
Fulfilling the Potential of Digital Identities: Blockchain, Privacy, Security Challenges & How to Overcome Them

April 17, 2019
4 minutes read
Category: Security
Author: Harry Cheung

This might come as a shock, but do you know that over 1 billion people in the world have no official proof of identity?

What this means is no voting rights, no access to financial institutions or healthcare, and a systemic violation of basic human rights.

I’m sure you will agree with me that this is simply unacceptable, especially when you consider the wide variety of issues implementing digital identity systems as part of a larger digital transformation would help solve.

And we know all these benefits; I myself have written a plethora of posts on these topics on the IPification blog. After solving the issues with digital identity proofing (KYC) to prevent the creation of synthetic identities, the challenges of managing digital identities, and how to overcome those challenges, also need to be discussed.

With its huge potential and the fact that 161 countries in the world right now have ID systems that use digital technologies - however efficient or not they might be - it is the perfect time to delve into the realm of these issues and the possible solutions.

More specifically, in this post, I’ll tell you about the major challenges to establishing efficient digital identity systems - blockchain, privacy and security - and the possible solutions to overcome them.

Is Blockchain the right technology to use for digital identity management?

By now, there aren’t many people in the world who haven’t heard about blockchain. And since its main features include that it’s anonymous, untrackable and decentralized, it’s easy to see why many heads turn this way when the question of managing digital identities comes up.

Let’s start with its decentralization. In the modern age, fewer and fewer people trust their governments to safeguard their personal data and identity. As such, blockchain used in this aspect sounds appealing to many people.

Yet, one has to wonder if this technology is developed enough to be widely used in such a way, especially when the question of whether blockchain is actually untrackable is raised.

I’ll give you the short answer - not really, although it is effectively anonymous. You can see who has interacted with whom and when, but all under anonymous nicknames. Matching these to actual identities is not simple; it’s actually very difficult to do.

But need I remind you that over $1.8 billion in cryptocurrency was stolen in 2018?

Add to that the fact that there is only a 1 in 5 chance that money stolen in this way will be returned, and it’s safe to say that blockchain, or at least blockchain alone, still isn’t ready to be the supreme digital identity managing technology.

Let’s say someone steals your digital identity managed on the blockchain. How will you get it back? Or, will you be able to get it back?

So what can we do? Why not mix in the good old public key infrastructure (PKI)?

PKI supplies what blockchain lacks to actually be feasible for digital identity management in today’s society.

First of all, it’s compliant with different privacy laws. It offers the must-have ability to delete some information from your record as well as transparency as to who has looked at your data.

While blockchain would provide privacy at a more acceptable level for the ever-more skeptical user of today, it’s important to remember that we still have to abide by laws. Just think: if you were stopped in the street by a police officer requesting to look at your ID, would you consider it an invasion of privacy? Probably not.

From there, some suggest basing this centralized identity service on blockchain. This means that only those who have your data could see it, only trusted third parties could see the metadata of your transactions, and you are well aware of who is looking at your data.

Though the implication of this method would be that you would have to have some identity provider you can trust, it isn’t much different than trusting your government with your identity as it is now.

Maybe most importantly, this isn’t all theory. It actually happens to function very well in Estonia where people have been using this system for taxes, healthcare, voting, etc. since 2012.

They use a third-party service provider there for the digital identity service, separate from the government, and unable to use any of your data by law. Other third parties then evaluate this service provider against the ISO standards to provide another level of trust.

If what you like about blockchain is that it’s not controlled by the government, but you would still like to be able to control the data in your record, combining these two, although not actually decentralized, just might be the way to go.

But it seems that in this discussion, one important aspect is often forgotten.

Authentication as the proof of identity to tie effective digital identity systems together

So, what good is a great digital identity system if the authentication technologies used as proof of identity are ineffective? And this type of security, especially on mobile, considering that over 5 billion people were connected to mobile services in 2007, should also be a priority.

I’ve said this many times and I’ll say it again - to actually be effective, security needs to be implemented in the design phase of a project. If you ask me, an ongoing multi-factor authentication system would be the one to go with, as long as it doesn’t unnecessarily overcomplicate the process for the end user.

There are many authentication options available today, and you use at least three different ones (try passwords, 2FA or biometrics). What it all boils down to is how effective these solutions are.

Well, not very - and you’ll notice a pattern here - at least not on their own.

If any or all of them are used, they should be part of a larger ongoing authentication system. Only in this way will they provide the needed level of protection in an era where more than three-quarters of users across Asia, for example, have experienced some type of online theft.

And don’t forget the value which users assign to the convenience of authentication options when taking your pick. Although it might seem strange to you, they actually prefer it to security.

A way to provide both, and also to decentralize the whole process of managing digital identities even further by including another trusted third party, already exists.

At IPification, we believe that mobile network operators are the key to mobile identity.

It’s their wide coverage, combined with the increasing number of mobile users and the operators’ technological capabilities to run secure cryptographic operations (which is precisely the data that IPification relies on), that makes them the best candidate.

Going back to Estonia, mobile operators there enable users to have their digital identities on their phones along with their digital signatures so they can access any e-services and even vote in this way.

So, we know that it works! And our solution is here to enable it.