Why Blockchain Isn’t A Feasible Authentication Solution, At Least Not Any Time Soon

April 30, 2019
4 minute read
Category: Mobile Identity
Author: Harry Cheung

Let’s play a short game of association - I’ll give you a couple of buzzwords, and you tell me what the first thing that comes to your mind is.

Cyber attacks, data breaches, digital identity management, security, privacy, authentication.

Now, I’m going to go out on a limb here, but my guess is the majority of you thought of blockchain, hailed as the new technology that might, someday, be the perfect solution to mitigating these issues.

But is that actually the case?

Here is what I think - potentially, yes, but only after many modifications, discussions, compromises and only after a final consensus has been reached.

We’ll go into all of that a little bit later. For starters, let’s see what blockchain is, what it is used for and how it can translate to digital identity management and authentication.

Peer-to-peer distributed, immutable ledger of information with no intermediary

Chances are, even if you don’t know much about blockchain, you know that it’s some type of technology used for Bitcoin. And that’s true - but, it’s not a type of technology limited to Bitcoin. Or cryptocurrency at all.

Blockchain is a peer-to-peer distributed, decentralized, immutable ledger of information that consists of many blocks tied together, one after another. In the case of cryptocurrency, each block holds a record of transactions that the majority of participants have agreed is valid, so no single authority decides what goes into the ledger.

Blockchain eliminated the need for “middle-men” which is precisely what attracts many users who are skeptical of having an authority control their data, and with all that has been happening lately, understandably so.

And because it is peer-to-peer distributed, the ledger cannot simply be changed on one computer; once again, the majority of participants would have to approve any change, which makes the technology much harder to abuse.
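To make the "tied together, immutable" description concrete, here is a minimal hash-chained ledger in Python. It is an added illustration written for this page, not code from the original post and not how Bitcoin itself is implemented; the record format, the `GENESIS_HASH` constant, the simple majority rule and the sample transactions are all assumptions chosen for the demonstration. It shows three things the paragraphs above describe: each block commits to the previous block's hash, so editing one record on a single copy breaks every block after it; an editor can repair their own copy by recomputing the hashes, but that produces a different chain; and peers that compare the chain tip against a majority of other copies reject the rewritten one.

```python
import hashlib
import json
from dataclasses import dataclass

# Hash that the first block links to (an assumption for this demo).
GENESIS_HASH = "0" * 64

# Constructed sample transactions; purely illustrative.
SAMPLE_RECORDS = [
    {"from": "alice", "to": "bob", "amount": 5},
    {"from": "bob", "to": "carol", "amount": 2},
    {"from": "carol", "to": "alice", "amount": 1},
]


@dataclass
class Block:
    index: int
    prev_hash: str
    record: dict
    hash: str = ""


def compute_hash(index: int, prev_hash: str, record: dict) -> str:
    """SHA-256 over the block's position, its link to the previous block,
    and its record. Changing any of the three changes the hash."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "record": record},
        sort_keys=True,
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(records: list) -> list:
    """Append records one after another, each linked to its predecessor."""
    chain, prev = [], GENESIS_HASH
    for i, rec in enumerate(records):
        h = compute_hash(i, prev, rec)
        chain.append(Block(i, prev, rec, h))
        prev = h
    return chain


def verify_chain(chain: list) -> int:
    """Return the index of the first inconsistent block, or -1 if the
    chain is internally consistent."""
    prev = GENESIS_HASH
    for block in chain:
        expected = compute_hash(block.index, block.prev_hash, block.record)
        if block.prev_hash != prev or block.hash != expected:
            return block.index
        prev = block.hash
    return -1


def tamper(chain: list, index: int, new_record: dict) -> list:
    """Simulate one node editing a record on its local copy without
    touching the stored hashes. The original chain is left untouched."""
    copy = [Block(b.index, b.prev_hash, dict(b.record), b.hash) for b in chain]
    copy[index].record = new_record
    return copy


def relink_from(chain: list, start: int) -> list:
    """Recompute hashes from `start` onward so the edited copy is
    internally consistent again. The result is a different chain."""
    prev = chain[start - 1].hash if start > 0 else GENESIS_HASH
    for block in chain[start:]:
        block.prev_hash = prev
        block.hash = compute_hash(block.index, prev, block.record)
        prev = block.hash
    return chain


def majority_agrees(replicas: list, candidate: list) -> bool:
    """Toy consensus rule (assumption): a chain is accepted only if more
    than half of the peers hold the same tip hash."""
    tip = candidate[-1].hash
    agreeing = sum(1 for r in replicas if r[-1].hash == tip)
    return agreeing > len(replicas) / 2


if __name__ == "__main__":
    honest = [build_chain(SAMPLE_RECORDS) for _ in range(3)]
    edited = tamper(honest[0], 1, {"from": "bob", "to": "mallory", "amount": 2})
    print("first broken block after edit:", verify_chain(edited))
    relink_from(edited, 1)
    print("edited copy consistent after relinking:", verify_chain(edited) == -1)
    print("majority accepts edited copy:", majority_agrees(honest + [edited], edited))
```

Run the file directly to see the three outcomes; the important one is the last line, where a locally consistent rewrite is still rejected because the other copies disagree on the tip hash.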

So, how does it translate to the management of our digital identities?

A decentralized, private blockchain for digital identity management

How would a decentralized, anonymous service like this possibly be able to manage our official, government-issued identities online? How do we connect these diametrically opposite attributes?

The answer is - we don’t. What we do instead is take the best parts of blockchain technology, but also compromise for it to be able to carry the title of digital identity manager.

As I wrote in my last post about blockchain in digital identity management, we can deal with the aspect of anonymity, even if it sounds like the biggest issue when it comes to managing our official identities.

This is because blockchain is only effectively anonymous, not truly anonymous: all interactions are public, just recorded under anonymous nicknames. While there would certainly be some mechanism for delivering our actual data to whoever legitimately demands it at a given point, we have to think about the possibility of abusers matching these nicknames to our actual identities. Of course, that would be incredibly difficult, but we have to remember that over $1.8 billion in cryptocurrency was stolen in 2018.

Still, the bigger issue here is decentralization - from the point of creation of an identity (remember the good old KYC), to the verification of data or any changes to it.

For it to actually be able to manage digital identities, the blockchain would have to be based on some type of centralized service, and this doesn’t have to be the government. It could simply be some trusted identity provider.

That is precisely what the system is like in Estonia, where people have been using it for taxes, healthcare, and voting since 2012. They rely on a third-party identity provider separate from the government and unable to use any of your data by law. To increase the level of trust, other third-party service providers actually evaluate them against the ISO standards.

What about blockchain for authentication? Will it ever live up to its promise?

Maybe, but not anytime soon - the biggest reason being that blockchain for cryptocurrency transactions and blockchain for digital identity management and authentication are very much different.

In cryptocurrency transactions, blockchain was a tool that allowed complete strangers to execute transfers without having to know anything about each other and without relying on any type of centralized authority. And for that purpose, blockchain is great.

However, I think you can tell why using blockchain, at least in its original form, for authentication could be problematic.

The blockchain ledger is public by default, which raises significant privacy concerns. Even if your data were encrypted, that doesn’t mean people couldn’t decode it, or at least trace it back to you. When dealing with sensitive information like this, I don’t think anyone would truly feel comfortable with that.

If we opted for a private blockchain instead, we would be back to the issue of decentralization. Add to that the fact that, because this is your identity, we would need some type of identity proofing, and it’s clear that decentralization is not something to count on if we wanted to use blockchain in this way.

Furthermore, what about the verification and management every time someone wanted to authenticate? Who would do this?

Shouldn’t it be people since, you know, it is peer-to-peer distributed? Sure, it could be. But, remember that blockchain consumes loads of energy, and don’t forget one big difference - in the bitcoin blockchain, miners get issued a certain number of bitcoins in exchange. What would they receive for helping manage and verify authentication attempts?

And then there’s the issue of time. You might know that the bitcoin blockchain adds a new block roughly every 10 minutes (and it is closer to an hour before a transaction can be considered settled), which is acceptable when you want to transact cryptocurrencies. I’m sure you’d agree that when it comes to authentication, this is not fitting and something would have to be done about it.

Apart from that, and possibly the scariest of all, what if someone steals your private key which is your only connection to the digital identity in this hypothetical world?

If we presume that we’ve decided on the public and decentralized blockchain, you could wave your identity goodbye.

Don’t forget that in the bitcoin blockchain, you, and you only, are responsible for the safety of your cryptocurrency wallets. And then there’s the fact that there is only a 1 in 5 chance that stolen cryptocurrency will be returned.

If we opt for a private and at least partially centralized blockchain, which right now seems like something we would have to do, this could potentially be avoided. Then again, I don’t think a private and centralized blockchain sounds very appealing to the masses.

In addition, this topic is very complex for most people. The question of whether they would be comfortable having their identity managed and authenticated in this way has to be raised.

So, ultimately, after lots of discussions, modifications, and everybody coming to a consensus on the capacity in which blockchain is to be used for digital identity management and authentication, it could live up to its promise.

Personally, I don’t think something as important as identity management and authentication should be so complicated - and especially not when there are simpler, just as secure options out there ready to be implemented right now.