COVID Test and Decentralized Identity
Once a vaccine for COVID-19 becomes available for use in the United States, officials will start the process of delivering doses to states, counties and cities and will oversee their administration to citizens. This is a historically complex challenge: making sure that enough vaccines are distributed in a quick, effective and, if possible, equitable way. The process is expected to take at least a year to complete. Because not all Americans will be vaccinated right away (some may simply refuse the vaccination), employers will need to obtain proof of vaccination or of a sufficient presence of COVID-19 antibodies before welcoming their employees back into the office.
One question instantly arises: How will employees show proof of COVID-19 immunity to their employers?
2 systems to discard at all costs: Passwords and centralized repositories
How would you feel if you were to go to your neighborhood lab to get a COVID test and you were told upon taking it that (1) the information you’ve shared during the check-in process (first and last name, physical and email addresses, phone number, SSN, allergies and current medications, among others), (2) the result of your test and (3) a means of payment you gave during the check-out process were stored in an insecure way, along with the information pertaining to millions of other users, and you have absolutely no say whatsoever about it and especially no access to your data? You will only receive an email seventy-two hours later with your COVID-19 test results. Of course, you can feel free to print the results out and show them to Uncle Rob and Auntie Connie who, because of their advanced age and their wise belief that COVID is not a hoax, want to make sure their relatives won’t infect them over Thanksgiving dinner. It’s their time to host…
To quickly summarize, the lab relies on a third party to store your data, and in 99.99 percent of the cases it is in a centralized repository. Since you cannot access any of it, who can? At a minimum, a lab employee who needs to input your test results and whoever is in charge of keeping the data storage system up and running. In 99.99 percent of the cases, at least one of these two individuals accesses the system with a username and a password. And, if they are more sophisticated, they might also need a second factor of authentication. Maybe. What are the implications of this? 81 percent of data breaches are the result of password mismanagement. In the first eight months of 2020, nearly 16 billion records were exposed, with 8.4 billion records in Q1 of 2020 alone. This represents a 273% increase compared to the first semester of 2019, during which 4.1 billion records were exposed (Source: Security Boulevard). As for the impact of COVID-19 on the data breach landscape: 80% of data breaches have occurred because of either stolen credentials or brute-force attacks. When you take a closer look at the companies that suffered data breaches, there were two common denominators: password mismanagement and data stored unencrypted in a centralized database.
Finally, once a data breach has occurred and the data the lab sent is compromised, anyone with stolen credentials can simply change the information that pertains to you. You were COVID negative? With a click of a mouse, you’re now COVID positive. And that means you cannot return to work. Anyone with access to a centralized system can create, read, change and delete data. And, as a user, you have no recourse whatsoever. You may not even know that your data has been hacked.
Decentralized identity: The viable alternative
At 1Kosmos, we have gone beyond offering workforces and customers what is commonly referred to in the industry as a passwordless authentication solution that simply eliminates usernames and passwords. From day one, we knew this was far from satisfactory. To that end, we have focused our development efforts on providing users with the ability to create indisputable digital identities that are then leveraged for indisputable authentication. During each stage, advanced biometrics are involved. And we store the data that pertains to users’ digital identities encrypted in a private blockchain. A digital identity stored in the blockchain is called a decentralized identity.
Decentralized identity represents an unavoidable paradigm shift in the way users can access and share their personal information. In other words, decentralized identity gives individuals power back over their identity. And decentralized identity cannot be dissociated from the very essence of blockchain technology. Blockchain technology offers unique characteristics that solve problems of trust and make it a great fit for identity solutions:
- Blockchain is immutable. Once data is written, it cannot be altered in any way.
- Blockchain is decentralized, which means that no central authority controls the data, so there is no single point of failure and no one who can override a transaction.
- Data stored in the blockchain is encrypted.
More concretely, how does it impact the security of the data that pertains to your identity, including the results of your COVID test? Today, if someone knows an SSN or a password, it is assumed that he or she is the individual represented by this information. Also, if a hacker has access to your personal information, then he can easily impersonate you. Decentralized identity is about leveraging modern cryptography to create a decentralized identifier (in compliance with the W3C guidelines) for verifiable, self-sovereign digital identity. The decentralized identifier is entirely under the control of the user and independent from any centralized registry, identity provider, or certificate authority. And the control of the identifier is proven using modern cryptography that includes cryptographic hash functions. In other words, no one else but you can access your COVID-19 test results and share them.
Lastly, to authenticate, the user can utilize a smartphone. In the process of creating a digital ID, a private key is stored inside the secure enclave of the user’s smartphone. To authenticate, the user proves control of the private key associated with a public key published in a decentralized identifier document that, like the COVID-19 test results, is stored in the blockchain. Then, if the test results are negative, the user can show irrefutable proof that he or she is indeed negative for COVID-19.
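The proof of key control described above can be sketched as a challenge-response exchange. This is an added example, not 1Kosmos code and not part of the original article; it assumes Ed25519 signatures, an in-memory map in place of the blockchain registry, a constructed `did:example` identifier, and hypothetical function names, with the private key held in a variable where a phone would keep it in the secure enclave.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// registry is a constructed in-memory stand-in for the ledger: DID -> public key.
var registry = map[string]ed25519.PublicKey{}

// Enroll publishes a new public key under the DID; the private key stays with the holder.
func Enroll(did string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	registry[did] = pub
	return priv
}

// NewChallenge returns a fresh random nonce chosen by the verifier.
func NewChallenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // never issue a predictable challenge
	}
	return nonce
}

// Respond runs on the holder's device: it signs the DID together with the nonce.
func Respond(priv ed25519.PrivateKey, did string, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(did+"|"), nonce...))
}

// Verify looks up the published key and checks the signature over this nonce.
func Verify(did string, nonce, sig []byte) bool {
	pub, ok := registry[did]
	return ok && ed25519.Verify(pub, append([]byte(did+"|"), nonce...), sig)
}

func main() {
	did := "did:example:alice" // constructed identifier
	priv := Enroll(did)
	first, second := NewChallenge(), NewChallenge()
	sig := Respond(priv, did, first)
	fmt.Println("fresh response accepted:", Verify(did, first, sig))
	fmt.Println("replayed response accepted:", Verify(did, second, sig))
}
```

Because the verifier picks a new nonce each time, a captured signature is useless against the next challenge, and a signature made with any other key fails against the published one.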
To conclude: The future of identity is already here
Today, governments and corporations can already leverage the undeniable benefits of decentralized identity and at the same time eliminate risks associated with identity compromises. Even though companies like Microsoft and Mastercard are working on digital identity concepts, there is still an overall resistance. Why? Paradigm shifts represent drastic changes, and changes are scary to most. It means opening one’s mind to the use of new technologies that still have a bad rap, like blockchain. At the end of the day, user security is key to building trust. And without trust, there is no business.