IBM And SecureKey Technologies are to deploy a digital identity and attribute network based on blockchain. The solution is aimed at making life easier for consumers to prove their identity and share personal data. This is not just about “who am I?” It is also about allowing consumers to share other data such as salary or earning data when applying for a loan or renting a property.
Proving identity is likely to be the first use of the solution. Know Your Customer is a regulatory requirement for banking across multiple countries. It is used to prevent fraud, criminal activity or the transfer of money to terrorists. KYC is a problem for many banks due to the paper chain required and the need for customers to present a lot of data to the bank.
According to Marie Wieck, general manager, IBM Blockchain: “What IBM is building with SecureKey and members of the digital identity ecosystem in Canada, including major banks, telecom companies and government agencies, will help tackle the toughest challenges surrounding identity. This method is an entirely different approach to identity verification, and together with SecureKey, we have a head start on putting it on the blockchain. This is a prime example of the type of innovation permissioned blockchain networks can accelerate.”
What is the problem SecureKey and IBM trying to solve?
This solution is designed to simplify verification of identity or data sharing without risk. It is not a simple task. For decades banks and other organisations have positioned themselves as trusted sources of data. When a retailer wants to verify a potential customer taking out a credit agreement, it contacts the customers’ bank who verify the customer. The problem with this is that the system is circumventable and open to abuse.
Credential brokers often hold large amounts of data about individuals. This means that they are a key target for hackers and criminals. If security systems are breached the data stolen allows the criminal to impersonate the customer. As this is data held by a trusted partner any reuse of this data is seen as being authorised by third-parties. The system also allows the holder of the data to track the customer. They will know who has requested data, what has been requested and often why it has been requested. This means that privacy is weakened for the customer.
Recently, NIST set out a list of reasons why not to use credential brokers. They are concerned about the concentration of personal data in the hands of the broker. They also warned about them being a single point of failure that would expose users.
What does the solution do?
According to Greg Wolfond, CEO, SecureKey there are several things that this solution does to improve security and privacy. They are:
- Network operator cannot see the data. Any data shared between the requester and the authenticator is kept encrypted. There is no point at which the data can be intercepted or viewed by the network operator.
- Data movement is limited. User data stays at the authenticator unless the user authorises it to be shared with a requestor. This is important as it means that data is not being unnecessarily duplicated. The fewer copies of data the less risk of data theft.
- The authenticator does not need to know where the data is being consumed, just that it has been requested and they need to verify it.
- The receiver doesn’t know where the data is held just that a valid authenticator has verified the data.
- There can be no tracking of the consumer by an intermediate party as everything is encrypted.
Permissive blockchain delivers granular control
This is a permissive solution and there are other benefits not called out explicitly by Wolfond. For example, a customer can control the granularity of what is shared with third parties. In a healthcare scenario they could choose to only share billing details with administration departments. They could also restrict access to psychiatric records when being admitted for a minor surgical procedure. When you combine medical and financial there are other privacy benefits.
A patient might need to prove they have the funds to pay for a medical procedure. There is no reason for the bank to know what that procedure is or where it takes place. Similarly there is no requirement for the medical establishment to know where the patient banks or details of their account. This solution would allow an abstracted exchange of key data to satisfy the needs of requester and authenticator without breaching patient/customer privacy.
More than just an identity sharing solution
Wolfond says that this is more than just an identity sharing solution. He gives the example of someone wanting to make a payment where the payment could be authenticated through this system. Such an approach Wolfond believes would allow banks to reintermediate themselves back into the payment chain.
This is likely to appeal to banks. They tried being a credential broker in the 1990’s when digital identity first came along. The problem was that their systems weren’t good enough and there wasn’t the trust from the public. Government also failed because their processes were too stringent and people were concerned about control of the data.
This system carries much lower costs to banks. They already have to Know Your Customer as part of regulations. What is likely to interest them even more is the use of blockchain. By having an immutable record of the data and how it is used means that they don’t require complex and costly systems. They will also welcome the fact that they don’t need to store additional data types. This means that there is no hit on the systems and data storage banks already own. Additionally, if it allows them to offer new services for lower cost, many will see it as a perfect win.
Isn’t this something that OAuth was meant to solve?
To some degree, yes it is. OAuth allows for granular controls over data but is rarely implemented fully. Facebook is a good example of this. When it comes to “basic data”, Facebook does not allow the user to select what a third-party can see. For more advanced types of data a user can opt to not share but apps often make data sharing a requirement. This means that users tick the data share box without being able to understand what the data is being used for.
Facebook is far from the only company doing this. Google shares a lot of data between its different companies and with third-parties. It is often hard for a user to determine what has been shared and they have little recourse over stopping it.
Conclusion
This is being positioned to begin with as a banking driven solution. That is not surprising. SecureKey has received funding from a number of Canadian banking and finance organisations. However, it is already looking beyond identity to the secure sharing of other data. This is where the solution is clever and has a much wider appeal.
If the current trials and deployment are successful it could be rolled out as a replacement for OAuth and other credential sharing systems. There is a caveat to that. Two factor authentication is poorly supported due to cost, complexity, system limitations and a lack of skills. For this to gain a wider acceptance it needs to be not just frictionless for the customer but for the entire chain from authenticator to requestor. It also needs to avoid any need to buy in technology or reskill a workforce.
SecureKey believes it can meet those requirements. If it can, this could be the first wide-ranging blockchain-based application with serious consumer appeal.
