Close

Using Blockchain for Identity Management – Five Compelling Examples

As cybersecurity threats become increasingly prevalent and sophisticated, the case for blockchain technology as a way to secure and improve identity management grows stronger.

Blockchain can give people more proactive control over their data and make it more difficult for unauthorized users to exploit it. Blockchain startups are exploring more decentralized data management systems by, in some cases, teaming up with financial services, technology, and government organizations to mitigate the risks of large-scale cyber-attacks and identity fraud. They’re also finding ways to give individuals, including the underserved, access to services that require valid identification and they’re able to do that much more efficiently than current know your customer processes.

In this piece, I’ll elaborate on what blockchain technology is, why there’s a need for an improved identity management system and the different use cases for blockchain identity management.

What are blockchains?

The blockchain name provides a good visual reference for how the technology works. Blockchains are digital ledgers that uses cryptography (in this case a way to protect digital information through encryption) to store blocks of data that are chronologically chained together through virtual networks distributed throughout the world. Copies are stored around the internet, making it difficult to falsify information.

Since blockchains are not centrally managed through a single organization and are designed to be tamper-proof, fraud is less likely. Users can transact directly with other users through the use of their public and private keys. There is no need for an intermediary, like a bank, to manage the transaction. Read our refresher on cryptocurrencies.

While blockchains have been around since at least 2008, they have gained traction mostly in the past several years with the rise of cryptocurrency. Larger organizations and startups are now exploring this technology as a solution for improving transactions of all sorts, from bank transfers and legal contracts to identity management.

The current state of identification management

Currently, people receive many different identification certificates, including social security and medical ID cards; however, their personal data may be stored in many places, including their bank, their insurance company, their employer, and on any subscription software they use, such as their Netflix account. Any of these intermediaries could be, and increasingly are, hacked, exploiting their users’ personal information.

In mid-2017, an Equifax data breach exposed 145.5 million users’ data. The breach was caused by a software flaw which allowed the hackers to take over the company’s website.

To combat money laundering and other illegal financial activities, financial services firms must comply with know your customer (KYC) processes. These firms collect and verify identity information to screen new customers and assess risk. The process is cumbersome and expensive—blockchain startup Civic estimates KYC costs firms $15-$20 per new customer enrolled—and prevents many people without sufficient identification documentation from opening bank accounts.

There a high risk of getting KYC wrong…You need to carry out rigorous tests on major clients at least every 12 months, and that’s very expensive. Many global banks are finding that their relationships with smaller regional banks and financial services firms are not worth the cost anymore, and they are exiting those relationships. Five years ago there was a strong correspondent banking network, and this now being dismantled.

—Joachim von Hanish, former director for Standard Chartered

The onus is on organizations to verify and protect users’ data. Legacy systems, improper data management, inefficient verification processes, internal systems exposed to malware, and faulty third-party applications make it too easy for a sophisticated hacker to access personal information.

A Department of Justice study found identity theft cost Americans $15.4 billion in 2014. It also costs Americans a combined 20.7 million hours to resolve identity fraud. The Canadian Council of Better Business Bureaus estimates identity theft costs more than $2.5 billion a year to consumers, banks, credit card firms, stores and other businesses in Canada. Stolen information includes names, addresses, social security numbers, and in some cases, driver’s licenses and credit information—everything needed to open a fraudulent credit account.

Organizations, such as banks, credit agencies and government institutions, are a weak point in the current identity management system because they’re vulnerable to hacking and data theft. The annual 2017 Identity Fraud Study found 6.15 percent of the US population were victims of identity fraud in 2016, up by more than two million from the previous year.

Blockchains can remove the intermediaries and allow citizens to manage their own identity. Let’s explore some use cases.

Blockchain Identity Management Use Cases

The blockchain is currently being tested in several use cases. Here are some of the more prominent ones related to identity management.

The Civic App

People need a more secure way to manage their identity than paper-and-plastic certificates, and they also need an easier way to monitor their accounts for signs of identity theft. The Civic App allows users to authenticate and verify the use of their information in real-time. The app also helps organizations expedite the process of, and cut costs for, identity verification.

An individual can download the app to their smartphone and use it like a virtual ID card. Civic Identity Partners, such as a government agency, can push authenticated identity information to the app while also acting as a trusted authentication authority. Since this is all done via blockchain, Civic does not store the data on a single, hackable server. Users also access their accounts through biometric verification (fingerprint or 3D facial recognition) which provides an extra level of security should the user lose their smartphone.

When a user needs to submit proof of identity for a new bank account, for example, the bank can verify the person’s identity and risk much faster because the app would stand in place of the current KYC process. The user would scan a QR code from the bank, submitting a request for information. Once the account holder approves the request, the bank receives a verification and the transaction is recorded on the blockchain.

Similarly if a user wants to create a new online cryptocurrency exchange account, they can scan the site’s Civic QR code and instantly verify their information instead of needing to submit a photo of their government-issued ID and connect another account. This could also improve the process for people who want to participate in initial coin offerings. Note that Civic actually raised funding via an ICO has been active in securing partnerships since their launch.

Civic also acts as an early warning system for identity theft. Users will receive notifications when Civic believes their information is being compromised or used fraudulently. The company is currently offering an employee benefits program with Zenefits integration to help employers prevent cyber-attacks from within.

SecureKey and IBM Blockchain

A similar idea to Civic is being applied in Canada with SecureKey, a digital identity network built on IBM Blockchain (which is built on top of the Linux Foundation’s open source Hyperledger Fabric v1.0). Starting in 2018, Canadians will be able to more quickly verify their identity, using their smartphones, to sign up for new bank accounts, driver’s licenses, and utilities.

Users will need to have their identity already verified through a trusted source like a bank or credit agency, but that one verification will provide the credibility needed to quickly sign up for other services without needing go through the whole KYC process again. Backed by Canada’s leading banks as well as the Digital ID and Authentication Council of Canada and the Command Control and Interoperability Center for Advanced Data Analytics, the project will allow citizens to privately share their data, and to only share the data needed to access the service they apply for.

ID2020 Digital Identity

In June 2017 Microsoft and Accenture unveiled a new tool that combines biometric data with blockchain technology to create permanent identity records. The tool, which is still unnamed and in the prototyping stage, would be particularly useful for refugees to verify their identification.

“Approximately one-sixth of the world’s population cannot participate in cultural, political, economic and social life because they lack the most basic information: documented proof of their existence. Establishing identity is critical to accessing a wide range of activities, including education, healthcare, voting, banking, mobile communications, housing, and family and childcare benefits,” Accenture explained in a news release.

MONI

In a similar line, asylum seekers in Europe can receive a prepaid Mastercard developed by Finnish startup MONI. The card is linked to a unique digital identity on the blockchain, acting like a bank account and an ID card in one. For those without official documents, MONI allows them to pay bills, buy groceries, and gain employment. Immigration Services can monitor transactions but only public keys will be visible in relation to these transactions. No one will have direct access to accounts except for account holders.

The MONI app can also be used by travellers, who can link all their credit and debit accounts to the app. If their MONI card gets stolen while abroad, or they lose their smartphone, they can monitor transactions and block the card altogether from any web browser.

E-Stonia

With a relatively small population (1.3 million people), Estonia is the test case for digital government. Part of their effort to move all government-related transactions online, including voting and filing taxes, is the Estonian ID card.

The blockchain-powered identification card allows Estonians to access e-services like banking and medical prescriptions through their digital signature. No more waiting in line at a government office to verify identification that can be easily lost…in theory.

Estonia’s former president, Toomas Ilves has been very vocal about scaling this model across the European Union. The software, operating systems, and technical architecture are currently available for free to help other countries build similar services. They also offer a e-resident program that extends some of this identity functionality to residents of any country.

While this is an exciting development, it requires a very high security level. Unfortunately, a flaw in the cards’ Infineon chips made it easy for someone to find a user’s private network key through their public key, affecting 760,000 cards. The same flaw affected around 60 million smart cards in Spain. The “ROCA Flaw” has the potential to disrupt voting, undermine national identity cards and cybersecurity at the government and corporate level. ID databases have been closed in Estonia and in Spain’s Basque region, certificates have been revoked on the smart cards, rendering them useless as digital signatures until updated or replaced. Private keys will be harder to decode in the future.

 

Blockchain as an identity management solution is still nascent when viewed broadly though a general technology perspective. When viewed strictly in a blockchain context, identity management is one of the most immediate use cases. It provides a promising opportunity to mitigate identity theft and fraud, and reduce costs and time spent on KYC processes. At the same time, it also provides opportunities for refugees to start fresh, with access to jobs, banking, and other services. Digital identity holders will be able to access services more efficiently and control how much of their data is shared. While cybersecurity concerns are a real concern still, improved technology will build trust in this new way for people around the world to manage their identity.

About the Author

Josh Davis is a Strategist with ITFO Communications and Managing Editor on the blockchain and cryptocurrency research team. He has over a decade of experience in financial services and technology communications, helping clients implement tangible, multi-year global programs by leveraging future trends. His research on emerging technologies has been quoted in top publications, including The New York Times, Tech Crunch and Forbes.
Email

Write Your Comment