readable. I should also note that owing to the structure of a blockchain ledger, any changes are made through a correcting entry, never an erasure, so that all changes can be tracked and traced.

Certifications

The counterpoint to self-sovereign identity is certification: How does someone know that I am not a dog? Or that I have the qualifications I claim to have? In an increasingly digital world, it’s possible to address the need to authenticate information digitally. For example, an organization can authenticate that an individual has been certified by a recognized body to operate a forklift. For individuals, corporations and government or regulatory entities, the easy availability of certification can reduce frictions, cut costs and enhance compliance. Skills and experience also can be certified. In an increasingly services-oriented economy, digitally matching jobs with skills and certifications can accelerate staffing and hiring, making it easier to find the right people while reducing employment costs.

Some Technical Considerations

The potential value of using blockchain distributed ledgers for digital identities and certifications is enormous. Compared to existing methods (mainly paper and proprietary systems), blockchain technology is a more efficient means of supporting effective self-sovereign identity management and digital authentication. In the world of software, these types of blockchains can increase the business value of human capital management software, especially in hiring, staffing and career management.

That noted, there are a long list of challenges. Here are just a few:

First, from a technical standpoint, it’s essential that blockchains be able to make identity and certification data universally available. To do this, they must be able to connect disparate systems with a “loosely coupled” architecture that supports many-to-many relationships.

In computing, a loosely coupled system is one in which each of its components has little or no knowledge of the details of other components. When two such systems connect, the sender communicates a message in its native form and format with the expectation that the receiver will be able to fully and accurately understand the content of that message. Data standardization (including structures, conventions, definitions and taxonomies) are crucial for achieving a free, persistent interchange of information. Identity blockchains will need some degree of standardization and a method for extending that standardization. Common data definitions will be relatively easy to establish but extensibility is essential.

Second, it will be necessary to establish data infrastructures that ensure the persistence and immutability of identity and credentials. In practice, this means having permissioned blockchains with multiple nodes controlled by multiple independent entities. As is the case with blockchain distributed ledgers, each node replicates itself to others to make it almost impossible to tamper with the data in the blockchains, since any alteration must be done simultaneously to all instances. Moreover, because the blockchain only contains hashes (not the data itself) the data referenced by the hash must be replicated in multiple secure locations to ensure persistence.

Third, technology by itself will not address the many legal, regulatory and human issues that any system will confront. Exchanges of information in employment and commercial contracts, whether explicit or tacit, are controlled by law, regulation and custom. In every jurisdiction, issues that arise from the introduction of identity management will need to be adjudicated according to existing or new laws and regulations.

Barely at the Starting Line

Digital identity management is in an embryonic state. The rough outlines of its principles and the technology to support it are in place but there are substantial legal, cultural and technology challenges that must be addressed. This will be an evolutionary process. It will advance step by step into how individuals, businesses and governments interact in matters of identity and authentication. But we live in the digital age and digital identity management is inevitable. Because sometimes you must be able to prove you’re not a dog. 

Regards,
Robert Kugel
SVP & Research Director