What if every online service, business application and public service platform required only one account, one that is not based on a central controlling instance and that is, at the same time, highly secure?
Everyone knows this scenario: managing accounts on Facebook, Amazon, Google and many other online services requires an e-mail address and – hopefully – a unique password. This approach leads to a flood of digital identities, and the disclosed data becomes ever harder to manage and control. A similar trend can be seen in a business context: a hard-to-survey number of applications and data repositories needs to be access-controlled, and access rights need to be revoked promptly as soon as necessary. In the context of public services, yet more digital identities and access rights are required.
To get this “Identity Spam” under control, several providers have accepted the challenge and consider Identity Federation a valid solution. Services like Identity as a Service (IDaaS) offer users Single Sign-On (SSO), which renders the individual administration of accounts obsolete. Going forward, the user needs only one digital identity to which all access is tied. However, the SSO functionality requires the IDaaS to be integrated with all relevant systems. Compatibility, security and availability are critical operational success factors. Even when they are fulfilled, in this scenario the user still has to give up sovereignty over their data. The user’s trust in the IDaaS provider, which is also a Single Point of Failure, is crucial.
An approach that takes IDaaS consistently further, but also demands a new way of thinking from all those involved, is Bring Your Own Identity (BYOI): a digital identity which is fully under the control of its owner, without a central controlling authority, and with the built-in ability to disclose particular pieces of information selectively for specific purposes and to withdraw access independently and on demand. Bring Your Own Identity can be used in private, business and also governmental contexts.
How is Bring Your Own Identity brought to life?
With Blockchain technology! It is possible to build digital identities – IDs – linked to profiles that hold information about the owner in designated attributes. These pieces of information can be confirmed – or attested – by third parties such as officially authorized organizations. Besides assigning IDs to individuals, it is also possible to allocate IDs to companies, websites or applications. Through such confirmations and links between IDs, access rights can be assigned. For example, an application ID could attest to a personal ID that its owner is a legitimate application user, allowing both authentication and authorization. BYOI can be realized with various technological solutions, e.g. Blockstack (https://blockstack.org), uPort (https://www.uport.me) or Sovrin (https://sovrin.org). Wide adoption could unlock significant advantages for both users and integrating organizations: once the compatibility hurdles with existing systems are overcome, cryptographic security, high availability thanks to a decentralized architecture and even sovereign control over personal data are the reward for users.
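As an added illustration (not code from this article or from Blockstack, uPort or Sovrin), the following Go program models the attestation step just described: an application ID signs a claim about a personal ID, a relying party verifies that claim against the issuer's public key published on a simplified in-memory ledger, and the issuer can revoke it on demand. The `Ledger` type, the attribute names and identifiers such as `did:example:app` are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Identity: the owner alone holds the private key; the public key lives on the ledger.
type Identity struct{ ID string; priv ed25519.PrivateKey }

// NewIdentity creates a key pair and publishes the public half under the given ID.
func NewIdentity(l *Ledger, id string) *Identity {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	l.keys[id] = pub
	return &Identity{ID: id, priv: priv}
}

// Attestation: an issuer ID confirms one attribute of a subject ID and signs it.
type Attestation struct{ Issuer, Subject, Attribute, Value string; Sig []byte }

// payload is the canonical signed form (a JSON array, so field order is fixed).
func (a Attestation) payload() []byte {
	b, _ := json.Marshal([]string{a.Issuer, a.Subject, a.Attribute, a.Value})
	return b
}
func (i *Identity) Attest(subject, attr, value string) Attestation {
	a := Attestation{Issuer: i.ID, Subject: subject, Attribute: attr, Value: value}
	a.Sig = ed25519.Sign(i.priv, a.payload())
	return a
}

// Ledger stands in for the shared ledger (assumed): public keys plus a revocation list.
type Ledger struct{ keys map[string]ed25519.PublicKey; revoked map[string]bool }
func NewLedger() *Ledger               { return &Ledger{map[string]ed25519.PublicKey{}, map[string]bool{}} }
func (l *Ledger) Revoke(a Attestation) { l.revoked[string(a.Sig)] = true }

// Verify accepts a claim only if it names the expected issuer and subject, the issuer's
// registered key verifies the signature, and the attestation has not been revoked.
func (l *Ledger) Verify(a Attestation, issuer, subject string) bool {
	pub, ok := l.keys[a.Issuer]
	if !ok || a.Issuer != issuer || a.Subject != subject || l.revoked[string(a.Sig)] {
		return false
	}
	return ed25519.Verify(pub, a.payload(), a.Sig)
}

func main() {
	l := NewLedger()
	app, alice := NewIdentity(l, "did:example:app"), NewIdentity(l, "did:example:alice")
	a := app.Attest(alice.ID, "role", "user") // the application ID vouches for alice
	fmt.Println(l.Verify(a, app.ID, alice.ID)) // true; after l.Revoke(a) it reports false
}
```

A relying party never needs the user's password here: it checks a signature against a public key it can look up itself, and revocation takes effect as soon as the ledger entry changes.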
Significant interest – but still no immediate success
Apart from the legal uncertainty surrounding Blockchain technology and the issues raised by the EU General Data Protection Regulation (EU-GDPR), it is in the nature of classic Blockchains (e.g. Bitcoin) that basically anyone can join the network and read transactions. For many applications this public character is not suitable, and the unmanageable dependency on the whole network raises concerns about long-term feasibility and stability. In addition, the consensus mechanisms used today, especially Proof-of-Work, are quite energy-intensive. Hence, in a professional context, i.e. for private businesses and public authorities, so-called Public Permissioned Blockchains appear more appropriate. In such a Blockchain – or rather Distributed Ledger – all participants can read, but only known and approved ones can write, i.e. validate transactions. While transparency and decentralization still prevail in such a Consortium Chain, a certain degree of controllability emerges in parallel, which promises sustainability.
Digital identity via BYOI holds great potential for all parties involved. The open questions are solvable. However, a fundamental willingness to engage with this new technology is essential. A possibly significant integration effort with the existing system landscape must not be neglected – but this applies to any IDaaS. Loss of the private key on the user side would be fatal, meaning the digital identity would be lost – if no recovery mechanisms are implemented. Furthermore, it is harder to regulate a Blockchain, which by its nature lacks a central instance, as the whole network has to accept and adopt changes – here the Consortium Chain can be a way out. There are many arguments for Bring Your Own Identity via Blockchain – who will take the first step?