What is a digital identity?
We all rely on digital services for many of our daily tasks such as shopping, paying bills and banking. Whatever the digital service, when we create an account with any organization we must prove our identity. This is a standard know-your-customer business practice at many organizations. Once established, a person’s digital identity is typically authenticated with a username and password, a one-time password (OTP) or some other mechanism.
There is no way to prove one’s digital identity the same way we do with physical proof of identity in the offline world. This is because there is no standard way to verify the originality of digital documents, which is essential.
Challenges with digital identities and digital documents
Users create digital identities with organizations such as banks, online retailers, electric companies, etc. To create digital identities, supporting digital documents must be provided. For example, Internet banking can require proof of address, age, even a social security number for those in the US.
‘Digital document’ at present refers to the scanned copy of an original document. The general problem with such a digital document is that the data is unorganized: it requires manual intervention to extract the relevant details. Such digital documents can also be easily forged or morphed, which makes the digital medium unreliable. For example, John provides a scanned copy of his driving license to his bank as proof of age. To extract the necessary information from the scanned document, someone has to manually read the license to verify John’s age. The scanned document could also have been forged, because the bank did not cross-verify it with the authority that issued the driving license to John. To avoid these problems, a simple and secure solution must be devised, and one such way is to create a common online identity system.
However, assigning a common identity introduces its own set of problems. How will the identity be verified and who will verify it? Who is the identity provider? How safe will the details be when being shared by the identity issuer or identity verifier?
Ideally, an individual’s common identity would be a database with complete user information including personal details, relationship details, financial details, etc. The sensitive nature of the user’s information—including fingerprints and iris scans—raises another set of questions such as: How will the details be shared with others? Can a user’s personal details be shared with others without the owner’s consent?
Self-Sovereign Identity (SSI)
One alternative solution is a self-sovereign identity (SSI) system. SSI is an emerging concept, where the identity owner can control the data and all its attributes. Self-sovereign identity works in the same way as identity verification in the offline world. There is no centralized authority to control the workflow. The data is highly secured and remains under the control of the owner, who can decide how, when and where they distribute their identity.
The principles envisioned for an SSI system that were first detailed by Christopher Allen include:
- Existence: Users must have an independent existence.
- Control: Users must control their identities.
- Access: Users must have access to their own data.
- Transparency: Systems and algorithms must be transparent.
- Persistence: Identities must be long-lived.
- Portability: Information and services about identity must be transportable.
- Interoperability: Identities should be as widely usable as possible.
- Consent: Users must agree to the use of their identity.
- Minimization: Disclosure of claims must be minimized.
- Protection: The rights of users must be protected.
To achieve a level of acceptance and a critical mass of users, the system of digitally signing documents must utilize a public blockchain and a mobile application.
Blockchain ensures that a user’s digital signature on a document validates the identity of the user and that the original content of the document has not been changed. Blockchain is used to store the documents online, which keeps the system secure and decentralized. Using a secured blockchain mobile app will allow the user to approve or reject requests from organizations that are requesting their personal documents.
Workflow for a self-sovereign identity
The SSI solution will act as an identity wallet by creating a system that ensures data privacy and abides by security laws. Users can register with the SSI solution using a mobile app. Registered users will be provided with a unique ID and can authenticate their ID by using an OTP, fingerprint, PIN or another login mechanism.
The next step after the user registers their identity is to generate a public-private key pair, which can be done using OpenSSL. Under this system, the user can:
- Access their wallet and add or remove digital records at any time
- Categorize their information as personal, family, educational qualifications, medical history, etc.
- Create digital records by selecting the document type and entering the required details, which are called claims; for instance: I am John. I am a doctor.
Next, the digital records claimed by the user must be authorized by the respective authorities. Only then will they be considered valid. As shown in Figure 1, the user sends the digital record and corresponding proofs such as scanned documents and the public key to the approving authority. The authority then validates the digital record, maps the public key sent by the user with the digital record and signs it. The mapped public key will be validated by the requestor at a later stage. The authority could be a government body such as an election commission or passport office, or a private organization such as a medical company.
Once the digital record is signed by the respective authority, the final document is ready for public sharing. The digital record is now stored in the blockchain network of the SSI system. The blockchain network would be a public distributed ledger with user-approved permissions.
The user can use their unique ID as a reference, and this ID along with the public key can be given to organizations that request proof of identity. The organization will have a similar registration process with the SSI system and will request proofs using the user’s unique ID.
The SSI system then asks the user for approval before sharing their digital record with an organization. The user can allow or deny the request; combined with zero-knowledge proof cryptography, this protects user privacy and enables the user to disclose personal information selectively.
Once the user gives their approval, the SSI system will encrypt the record with the organization’s public key and share the proofs with the organization. The organization will then decrypt the digital record with its private key, validate the authority’s signature and verify the mapping between the user’s public key and unique ID.
Figure 1. The Process for Securely Sharing a User’s Digital Record
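The issue, share and verify steps of this workflow can be traced with the OpenSSL command line; the script below is an added example, not part of the original article or of any SSI product. The file names, the ID SSI-0001, the three-part record layout and the hybrid AES plus RSA-OAEP encryption are assumptions made for the illustration.

```shell
# Added example: constructed ID, claim and file names; not an SSI product's code.
# Assumed record layout: line 1 unique ID, line 2 claim, then the user's public key.

newkey() {  # newkey <name>: RSA-2048 private key plus its public half
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null &&
  openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# Authority: bind the unique ID and claim to the user's public key, then sign.
issue_record() {  # issue_record <unique-id> <claim>
  { printf 'id: %s\nclaim: %s\n' "$1" "$2"; cat user.pub; } > record.txt &&
  openssl dgst -sha256 -sign authority.key -out record.sig record.txt
}

# SSI system: RSA cannot encrypt a whole record, so a random session secret
# encrypts the record and RSA-OAEP wraps that secret for the organization.
share_record() {
  openssl rand -hex 32 > session.txt &&
  openssl enc -aes-256-cbc -pbkdf2 -pass file:session.txt -in record.txt -out record.enc &&
  openssl pkeyutl -encrypt -pubin -inkey org.pub -pkeyopt rsa_padding_mode:oaep \
    -in session.txt -out session.enc &&
  rm -f session.txt
}

# Organization: unwrap and decrypt, check the authority's signature (this is
# the integrity check), then check the ID and public key it was given.
verify_record() {  # verify_record <expected-id>
  openssl pkeyutl -decrypt -inkey org.key -pkeyopt rsa_padding_mode:oaep \
    -in session.enc -out session.dec &&
  openssl enc -d -aes-256-cbc -pbkdf2 -pass file:session.dec -in record.enc -out record.dec &&
  openssl dgst -sha256 -verify authority.pub -signature record.sig record.dec >/dev/null 2>&1 &&
  [ "$(sed -n 1p record.dec)" = "id: $1" ] &&
  [ "$(sed -n '3,$p' record.dec)" = "$(cat user.pub)" ]
}

run_demo() {  # returns 0 only if the shared record verifies end to end
  work=$(mktemp -d) && cd "$work" &&
  newkey user && newkey authority && newkey org &&
  issue_record "SSI-0001" "I am John. I am a doctor." &&
  share_record && verify_record "SSI-0001"
}

run_demo && echo "record verified"
```

The organization accepts the record only when all three checks pass: a signature from anyone other than the authority, a different unique ID, or a different user public key each cause `verify_record` to fail.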
Some SSI solutions record only the hashes of the digital record on the blockchain; the actual private data is saved on the user’s device and exchanged peer-to-peer with the peers of the SSI system. However, this method has an inherent security threat since the documents are stored in local storage.
Key Features of the SSI:
- Enhanced data security
- Decentralized architecture
- Secured data storage and data sharing
- Data sharing is under the control of the user
By utilizing blockchain to secure digital identities, companies will be able to increase the value-added for their customers. In an age where our most important financial and health-related information is stored online, it’s imperative that customers feel their information is safe and secure and being shared only with the necessary parties for the intended use. Companies who don’t put security first will inevitably fall behind as customers choose to only share their valuable personal data with brands they trust.