Mark van Rijmenam posed some questions on LinkedIn today around Identity and Blockchain. This is an interesting and important topic and my reply would be a bit long so I thought a blog post would be better.
Specifically he asked,
– What is identity?
– What are the current problems with identity?
– Should we put identity on the Blockchain and if so, why and how should it be done?
– What are the advantages / disadvantages of doing so?
– What are the challenges of putting identity on the Blockchain?
– What are some interesting use cases of identity on the Blockchain?
My first thought was that identity is not limited to people. Especially with the rise of IoT and it’s convergence with Blockchain, asset identity may be even more important than human identity in some use cases. Machine to machine communication may include instructions or payments and establishing trusted identity is fundamental to accurate execution.
The core problem throughout almost all identity is trust. Blockchain addresses the Trusted Third Party issue for everything once it is in the Blockchain. But even it can not provide complete trust when mapping real life identity to the digital Blockchain identity. That is, I can steal your password or cert. I can program my parking meter to say it has a serial number the same as your parking meter, etc. Authentication is NOT guaranteed by any Blockchain for physical identity.
To illustrate this a bit more, bitcoin does not have a physical IRL existence outside of its digital existence. A bitcoin is created and exists only in the digital world. So the Blockchain provides the trust acceptable to all that it exists and there is no other existence. No interactions outside of the blockchain are possible with a bitcoin. The blockchain provides trust on the digital identity of the bitcoin owner, but can not provide the trust that I am the physical owner of that digital identity. At least not inherently.
So the question is who or what provides the trust to map real life to digital identity. And that starts with the trust in real life. Driver’s licenses and passports can be faked, even by governments, the supposed trusted party. Fingerprints and iris scans are pretty good, but not infallible. DNA might seem to be perfect, but maybe I can steal a drop your blood and use it in the identity sensor at authentication time. I’m skeptical that real life identity can ever be 100% trusted, but several mechanisms provide enough trust to operate on. Most of the above can be trusted for most activity, car VIN numbers and titles are trustable enough for me to buy your used car, etc. Fraud does occur there, but most people will never experience it.
One interesting approach is being provided by Sovrin. One component of their methodology is Reputation Enhancement, which can, in effect, provide some quantification of the level of trust that should be assigned to any identity. The more trusted claims you have (in Sovrin lingo), the higher your trust level. Or, having a US passport and a state driver’s license is more trusted than if I only have a state driver’s license. There are several other parts to Sovrin and I encourage people to explore their approach. It is based on distributed ledger technology, i.e., Blockchain.
Hyperledger separates identity management from the Blockchain. Once the identity is authenticated it is used in the Blockchain. But by abstracting identity management from the Blockchain proper many authentication schemes can be implemented. LDAP is expected to be utilized in many business use cases where organizations already have implemented it to their satisfaction. That often includes two-factor authentication, guaranteed encryption, etc. A facial recognition scheme could be implemented if desired.
To sum up my perspective then, Blockchain can guarantee an identity once it is in the blockchain, or digital existence. Blockchain can provide a significant and sometimes quantifiable level of trust to the real life to digital mapping. But Blockchain can not provide a guarantee on the actual physical identity of a person or asset / object. There will always be some way to fake that and hence some level of uncertainty.