Thoughts on digital identity

A few years ago I moved to a new apartment. This simple operation had a number of implications I hadn't foreseen. The address change implied an ID change, and then events started snowballing: I had to update my driving licence, my data in banks, my data in e-commerce services and a lot more.

Updating all of these took me over a year. From time to time I discovered I had forgotten to update my data in one more place. Moreover, I had to visit a number of places in person; it wasn't possible to change the data online. All these visits had one thing in common: someone verified my new ID (and checked whether my photo matched my appearance). This reveals two problems we have been dealing with for many years already. The first is digital identity management. The second is the authentication process and the trust between companies and agencies.

A look back

Digital identity and the authentication process have been an issue since the beginning of the Internet. Fortunately, by that time public key cryptography was already available.

Asymmetric cryptography is relatively young. It is officially dated to 1976, when Martin Hellman and Whitfield Diffie published New Directions in Cryptography. Their solution was revolutionary in terms of the distribution of encryption keys. The key was divided into two parts: a private (secret) key and a public key which could (or even should) be passed to other people. With this approach, the problem of a trusted key exchange channel no longer existed. There were, however, new issues.

Firstly, you need to distribute your public key as widely as possible, so that others can encrypt communication to you and validate your signature. Usually you send your key by email or publish it on your website or on a key server. Such a key server can be used to search for your key by your name or your email address.

Secondly, you need to find ways to confirm your identity; otherwise the recipient would never know who you are. Key signing parties were invented to solve this problem. These were real-life meetings where people confirmed each other's identities by digitally signing each other's keys with their own private keys. Having received a message signed by such a key, you could see who had confirmed the identity of the sender.

There are a number of legal solutions in Poland that involve asymmetric cryptography. I will briefly describe two of them: the electronic signature based on a qualified certificate and the trusted profile ("profil zaufany" in Polish).

The electronic signature based on a qualified certificate was introduced in Poland in 2001. Under the law, such an electronic signature is equivalent to a handwritten signature: anything (documents and contracts) signed with it is legally binding. The certificate includes the owner's data, which is verified during the issuing process. This verification takes place at dedicated offices or at a notary. The certificate is issued to individuals by qualified certification agencies, and it is a paid service.

The trusted profile is a solution introduced by the Polish public administration in 2011. It allows citizens to submit legally binding applications and requests to public agencies over the Internet. You can apply for a trusted profile in three ways:

  • in person, at an agency, confirming your identity;
  • using an external identity provider (currently supported by some banks and the Social Insurance Institution – ZUS);
  • using an electronic signature based on a qualified certificate.

Unfortunately, the uses of the trusted profile are limited to the services offered on ePUAP, the public services Internet platform. There are no plans to open the platform to commercial services in the near future. Historically, ePUAP has a bad track record of long downtimes and poor performance, a factor to be taken into consideration when designing future solutions.

There is a relatively new authentication method used in financial services in Poland: the verification transfer. It is used by banks and lending companies when you open a new account or request a loan or a deposit. The method checks whether the data you provided in the submission form matches the data on the account the transfer originates from. It relies on the fact that your data was already verified by your bank, and only a limited subset of the data is checked.

The introduction of the verification transfer in Poland revealed how much identity verification processes differ across banks and how little banks trust each other. For example, the largest Polish bank, PKO BP, temporarily suspended its participation until the process was fixed. The method is now used in a more secure way than when it was introduced. The verification transfer is an integral part of the account creation process, and a new account cannot be opened on the basis of an account that was itself created using a verification transfer unless that account was later confirmed in person. This is still not a perfect method but rather a workaround built on existing solutions, and it still has problems.

Network of trust

One of the reasons why you still need to verify your identity in person multiple times is the lack of trust between organizations. It seems this issue could be at least partially resolved using concepts derived from blockchain.

Let's assume that you have accounts with three different companies: a bank, a telco and an energy company, and you want to open a new bank account. Currently in Poland you need to go to a bank branch, or (for some banks) you can do it online using a verification transfer. As mentioned above, the latter method is not perfect. I want to propose a new method which requires some level of cooperation between companies (note that the verification transfer requires it as well).

Various organizations are connected to a closed identity verification network. Each has a reputation within this network, derived from the credibility of its client authentication processes. The reputation is the result of an initial value and the subsequent history of participation in the network: the quality of its answers and its level of engagement in the customer identity verification process.

Your new bank asks the network who can verify your identity. Based on the answers, the bank can judge whether your presence in the network is enough to reach the trust threshold, that is, whether enough participants can confirm your identity. If there are not enough participants ready to verify you, you won't be able to open an account within this process.

Randomly chosen organizations send you a notification asking you to confirm your identity in their systems. This confirmation could be done using a mobile application or a website: you would need to log in to the system and authorize the requested operation (in particular with multi-factor authentication). If you perform this operation in enough service providers' systems or applications to reach the trust threshold (during the process you don't know how many confirmations you need to provide), the account can be opened.

[Figure: eID_eng__.png]

The full history of queries and confirmations is stored in an immutable ledger. Every network participant is obliged to report any abuse.
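As an added illustration (my own sketch, not the author's design or any existing system), the following Python code simulates the flow described above: a closed network of organizations with reputations, a query from a new bank, confirmation requests sent in random order, a reputation-weighted trust threshold, and a hash-chained append-only ledger of every query and confirmation. The participants, reputations, client lists and threshold are constructed sample values.

```python
import hashlib
import json
import random

# Constructed sample network: organisation -> (reputation, its verified clients).
NETWORK = {
    "bank_a": (0.6, {"alice", "bob"}),
    "telco":  (0.3, {"alice", "bob", "carol"}),
    "energy": (0.2, {"alice", "carol"}),
}

def _digest(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class Ledger:
    """Append-only, hash-chained record of every query and confirmation."""
    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "event": event, "hash": _digest(prev, event)})

    def is_intact(self):
        """Recompute the chain; an edited entry no longer matches its stored hash."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

def verify_identity(person, requester, threshold, authorised, ledger, seed=0):
    """True once confirming organisations' reputations sum to `threshold`.
    `authorised`: organisations where the person logged in (MFA) and approved."""
    candidates = [o for o, (_, c) in NETWORK.items() if o != requester and person in c]
    ledger.append({"type": "query", "by": requester, "person": person,
                   "candidates": sorted(candidates)})
    if sum(NETWORK[o][0] for o in candidates) < threshold:
        return False  # the network cannot vouch for this person strongly enough
    score = 0.0
    # Random order; the person never learns how many confirmations are needed.
    for org in random.Random(seed).sample(candidates, len(candidates)):
        ok = org in authorised
        ledger.append({"type": "confirmation", "org": org, "person": person, "ok": ok})
        if ok:
            score += NETWORK[org][0]
            if score >= threshold:
                return True
    return False
```

Note that the requesting organization is excluded from the candidates, so a participant cannot vouch for its own applicant, and that a person whose known organizations cannot reach the threshold is rejected before any notification is sent.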

The idea described above does not eliminate in-person identity verification, but it certainly reduces it.

Digital identity platform

There are already ideas and projects in place to use blockchain features for creating a credible digital identity. Everyone could create their own identity and put it on a blockchain. It is up to that person with whom she shares the data, which could be personal, health, financial or any other data. Moreover, each piece of data could be signed by any person who has access to it. Just like the key signing described above, this provides a way of building data credibility: the more people with high reputation sign the data, the more credible it is. This would matter most for identification data.

Recovery in case of loss (of a device, key or password) is also an important feature. You could use a network of trust for that purpose: you would define a group of trusted people who can confirm your identity. When all of them (or some subset of them) confirm your request, access to your private key could be recovered. Well-known secret sharing algorithms would be used in this protocol.
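As an added example, not part of the original post: a minimal Shamir secret sharing implementation in Python showing how the recovery protocol sketched above could work. The owner splits the private key into n shares held by trusted people; any k of them who confirm the request can reconstruct it, while fewer than k learn nothing about it. The field prime, the share layout and the key_recovery_demo flow are my assumptions.

```python
import secrets

# Field prime (2**127 - 1, a Mersenne prime); assumption: the secret fits below it,
# e.g. a 16-byte key. For a 32-byte key pick a larger prime.
P = 2**127 - 1

def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial over GF(P); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_secret(secret, n, k):
    """Split `secret` into n shares (x, f(x)); any k of them recover it."""
    if not 0 < k <= n or not 0 <= secret < P:
        raise ValueError("need 0 < k <= n and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    # x = 0 would reveal the secret itself, so shares start at x = 1.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P) from any k distinct shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def key_recovery_demo(n=5, k=3):
    """Owner hands one share to each of n trusted people; k responding trustees
    suffice to reconstruct the (constructed, random) 16-byte key."""
    key = int.from_bytes(secrets.token_bytes(16), "big")
    trustees = split_secret(key, n, k)
    responding = secrets.SystemRandom().sample(trustees, k)
    return recover_secret(responding) == key
```

In a real deployment each trustee would release their share only after the network-of-trust confirmation step described above, and the shares would be transported to the owner over an authenticated channel.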

Summary

The ideas presented above are just ideas; they are not detailed concepts yet. I am also aware of the simplifications I made in describing them. My goal, however, was just to present a concept that I think will come to life in a few years. It depends only on us how much we are going to influence its implementation.

Paweł Kot

Paweł joined ITMAGINATION in November 2016 after leaving PZU Group, where he held the role of IT Architecture Director. At ITMAGINATION he focuses not only on insurance but on the whole financial industry, acting as Enterprise Architect and Product Manager responsible for the product portfolio for FSI clients.
