Because the other thing a blockchain excels at is identity authentication and authorization. Ensuring that a user is who he says he is, and then authorizing him to do something, is a problem that every industry has to deal with. Over and over again, day after day, year after year.
Blockchain technology is both advanced and straightforward. By utilizing public key/private key cryptography, which has been around for decades, a blockchain can be deployed to create identification systems that are revolutionary in their simplicity. There have already been limited attempts to implement public key infrastructure (PKI) solutions for generalized authentication. What I believe is that blockchains can socialize the technology and make PKI popular. It’s already happening.
Here are a few critical ways that PKI solutions and blockchains will change how we use technology.
Fixing the Password Problem
Everyone can agree that passwords are fundamentally broken. We literally take a secret, then share that secret with a website, which uses it to authenticate us. To ensure that it can continue authenticating us, the website stores that password in a database. Despite best practices, we then use the exact same password on dozens if not hundreds of other websites across the Internet. The security of your password is only as strong as the weakest link—the most insecure website—across all those websites you’ve shared your password with.
Consider the Anthem Blue Cross hack. When the hacker gained access to their databases—and Anthem Blue Cross learned about it—the first thing they did was reach out to their Internet users telling them to change their passwords. That’s a fundamental indicator that the password system is broken.
What we really need is a new way to think about authentication. Instead of using the problematic password-based system of shared secrets exchanged and stored on insecure systems, authentication systems should be based on irrefutable verification of an identity using digital signatures based on public key cryptography.
In public key cryptography, we start with a secret, called a private key. For every private key, there is exactly one matching public key that can always be mathematically derived from the private key. However, knowledge of the public key cannot reveal the private key, so you can freely and safely hand out your public key without fear of compromise. It’s what we call a trapdoor function. You can move in one direction, but you can’t reverse it.
We then use this private and public key pair to generate a digital signature. By using some special math, we can combine the private key and its corresponding public key into a third value, called a digital signature. This digital signature can be handed to anyone who asks for it, and with knowledge of only the public key and the digital signature, the recipient can verify beyond a shadow of a doubt that whoever created the digital signature must have possessed the private key. In other words, a digital signature acts as proof that its creator is who he or she says they are.
While this technology has existed for decades and is used pervasively every time you visit your bank’s website or Facebook page to encrypt and secure communications, it has yet to be popularized for authentication.
While you don’t necessarily need a blockchain to enable this, what you do need is a trusted third party who can store the public keys that are bound to each real-world user identity. What makes blockchains so much more efficient than other solutions is that the data cannot be changed. By trusting that the data cannot be changed, we can trust that private key, making it an efficient, irrefutable password.
The key system works by relying on what’s known as a “hierarchical deterministic” or HD identity framework. You use one root private key—called the seed—to create unlimited public keys. You then create a new public key for each website you want to gain access to. If one of those is compromised, you don’t have to worry that anyone will gain access to the other websites, because you’ve used a unique public key each time.
Think of your private key as a skeleton key that gives you access to every account you have online. Now you need to keep track of only one key, instead of hundreds.
Application Capabilities Across Industry
“Capability” is used in the blockchain world to mean that the identity is capable of doing something. For example, if I walk into a bar, the bouncer at the door might ask to see my identification to determine if I am legally capable to drink alcohol. Unfortunately, because there is no better mechanism, I have to show him my license, which includes my age, height, eye color, address, identification number and whether or not I am an organ donor. There’s no reason to pass all this information over to prove that I am legally eligible to drink.
A capability token sent to a public key on a blockchain could be used to prove that an individual has the capability to drink. What’s needed is a way to validate that the public key was signed by the real-world identity. This might necessitate the creation of entirely new businesses where people are doing validations of identities. For example, the DMV could be one of the certified authorities. It could issue a digital token that says the person is allowed to drive, another token validating drinking age. When I walk into the bar, instead of passing over my entire life story, I pass over the digital signature that proves I have the capability to drink. That capability’s issuance can be traced through an entire chain, ensuring to the bar owner that it is valid.
Identity Solutions for Banks
At Gem, we’ve talked to a lot of banks and most of them have a number of use cases appropriate for blockchain technology. We hear about the obvious one, trading and settlement, on a regular basis. However, building a strong identity platform is a prerequisite to building a blockchain solution in a business. If you’re going to build a blockchain for improving settlement, you have to first be sure that all of the parties and actors using that network are allowed; and that requires an identity solution.
Here’s an example. Let’s say that a financial exchange has a large investment bank, XYZ I-Bank, as a customer. And John Smith at XYZ is the one authorized to make those trades. The exchange needs to be sure that John is the one who authorized an exchange. Right now, it uses an extensive identification process that includes the delivery of a physical token used to authenticate trades. This comes with significant cost. I believe that by having a trusted identity blockchain, this problem would become relatively minor because John Smith could be verified once, and that verification would travel with him as he trades on multiple exchanges and with multiple banks.
Also, due to regulatory conditions, banks are required by law to verify their customers’ identities according to Know Your Customer (KYC) laws. These procedures require extensive, repeated documentation. Blockchain solutions can tremendously advance the simplification and efficiency of KYC protocols, saving time and money and eliminating password problems while reducing the resources needed to manage the information collection process.
For example, blockchain technology would allow banks to share KYC information as long as they trust the first bank that collected it. So if a customer has an account at Bank of America and went through their KYC process, and they later opened an account at Chase, Bank of America could share the KYC data with Chase without putting the customer through the KYC all over again. Additionally, this means that banks wouldn't have to invest in expensive, flawed KYC collection software as long as they shared a KYC blockchain. If you take this further, blockchain technology would encourage the emergence of KYC collection companies that establish trust relationships with banks and do all the KYC collection up front, so banks never have to collect or store the data themselves. The customer would go through the process very rarely, rather than every time they sign up for a financial service. Storing KYC data is incredibly expensive and exposes banks to security risks because it makes them targets for identity thieves. Putting KYC management on a blockchain blows wide open the opportunity for more secure, less costly KYC management systems.
Blockchains help solve many general IT security issues, such as passwords and authorized identification for financial actions, but they also provide an environment where individuals are in control of their personal data. The amount of information that is presently shared with employers, potential partners and other entities is unnecessary. So long as there is a digital signature proving that an individual has the capability to do something, no other information should need to be saved.
Sophisticated identity frameworks will be a requirement for building secure blockchain networks. New opportunities for blockchain applications will develop alongside HD identity security. At Gem, we think they go hand in hand, and we’re excited about exploring this technology on our platform.