Identity management via blockchain?
2018-06-15
Why could blockchain technology play an important role in identity management? Interview with Rouven Heck from uPort by Helge Michael from main incubator
Rouven Heck is working at Consensys, a leading company for blockchain technology founded by Joseph Lubin (Co-founder of Ethereum). At Consensys, Rouven is head of product development of the uPort Digital Identity solution platform.
Rouven, why could blockchain technology play an important role in identity management?
The Economist called blockchain the ‚trust machine‘. Trust is key for an identity management system and with the availability of public blockchains this trust infrastructure can be made available to everyone. In combination with increasing access to secure devices/chips and internet connectivity, we can build a self-sovereign identity system that gives the control back to the people/individuals – away from 3rd parties.
At a basic level, the blockchain enables a user to self-register an identity without reliance or interference from a third-party. The user can now sign any type of transaction or message with his private keys, and everyone can validate the correctness by checking the blockchain.
Recently, a lot of companies are aiming to develop identity and authentication products and services. What is the reason for the strong interest in this topic?
Digitalization is happening in almost every business and in recent years, personal data has become one of the biggest economic assets. The more people are using digital services, the more data that gets gathered. This raises many concerns, including identity theft, data breaches, etc., meaning the need for a strong identity solution is increasingly important.
With the increase in digitalization comes an increase in complexity around authentication. Today, everyone is managing dozens of accounts with username/password or using federated identity systems like Facebook or Google, which leads to a trade off between security & user experience (e.g. the same password for many services, a central place to store all of them or remembering 100 different passwords), or privacy & user experience (every login with Facebook provides more information about you and your behavior to a company which makes billions in profit selling this information).
Identity is a much broader, global issue e.g. many refugees who lack access to proper identification, or other 1.1 billion people worldwide who have no way to identify themselves in a reliable way. Without identity people have hardly any chance to participate in our society – i.e. no access to financial services, insurance, and limited ability to receive aid distribution.
What exactly is a digital identity and how can a digital identity change people’s life?
I would simply define digital identity as a collection of information about a person, device, or entity consolidated into a digital representation. This usually requires an identifier with a set of attributes & attestations that allows a user to establish some form of reputation, a requirement to build the trust need to safely interact with other identities.
I assume hardly anyone could imagine a life without the internet. Almost every transaction/interaction online requires some type of digital identity, even if it’s not explicitly obvious. Digital identity is already part of everyone’s life and will only become more important with every new digital service people use.
Could you please explain what the uPort Digital Identity is?
A uPort identity consists firstly of a permanent identifier that is rooted in the Ethereum blockchain and secondly of a collection of data or credentials associated with an identity. The identifier is a address that refers to a smart contract, which is controlled by the user with a private key. Being in full control of the private key, the identifier and all it’s associated information makes the identity self-sovereign, rather than subject to 3rd party interference.
uPort’s mobile application allows a user-friendly way to manage private keys and associate data. It allows the users to login to sites seamlessly and securely without a 3rd party. It ultimately gives the user control of their data; only the user (who holds their private keys) can selectively disclose data to other trusted parties.
uPort is built on top of Ethereum, the largest 2.0 blockchain in the world. Why could blockchain technology play an important role in identity management?
Blockchains can provide the required trust such that nobody else can delete, control or censor my identity. We use Ethereum because it provides the security of a large ecosystem in combination with Smart Contract capabilities to allow user-friendly and secure key management. In a self-sovereign system only the user has control, but what happens if the user loses his phone or pin? There is no hotline or company to call, therefore we are building recovery logic into smart contracts to ensure that the user is always in control of their identity.
What happens in case of identity thefts if there is no central counterparty?
First of all it’s important to note that identity theft will be very different in decentralized identity system. E.g. after the recent hack from Equifax the information available is likely sufficient to perform identity thefts in a large number of systems for millions of people.
In a decentralized system, there are multiple ways to protect or quickly recover if someone would be able to get access to your identity. In the current model, static data like birthday, mothers maiden name or social security numbers are used to protect accounts – once leaked this data cannot be revoked and are weak links in today’s system. However, if you have to use a private key signature for every interaction, it only requires you to replace a compromised private key once and the security is established again.
The management & replacement of the private key is therefore very important – and with Ethereum we have the technology to build solutions which allow us to define a set of rules to manage/recover keys easily for the user.
“Verimi, a German identity initiative founded by a consortium of German companies including Allianz, Daimler, Deutsche Telekom and Deutsche Bank has recently concreted its plan to start an identity platform for German and European customers. Do you think in the future is room for several identity providers or do you think there will be a strong market concentration at one identity provider and the winner takes it all?
Verimi sounds very interesting and a good step towards an alternative to Google & Facebook, but from my limited knowledge from the public information, it’s ultimately a platform which is operated by one entity. This entity is in control of users IDs and their data. Therefore whilst it seems like a great offering for German and European customers, it’s not fundamentally different from existing federated systems.
I don’t believe it’s either desirable or likely that we will end up with one identity provider. I assume that to establish a truly globally accepted identity system, it needs to be an open standard technology stack, which is not controlled from any individual or group of companies. Like TCP/IP or HTTP are open standards which are adopted around the world to build the internet as we know it – I believe the future is a similar identity protocol based on the decentralized and self-sovereign principle. That is one of the reasons, why we are a founding member and strong supporter of the Decentralized Identity Foundation (DIF), which now includes a number of startup competitors as well as big companies like Microsoft & IBM as members.
The city of Zug (Switzerland) is one of the first communities in the world to offer their citizens the opportunity to get a digital identity starting September 2017. uPort has been chosen as the technological solution for this project.
What usage possibilities does a digital identity offer in Zug?
It’s great to partner with the city of Zug because they are very open to exploring new possibilities with us. In the early part of 2018, the plan is to allow citizens to get an official attestation from the city of Zug assigned to their uPort identity. This attestation will then grant access to eGovernment services like simple e-Voting on minor decisions and government-related payments, and later, potentially many more services.
Are you in discussions with other companies, cities or even countries that want to use uPort?
We are working with multiple other organizations and governments on a range of projects centered around decentralized identity rooted in the Ethereum chain. One such project which we can publicly talk about is with Brazil’s Ministry of Planning, where we developed a pilot for the government agency to leverage the blockchain to verify user identities and notarized documents.
Many governments entities not only want a better identity system for their citizens, but are also very interested in blockchain solutions and ‚Smart Cities‘. For interaction with blockchains you need to enable citizens to use private keys; for Smart Cities, in many cases, blockchain systems are seen as the best enabler for new technologies such as the Internet of Things (IoT) and therefore the foundation for modern cities. Every IoT device will need a way to identify itself – so will their owners, organisations and so on.
uPort is a member of the Decentralized Identity Foundation (DIF), a group of major companies and startups, including headliners Microsoft and Accenture.
What is the major goal of the foundation?
The goal of the DIF is to create a set of standards & practical reference clients to establish blockchain-agnostic decentralized identifiers (DIDs) and ensure interoperability across a spectrum of solutions. As more organizations work across a range of blockchain technologies, we believe DIF is the best way to enable interoperability and therefore scalability on a global level.
And last but not least, how long do you think will it take until digital identities become as self-evident as personal profiles in social networks?
I believe that we usually underestimate the time until it starts to take off, but then also underestimate the speed of adoption. My guess is it may take 3-5 years until it’s normal for people in the developed world to have a self-sovereign identity; likely double the time for a major impact in less developed countries.
Many thanks for the interview Rouven and all the best for your project.
For more information on uPort, we recommend to watch the following video.
https://www.youtube.com/watch?v=qRevDM9D8WE