I shared the stage with another disruptor in the identity space, Yasmin Ulrich, presenting on behalf of iampass. iampass’s solution is a palm vein scanner that authenticates your identity. In their own words, iampass is a “reliable biometric authentication based on palm vein pattern recognition combined with decentralized trust on IOTA.”
Even without knowing much about biometrics, it was immediately clear to me that iampass’s solution and Jolocom’s were extremely different, which gave me cause to wonder why these two very different companies had been paired together for this meetup in the first place. What stood out to me most was that:
- Jolocom’s protocol provides decentralized identity infrastructure, while iampass’s palm vein scanner acts as an authentication service accompanied by a physical piece of hardware;
- It wasn’t clear to me whether or not iampass stored user data, and on their website it appears that they are experimenting with centralized services while Jolocom’s solution is fully decentralized; and lastly,
- iampass uses IOTA Tangle while Jolocom is fully decentralized and uses a combination of IPFS and Ethereum.
And then Yasmin began her presentation and I immediately understood. Her first few slides and mine were virtually identical, making one thing decidedly clear: despite many approaches to solving the issue, the current ways digital identities are managed and interact with one another aren’t working.Despite many approaches to solving the issue, the current ways digital identities are managed and interact with one another aren’t working.
I have…how many accounts?
Think about the number of identities you own. For the purposes of writing this blog, I checked my own password manager and realized that I have 94 active accounts. This is in addition to the likely dozens (if not hundreds) of defunct accounts I still own but am no longer aware of, or that I registered to use once, but have since forgotten about. (Truth be told… I’m fairly certain I still have a Myspace page out there — somewhere (please, don’t try to find it).
Password managers provide a centralized stop gap solution but don’t tackle issues of ownership. And while I may use a password manager, a solution many others turn to is using a federated ID — that sexy little “log in with Facebook” or “log in with Google” button that is often times so terribly convenient.
So…should I log in with Facebook?
But what happens beyond the screen when when we log in with Google or Facebook? Two things come to mind that I find particularly alarming: the first being that we don’t have any control over the data exchange between Google and the service. Why does Airbnb need access to all of my Google contacts? The short answer is that it probably doesn’t — at least, not in any way that would benefit me.
The second thing that happens is that by providing our information and trust to a few federated services that dominant the market, we are concentrating a tremendous amount of power in those institutions. What happens to our data when we decide we no longer wish to use those federated IDs? What happens when those services get hacked? When we no longer trust them? What alternatives are we left with?
Statista reports that in the US alone, the number of data breaches from 2005–2018 reached 668 with over 22 million records exposed and that worldwide, identity theft is the most common type of data breach; in 2016, it accounted for 59% of all global incidents. At the same time, we hear stories — or are direct victims — of incidents like Facebook’s September 2018 data breach that affected 50 million users, or Equifax’s breach that affected almost three times that number one year earlier.
Well…what’s the alternative?
Coming from this status quo, over the past five years — and especially in the past two— we’ve since seen the rise of a number of different digital identity management solutions — from authentication devices like iampass’s to fully decentralized and open source universal identity layers like Jolocom’s. Even some of the large data giants like Microsoft are joining the decentralized identity conversation. And whether it’s with the primary goal of improving users’ privacy and security, or simply eager to make digital identity management easier, or have more altruistic goals of putting digital identity back into the hands of users, all are working to change the way we think about digital identities, how they work, how they’re accessed, and how they’re owned and controlled.
While I can’t speak to any of those other solutions, using a “login with Jolocom” (or whichever self-sovereign identity provider) button in place of that of a federated identity login would effectively allow users to be able to store all of their identifying information on their phones and ONLY on their phones.Using a “log in with Jolocom” button in place of that of a “log in with Facebook button” would effectively allow users to be able to store all of their identity information on their phones, and only pass on needed credentials to services.
Using a SmartWallet app, underlied by the Jolocom protocol, which acts as a universal identity layer for the web, would allow people to keep all of their usernames, emails, passwords, and also their licenses, IDs, membership cards and so on in one place. And the only information stored anywhere outside of their phones is a public key housed on a registry contract — we are blockchain agnostic, so though we use Ethereum, any other blockchain could be substituted here. Transactions between users and service providers would even take place off chain so that no record of transacting would appear publicly, and only the credential requested by the service would be shared. Need to be over 16 years old to rent a car? Just select your license in your SmartWallet and send the car sharing company the fact that you are over 16, rather than your birthdate itself. This is the principle of minimization in effect, one of the 10 key principles that underlies self-sovereign identity and depicted in the graphic below.
This is only the beginning
So 10 years ago in October 2008, Satoshi Nakamoto announced Bitcoin to the cryptography mailing list and released the white paper out into the world. At the same time, the world was devastated by the global market crashes and was struggling through one of its darkest hours in financial history. Did one make the other possible? Was it the fear of centralized banking that gave people reason to look towards Bitcoin as a solution? And in the same vein, I ask a similar question about the world of decentralized identity solutions: will the devastating impact of recent data breaches help us move closer towards a decentralized identity management solutions and eventually, a decentralized web?
As someone with almost 100 active logins and who relies on her password manager provider with her (digital) life and who is still likely storing personal data on some Myspace server somewhere, I certainly hope so. I hope that this is something that companies start to realize is the only direction for our digital futures, and I hope that this is something that we, as users of these services, start to demand for.