Some say that in the real (physical) world, to prove one’s identity is an unambiguous process. For example, when you show up at an airport’s TSA security check, you’re required to show a government-issued credential such as a driver’s license or a passport, and the TSA agent can see that you are who you say you are. If you’re going to check into a hotel room, you show your ID and a credit card, then the hotel’s employee is able to physically see that you are who you claim to be. Oh, is that so…?

To prove one’s physical identity is highly ambiguous

Have you ever heard of perfect counterfeit driver’s license holograms that easily pass TSA? And what about fake (also called synthetic) identities created with kids’ social security numbers, which are then used to open real bank accounts and issue real credit cards? Then, those fake identities and credit cards are used online to extend the scope of the fraud. Actually, the verification process gets even more opaque in the digital world, because businesses must find a way to verify that you are who you say are, even though you are not physically present to show your ID or documentation. So, organizations must find a way to make sure that your digital identity matches your real-world identity.

What does it mean to digitize an identity?

By definition, a digital identity is “the compilation of information about an individual that exists in digital form,” and that is grouped into two categories: Digital attributes and digital activities. Digital attributes include a date of birth, medical history, identity numbers (SSN, driver’s license), government-issued identities (passport, driver’s license), bank details, login credentials (username and passwords), email address, biometrics (fingerprint, eye scan, 3D face map) as well as badges and tokens. Digital activity includes likes, comments, shares, and photos on social media, purchase history, forum posts, search queries, signed petitions, geotagging, downloading apps, and cell phone usage. The use of these attributes, either as stand-alone or in a combination, can be used to identify an individual digitally.

What attributes should be used to build a digital ID?

As soon as I read the list of attributes that compose each one of these two categories, the first word that came to mind was privacy. The second one was ethics. That certainly doesn’t reflect much confidence in what’s being proposed… Let’s face it, there is no way I want anything that pertains to my private digital life to be leveraged to establish whether I am worthy of opening a bank account or booking a trip online. Should the fact that I signed a digital petition against fracking in Western Texas ten years ago prevent me from accessing certain services on the Internet? This may sound a bit extreme, but who knows what policies will be in place in the near future, especially since social media companies and search engines already sell my information to the highest bidder without my consent.

How should an acceptable digital ID be constructed?

An acceptable digital identity is a compilation of attributes that make the individual’s ID proofing process indisputable. What does this entail? First, the process must solely involve digital attributes to mitigate risks inherent to privacy and/or ethical breach. Second, the process should be based on the triangulation of a claim (the individual’s ID photo, address, last name, etc.) with a multitude of company or government-issued documents (driver’s license, passport, etc.) as well as sources of truth (government databases, passport’s issuing country, passport chip, credit cards, bank account, etc.), including advanced biometricslike a liveness test. This ID proofing process eliminates the use of login credentials. Usernames and passwords are no longer needed. The motivation for this is simple: 81% of data breaches are caused by poor password management. Therefore, any system that leverages passwords and weak 2FA such as SMS and Email cannot assure the integrity of an individual’s identity.

How to store digital ID data?

Most organizations store user identity information in centralized databases, oftentimes supported by legacy software, that operate with numerous single points of failure. Large, centralized systems containing the personally identifiable information (PII) of millions of user accounts stored unencrypted are high targets for hackers. Actually, data breaches mainly target PII: 97 percent of all breaches in 2018. Regulatory legislation and enterprise efforts to increase cybersecurity don’t seem to cut it, since 2.8 billion consumer data records were exposed at an estimated cost of more than $654 billion in 2018, actually making 2018 the second-most active year for data breaches on record.
The only alternative to centralized systems is decentralized systems. The user data is stored encrypted in the Blockchain, which virtually eradicates the risk of cyberattacks. A Blockchain network is an infrastructure that puts control in the hand of the end user. So, the user remains in control of a private key that protects his or her personal and financial information at all times and, when his or her data is about to be shared with a third party, he or she consents to send only the information that is pertinent to be shared. With a Blockchain network, most domestic and international guidelines on transparency, privacy rights, and data security are being respected and followed. Cryptocurrencies use blockchain technology to keep transactions safe and private. These are the exact attributes that we need to apply to identity – safety, and privacy.

To conclude: It’s all about asking oneself the right question

If an organization cannot answer for sure that an employee, a customer, or a citizen who accesses its systems, applications, and/or website is who he or she says he or she is, then the identification and therefore authentication system is broken. The organization cannot trust whether this individual truly is an employee, a customer, or an existing citizen, along with his or her intentions. There is a solution that triggers the unequivocal answer, “I am sure!” And it involves indisputable ID-proofing, along with the use of advanced biometrics for authentication. On the employee, customer, or citizen side, the question that needs to be answered without hesitation is, “Can I trust this organization?” To store user data encrypted in the Blockchain is the assurance that those employees, customers, and citizens will not find their personal and financial information for sale on the Dark Web.

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More