Trusted Identity

Decentralized Identity: An alternative to password-based authentication

Many experts say that password-based login is an insecure approach to online interactions and that multi-factor schemes add friction that reduces user adoption and productivity. Obtaining assured authentication of a person’s identity while adhering to new data privacy laws and regulations presents a minefield of security and customer experience issues, and the approaches in use today are costly and ineffective. Many companies have already realized that two-factor authentication is an imperfect band-aid. So, are there more effective alternatives for online authentication?

Several organizations within the self-sovereign identity (SSI) community have joined together to collaborate on the validation of decentralized identity approaches to the critical password-based authentication problem. ATB Financial, Evernym, IBM, the Sovrin Foundation and Workday have come together in a joint multi-phase effort to conceive and incubate working examples of verifiable credentials (VC) for the purposes of awareness and education.

This article provides a recap of the first phase of our joint research endeavor where we focused on the presentment of verifiable credentials as an alternative to the universal frustrations of user IDs and passwords.

Bootstrapping the adoption of decentralized identity

Until now, the SSI/VC community has been very focused on the principles of decentralized identity and the underlying blockchain and cryptography technologies necessary to support the vision of self-sovereign identity. Missing from the technology maturation process are real business validation stories that can create an innovation trigger. Innovation can be defined as the creative assembly of new and/or existing concepts that, when forged together, offer better solutions that meet new requirements or existing market needs. Such endeavors follow an iterative journey of trial and error where lessons are learned and applied towards an eventual solution. Expectations are now on the rise for blockchain-based decentralized identity solutions. Through the prism of the Gartner Technology Hype Cycle, industry chatter surrounding the emerging technologies associated with decentralized identity suggests that media interest is ripe for breakthrough evidence of business applicability.

Our joint research project, called Job-Creds, explores the business applicability of the self-sovereign identity initiative using the domain of Employee Credential Lifecycle Management. The participants in this effort share a common interest in validating by example the self-sovereign identity vision. Our multi-phased project iterates on several scenarios involving the use of verifiable credentials in online authentication and authorization activities.

“The Sovrin Network is designed to support interoperable, secure and private identity management solutions,” Sovrin Foundation Executive Director Heather Dahl explained. “As a global public identity utility for identity, everyone can use and build on the Sovrin Network — and the only limit on innovation is imagination. We are pleased to see an outstanding group of forward-thinking enterprises join together to research and develop a secure alternative to password-based authentication.”

Tackling critical and costly challenges for businesses

Security experts have long recognized passwords as inadequate, but finally blockchain technology is offering some viable alternative authentication methods that businesses can explore to keep their data safe.

Interacting with the world around us using identity instruments is part of our daily lives, but today’s digital representations of our identity are far from secure. However, the world of self-sovereign identity now presents us with the ability to have a simpler, safer and more intuitive digital existence.

Today, you may log into a bank website to access its online services. These services are protected by a user ID and password for authorization. The bank is not going to let you sign in using third-party credentials from your Google or Facebook accounts.

Imagine a tomorrow where you can log into the bank’s website by presenting a verifiable credential issued by the bank. You would have received this credential by proving to the bank that you have met the necessary policy criteria (for example government and employment credentials) to obtain a financial account.

Working for more secure trusted identity

Phase one of our collaboration demonstrates how verifiable credentials in combination with the Sovrin Network can be used to eliminate the rigidness of passwords, mitigate authentication and privacy risks, and also reduce costly call center password reset expenses.

Our research also uncovered something in the codebase of The Linux Foundation’s Hyperledger Indy that we were able to improve upon. It is commonplace in today’s business settings for an entity to outsource operational tasks to another entity. When the outsourced task pertains to the issuance of credentials, you need a mechanism for the issuer (data controller) to communicate to the verifier which public key shall be used to validate credentials issued by the issuer’s data processor. A result of this project was a well-defined delegation flow between a data controller and a data processor, such that a properly formatted and valid Indy Credential Definition document is agreed upon between the two entities and published to the Sovrin Network by the data controller. A goal of this transparency-preserving workflow is that the verifier need not be aware of the data processor relationship.

“This project has effectively demonstrated both the capabilities and power of the Sovrin Network in facilitating real-world user experiences and enabling organizations to interact with the user via a trusted network,” said Michael Brown, Director of Product Innovation at ATB Financial. “The end-to-end nature of this workflow demonstrates one of many ways in which organizations and individuals can streamline the flow of trusted credentials amongst parties, without the organizations needing to communicate directly.”

“This know your customer (KYC) proof-of-concept illustrates how self-sovereign identity and distributed ledger technology can be used to strengthen digital trust and privacy,” said Jon Ruggiero, Senior Vice President at Workday. “It shows how employment credentials, when owned and controlled by an individual, can reduce the time and friction it takes for them to open a new account at a financial institution.”

Building a bridge to tomorrow’s digital identity

Today the landscape of supporting open communities (network, code and standards) to achieve the SSI vision is beginning to mature at a rate whereby early adopters can begin to validate applicability and build that most important bridge across the technology adoption lifecycle chasm. The foundational infrastructure empowering this innovation trigger is rooted in standards, leverages the global Sovrin Network, and is ready today for your digital identity journey.

We look forward to sharing the results of our ongoing collaboration. If you are interested in incubating SSI/VC scenarios in a joint collaborative environment similar to the Job-Creds project, please reach out to me on LinkedIn.

DE / CTO Trusted Identity, Blockchain Technologies - IBM Industry Platform
