Blockchain - The golden bullet to Identity part 1
Introduction
I’ve been hearing ‘Blockchain’ a lot, but not a lot about what it is, or what it gives you, or how it will change the way we live – which allegedly it will. Oh yes, and it’s a foundational tech. for Bitcoin.
One of the applications of blockchain is in identity verification, which is what has caused me to get out the cyber-spade and do a bit of digging.
Identity Verification
Identity verification is the next step in Identity and Access Management (IAM) and or Identity Relationship Management (IRM). IAM platforms can deal with securely managing access for users, but how do we know who those users are who signed up in the first place? It is important to establish specially in financial services industries to be able to know that the person who just signed up is the real ‘John Smith’ who owns the pension (say) that your firm holds for him, and not just any John Smith with the same birthday, or some attacker who has been able to get hold of enough Personally Identifiable Information (PII).
Financial services call this requirement to identify the customer ‘Know your Customer’ (KYC). And meeting the need usually requires anything from providing household bills, to turning up in persion with a passport. The gov.uk/verify initiative is an attempt to provide a service from a set of identity providers who then verify that the digital credentials that they provide are attached to real people, to varying degrees of assurance depending on the checks being caried out. The government has sanctioned a set of these providers, e.g. Experian to be authoritative sources of these verified identities. It then uses these identies in its online services (e.g. for tax returns) via federation (SAML, OpenID).
The use of these sanctioned providers gives the customer a choice, and is slightly designed to remove the spectre of a ‘government identity’ scheme. Another benefit it gives the government is that if there ever is a compromise of one of the systems, a) it won’t be the government at fault, and b) users can use one of the competing companies.
Now start-ups are also coming into the market-place to provide this identity verification service. Tradle, for instance will allow you to scan your passport and/or other bits of real-world ID, and then take a photo of yourself using your web-cam. This capability was interesting for a project I have been working on, and a colleague mentioned their service so I took a look at their web-site to learn more. On their web-site the blurb about the verification service takes a real back-seat to the blurb about the use of block-chain. My first reaction to this is: “Eh?”
A little bit of digging has turned out a whole slew of similar companies and open source initiatives, see here: https://github.com/peacekeeper/blockchain-identity. Blockchain is used not just in identity. Most famously it is used in cryptocurrency, the most well-known of which is Bitcoin. There is a lot of buzz about the concept, and a lot of investing going on (e.g. http://www.blockchaintechnologies.com/blockchain-investments) as well as many companies including wired (http://www.wired.co.uk/article/wired-money-2016-startup-stage-bitcoin-blockchain). Forrester and Gartner are giving out verdicts of the nature that the technology is interesting but possibly overhyped at the moment.
So is blockchain an essential part of identity verification, or has blockchain just been added as a feature by these firms in order to attract investment? I will write more about blockchain in my next blog post and try to understand why we would use Blockchain, known for anonymity, for identity.