The promise of managing identity on the blockchain
By Ron Miller for TechCrunch
Blockchain, the secure distributed ledger technology first created to track bitcoin ownership, has taken on a number of new roles in recent years tracking anything of value from diamonds to real estate deeds to contracts. The blockchain offers the promise of a trusted record that can reduce fraud. Some industry experts say that over the coming years, it could be used to control identity information in a more secure fashion.
As we have seen just last week with the massive Equifax hack, our personal information is highly vulnerable in online databases in their current form. The fact is that whenever we have to identify ourselves, we are forced to present a variety of information to prove we are who we say we are, whether that’s to register for an online service, to cross a border or even to prove we are old enough to drink at a bar.
The argument goes that if our identity were on the blockchain, it would give us more control over this information, and with proper applications allow us to present just the minimum amount of information a given party needs to identify us. That could be your date of birth at a bar, your credit score at a bank or a unique identifier to access an online service.
It’s unclear if the blockchain can be the identity panacea that some have suggested, but there is a range of opinions on the matter.
Yes, it’s happening
Of the experts we contacted, only one was fully enthusiastic about blockchain as an identity tool. Jerry Cuomo, IBM Fellow and VP of blockchain technologies, sees blockchain already having a big impact as people demand more control of their identities. He says that we are constantly being asked to share personal information to access places or information or to do business with companies — and that each of these actions puts us at risk for identity theft. He believes the solution to this problem could lie on the blockchain.
“Imagine a world where you are in direct control of your personal information; a world where you can limit and control how much information you share while retaining the ability to transact in the world. This is self-sovereign identity, and it is already here. Blockchain is the underlying technology paving the path to self-sovereign identity through decentralized networks. It ensures privacy and trust, where transactions are secure, authenticated and verifiable and endorsed by relevant, permissioned participants,” Cuomo explained. In fact, he says that he’s already seeing businesses and governments beginning to establish and use these networks to meet citizen demand and deliver the promise of self-sovereign identity.
No, probably not
It sounds pretty good to hear Cuomo describe it, yet not everyone is as enthusiastic as he is, and many see obstacles to using the blockchain for identity purposes. Steve Wilson, an analyst at Constellation Research who has studied the blockchain extensively, has serious reservations about it as an identity management system.
“Identity is not going to move to the blockchain in any big way (not as we know it). Blockchains were designed to solve problems quite different from identity management (IDM). We need to remember that the classic blockchain is an elaborate system that allows total strangers to nevertheless exchange real value reliably. It works without identity and without trust. So it’s simply illogical to think such a mechanism could have anything to offer identity,” Wilson explained.
He adds, “The public blockchains deliberately and proudly shirk third parties, but in most cases, your identity is nothing without a third party who vouches for you in some way. Blockchain is great for some things, but it’s not magic, and it just wasn’t designed for the IDM problem space.”
Eve Maler, who works at identity management firm ForgeRock, which landed an $88 million investment last week, also finds the possibility highly unlikely for a variety of practical reasons. “Identity will not move to the blockchain if this means personal data will be put on a public permissionless blockchain (distributed ledger technology in its purest form), as this is now widely considered bad practice,” she said.
She added, “The ‘distributed nodes’ element of the technology is valuable for architectures where trust in a central authority is difficult or undesirable to establish, but can be challenging where it is desirable to record sensitive information because of the increased attack surface (every node has a copy of everything) and resulting increased privacy considerations.”
Then there are those who fall somewhere in the middle. They aren’t ready to write it off, but they see a lot of obstacles along the way to implementing it, or see it as a part of a broader ecosystem of identity tools, rather than a full replacement for what we have now.
Charles Race, president of worldwide field operations at cloud identity firm Okta, which went public this year, thinks it’s possible blockchain will emerge. He envisions a similar set of use cases as Cuomo, but sees a lot of obstacles that stand in the way of using the blockchain to implement identity management (not exactly the same as PAM) broadly moving forward.
“A trusted entity will need to establish some legal and enforceable rules and policies for how it all works, they’ll need to make it easy for the average person to use securely, and they’ll need to convince a critical mass of people and service providers to adopt and trust the ID — all while finding an economically viable business model. Some institutions are uniquely positioned to solve all of these chicken-and-egg issues at once and bring this big idea to life — first among them are our citizen-facing government agencies,” Race explained. But he adds, “The trouble with this idea is that a universal ID poses risks to privacy and hence [could] encounter significant political opposition.”
Andre Durand, CEO at Ping Identity, an identity management firm that was sold for a reported $600 million to Vista Equity Partners last year, says it’s not likely to happen as a full replacement over the next five years, but it could begin to play a role in identity. “What is much more likely is that the things Distributed Ledger Technology is uniquely designed for, keeping accurate records in a distributed system, will become part of the identity management ecosystem and help improve aspects of it,” he says.
Ian Glazer, an identity industry expert, says it’s really about choosing the right tool for the job, but he doesn’t necessarily see there ever being one answer, including blockchain, that fits every identity scenario.
“To ask if identity will move to blockchain is not the right question. Better to ask will use cases emerge that blockchain-related technologies are uniquely qualified to solve. Likely there will be some. But just like relational databases, LDAP and object databases, no one storage/retrieval mechanism has proven to be the single ‘right’ tool for the job,” Glazer told TechCrunch.
As with any emerging technology, there is going to be a range of opinions on its viability. Using the blockchain as an identity management system is no different. It will probably begin to take on some role over the next five years because the promise is just so great, but how extensive that will be depends on how the industry solves some of the outstanding issues.