Digital identities and the blockchain
In recent years there have been a few attempts at creating digital identities using cryptography and the blockchain. We had BitID using the cryptography behind Bitcoin for secure website login, Synero creating a decentralized social network where everyone owned their own identity, and Passcard allowing you to put your information into a blockchain. All of these are attempting to solve similar problems - creating a decentralized system of identities. An interesting goal for sure, but the approaches they take might not be enough to be a game-changer.
Related post - "Governments - do your job. Give us unique digital signatures!"
Value of disposable identities
When talking about online identities, we can generally put them into two categories - disposable and non-disposable. The first kind are cheap or free to create and don't carry a lot of value in themselves, such as email addresses, throwaway accounts and handles. We create them on a whim and throw them away once we're done. The second kind either cost a substantial amount of money to create or take a lot of time to grow, such as SSL certificates, personal social media accounts and similar accounts we tend to keep and grow for years.
All BitID, Synero and Passcard accounts start as disposable identities, with the Synero network aiming for its users to keep their accounts long enough for them to become non-disposable. Even though the identities are essentially free to create, they can still be useful, not for verifying real-world identities, but for keeping a consistent online identity ("I am 1PiachuEVn6sh52Ez7o6Fymvw54qvQ4RBm and I log in with the same identity as last week").
Problems with crypto-based identities
While identities based on cryptography are certainly an interesting approach, there are some problems they have that traditional ways of logging into online accounts don't have.
First of all, there is the problem of keeping the private keys used for identity verification safe while at the same time being able to use them whenever one needs to log in. It's all well and good if you have your smart device handy, provided it doesn't get compromised, lost, stolen or otherwise become unavailable. You can keep your private keys in an online wallet like Blockchain.info, or perhaps some password-storing solution like LastPass, but then your security is usually dictated by the strength of your password.
Another problem with crypto-based identities is that they lack provisions for what happens if you forget your password or your account gets compromised. If your Gmail gets hacked, there are ways you can get it back. If you forget your Facebook password, you can reset it. With crypto-based identities, the problem gets harder. You could store your password mnemonic in a secure location and the protocol could allow for setting up some fail-safe recovery methods, but it is very unlikely casual users would be able to use these methods effectively.
Identities on the blockchain - no silver bullet
When I heard about Passcard, I was sceptical about the usefulness of their approach of putting your identity on the blockchain. Since the information is publicly available for anyone to see and there is no cost associated with copying the information verbatim, at best this serves as a name tag anyone can write on.
As discussed before, such identities aren't too useful without some central authority to verify them. At that point, the system stops being completely distributed.
One could also ponder a similar approach with the data encoded into the blockchain being encrypted first. This way copying the data wouldn't be too useful since you would still need some key to decrypt it. If you combined this method with identity verification you could achieve some pseudo-anonymous identity verification, but it wouldn't prevent your identity from being leaked after the first time you decrypt it.
Conclusions
Identity verification and online identities appear to be following the bandwagon of "let's put everything on the blockchain and see if it sticks". While some of the approaches might be useful for some use cases, it is very unlikely we will see mass consumer adoption of such technologies in the near future. There are too many use cases that still need to be resolved.