4-part series on Digital Identity. Part 3: JoQPublic says this is about the trade-off between privacy & convenience.

Do you do passwords properly (long & complex & frequently changed)? Or do you think life is too short, so you entrust your identity to some service that becomes your gateway to the Internet? Do you find it a bit disturbing that these services know your most intimate secrets, but you are too busy to focus on this?

If so, you are one of 8 billion people who wrestle with the trade-off between security and productivity. Welcome to the world of Digital Identity, which is trying to find a solution for you.

When on-boarding with a bank, a password is not an option. This is when you need to undergo an identity verification process via whatever vendor your chosen bank uses.

The (distant) future of Identity on the Blockchain

Blockchain technology can meet two fundamental needs:

  • Trustless and decentralized. Your Identity is not under the control of any institution (either Government or commercial).
  • Immutable. Nobody can change a record; they can only append a new record.

In this vision of the future, the human is sovereign and controls Identity through granularity – you can have my driver’s license but not my passport or medical records, and you can only have it for this one transaction. This could enable Doc Searls’ vision of Vendor Relationship Management (VRM).

Meanwhile, back in today’s reality, we have regulation and the Bitcoin driver. So far, regulation has mostly focussed on healthcare (i.e. HIPAA), because people care more about privacy of medical information than other information. The Bitcoin driver is that we will care more about our other data when we realise that money is actually “just” data. Bitcoin is a digital bearer bond (i.e. it is data). If a hacker accesses your crypto wallet, they have your money; now do you care about privacy?

Decentralized systems are private by default. Is it possible to guarantee privacy even with centralised systems? Some say it is possible using a form of cryptography. The service provider only stores the cryptographic keys, not the underlying data. I am still sceptical – what if the cryptographic keys are hacked/stolen?

Biometric security + AI

All the identity verification vendors talk about biometric security, which translates to a simple question to consumers – “which body part do you want to use to identify you?”

  • Finger. This one scares me. It is hackable, by simply recording somebody’s fingerprint and putting that on thin film. I can change my password if I am hacked, but I cannot change my finger.
  • Voice. This has a nice old-fashioned ring to it. Voice recognition is like the banker who recognized your voice. The technology has been brewing for a while and seems ready for prime time. Voice is probably better for high value transactions than getting a coffee or paying for a subscription. Talking to my phone in the line for my coffee seems too much like the movie Her.
  • Face. This also has a nice old-fashioned ring to it. People who know you recognize your face. Face changes with age, which is why analog identity such as passports need regular renewal. AI can solve this problem as it can identify what you will look like x years into the future.
  • Typing rhythm. BioPassword seemed so simple and elegant but failed to get traction. Maybe mobile changed typing rhythm and created new rhythms around swipe.

There may be something new that emerges out of smart watches, such as pulse recognition, but that hits the universality problem ie not many people have smart watches.

The Indian Aadhaar system is technically smart. It takes 13 biometrics. It also uses low-cost, robust/proven technology. This is not a laboratory experiment. It is a mass-market deployment where every fraction of a penny counts. All they have to store is the unique 12-digit number, not all the biometric data.

Standards

Digital Identity is a) complex b) very valuable. So we need to rely on standards organizations such as:

iBeta

NIST.

FIDO Alliance. This is a membership-based entity that promotes a hardware cryptographic device called Universal Second Factor (U2F), which generates a new key pair for every service that you connect to, without relying on biometrics. The U2F protocol does not identify a user; it merely proves that someone has the device with control over a registered key.
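The registration and challenge-response flow described above, as an added example (not FIDO Alliance code and not part of the original post): a simplified Node.js model in which the class and function names, the example origins and the signed-message layout are assumptions. It goes slightly beyond the text by also showing the device refusing to use a key for a different origin.

```javascript
// Added illustration: simplified U2F model, not the FIDO wire format.
// ToyAuthenticator, signedData and verifyAssertion are hypothetical names.
const nodeCrypto = require('crypto');

function signedData(origin, challenge) {
  const originHash = nodeCrypto.createHash('sha256').update(origin).digest();
  return Buffer.concat([originHash, challenge]);
}

class ToyAuthenticator {
  constructor() { this.keys = new Map(); } // keyHandle -> { origin, privateKey }

  // Registration: mint a fresh P-256 key pair for this service only.
  register(origin) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    const keyHandle = nodeCrypto.randomBytes(16).toString('hex');
    this.keys.set(keyHandle, { origin, privateKey });
    return { keyHandle, publicKey }; // the service receives only a handle and a public key
  }

  // Authentication: sign the service's challenge; refuse any other origin.
  sign(origin, keyHandle, challenge) {
    const entry = this.keys.get(keyHandle);
    if (!entry || entry.origin !== origin) return null;
    return nodeCrypto.sign('sha256', signedData(origin, challenge), entry.privateKey);
  }
}

// Service side: proves only that the holder of the registered key answered.
function verifyAssertion(origin, publicKey, challenge, signature) {
  if (!signature) return false;
  return nodeCrypto.verify('sha256', signedData(origin, challenge), publicKey, signature);
}

function demo() {
  const device = new ToyAuthenticator();
  const bank = device.register('https://bank.example'); // constructed origins
  const shop = device.register('https://shop.example');
  const challenge = nodeCrypto.randomBytes(32);
  const sig = device.sign('https://bank.example', bank.keyHandle, challenge);
  const pem = (k) => k.export({ type: 'spki', format: 'pem' });
  return {
    validLogin: verifyAssertion('https://bank.example', bank.publicKey, challenge, sig),
    staleChallengeRejected: !verifyAssertion('https://bank.example', bank.publicKey, nodeCrypto.randomBytes(32), sig),
    otherOriginRefused: device.sign('https://shop.example', bank.keyHandle, challenge) === null,
    keysDifferPerService: pem(bank.publicKey) !== pem(shop.publicKey),
  };
}
```

Because each service holds a different public key, two services comparing their records cannot tell that the same device registered with both.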

FIDO is device based authentication, which is not new but past solutions had major issues:

  • Magnetic strip card. You see this on your conventional credit card. These are fading out because they are so easy to hack.
  • Chip & PIN Cards. These are more secure than magnetic strip cards, but they may be vulnerable to power-analysis attacks.
  • Proximity card or RFID. These cards transmit stored information via RF (Radio Frequency). It is used more for identifying products (for example in a supply chain) than for people. For people there are privacy issues. For example, a Passport with RFID tags could be used by governments to remotely identify citizens of a given country by physical location (and in the wrong authoritarian hands that is dangerous).

OpenID Connect. Authentication is not the same as Identification. You still need to identify yourself – for example, key in a 12-digit number if you are Indian. That is a pain point for new services that want to entice you in. You won’t key in a long identifier for a service you don’t know much about. That is why we need Identity Portability, which is the focus of OpenID Connect. OpenID Connect aims to prevent popular services such as Facebook, LinkedIn, Twitter or Google from owning your identity.

The privacy challenge

Digital Identity is such a thorny problem, fraught with technical, legal, societal and political issues, because your Personally Identifiable Information (PII) aka your digital exhaust (the trails you leave on the Internet) will define how you live your life (whether you get financing, get a job, get citizenship and so on).

This is what can change society and business at a fundamental level. There is a reason why Microsoft worked so hard to get Passport established – the upside is massive. There is also a reason why any company that gets close to this prize – whether it is Facebook or Apple or Microsoft – eventually gets consumer pushback.

As Ethereum’s Vitalik Buterin points out:

“10 years from now it may be harder to change identity providers than it is to change countries”

If you want to think deeply about the consumer view on Identity, please visit Kaliya Hamlin’s Identity Woman.

If investors see regulators, enterprises and consumers liking a solution, they will beat a path to your door in order to invest. That is our focus in the fourth and concluding post (Part 4) next week, entitled: the investor says this is a big opportunity.

Some subjects are too complex for our short attention spans. For those subjects we do 4 posts one week apart, each one short enough not to lose your attention but in aggregate doing justice to the complexity of the subject. Stay tuned by subscribing.
