Identity recognition framework under blockchain technology

Dan Elitzer is a member of IDEO coLAB, a shared platform for discovering and implementing new technologies, currently focusing on blockchain, digital identity, and the Internet of Things.

In this article, Elitzer adds a digital identity operational framework based on the research work of the IDEO coLAB team.

How do you identify yourself? By your name? Email address? Phone number? Driver’s license? Facebook account?

Last summer, IDEO coLAB brought together 25 students from Boston-area universities, including Harvard, MIT, Tufts, and RISD, to design enterprise models to explore the future of trust, transactions, and reputation. Before the research was conducted, I didn't think much about the concept of "identity proof" or "authentication system". However, after running iteratively, these abstract concepts began to take shape and become more tangible. Throughout the summer, we saw the entire team working on challenges related to identity verification:

●When you distribute digital tokens that represent voting rights on community projects, how do you ensure there is a real person behind each account?

●How can universities issue authentic digital certificates that graduates can prove are their own?

●When encountering an emergency, is there a way for doctors to automatically obtain relevant medical records while ensuring the security and privacy of medical records?

You might think the answers to these questions are fairly simple, but when you actually implement them, you’ll quickly discover that your solution is either prone to fraud or introduces some friction that users can’t tolerate.

Our exploration of digital identity continued into the fall of last year. In October, IDEO coLAB co-hosted a workshop with MIT’s Digital Currency Project, where students and professionals discussed the role blockchain technology can play in solving identity verification challenges in the financial services and healthcare industries.

To help guide the workshop discussion, we developed a simple framework for the core functions of identity systems. In parallel, IDEO coLAB went through several iterations in another project. While not perfect, we found it helpful in organizing our thinking and analyzing the potential applications of blockchain and other emerging technologies.

Issued

Whether it's a Social Security number assigned by the U.S. government or an email address that Google lets you choose, new identities and identifiers need to be created.

storage

Identity data needs to be stored somewhere. Usually it’s a private database with administrators controlling access, but technologies like IPFS and Blockstack are new models for data storage and retrieval.

verify

Individuals need to prove their identity. This can be done using one or more authentication factors: a password, a phone, a photo, or a fingerprint. For example, think about what happens when you show your driver's license at a bar or airport. The person checking your ID looks at the photo on it, then looks at you to confirm that you are the person in the photo.

Authorization

Once authenticated, an individual is authorized to perform a specific task. Whether it's access to a bank account transaction history or the ability to enter a bar, the identity system responds by allowing you to take actions to interact with a business or person based on knowing who you are or specific information about you.

recover

Wallet stolen or password forgotten? In the event of loss, you need a way to regain access to your identity data.

(Note: This is often the most obvious part of the usability vs. security tradeoff. Protecting an account with a 32-character random password is not going to work well if 'recovery' can be done with a zip code or the last four digits of a Social Security number. Conversely, requiring every user to print out a recovery key when they create an account is equally ridiculous.)

Upgrade Update

Users or administrators need to be able to add, delete, or edit attributes associated with an identity. Our identity information changes over time: addresses change, education changes, driver's licenses expire, and so on. So digital identities need to change as people change.

audit

How can others check that your identity data is correct?

In regulated industry contexts, such as financial services or healthcare, identity data and the processes by which it is recorded and accessed are audited by relevant government agencies. For user-controlled identity systems, such as PGP, where the code is open source, trusted data custodians make every effort to use public audits.

In our experience, all of the above are core components of every identity system. Each presents its own unique system design challenges, as well as opportunities to create better user experiences. How is the system used? Can it be hacked or exploited? Is a universal digital identity system possible or desirable? If so, who would create such a system?

We will continue to use this framework at IDEO coLAB as a starting point for our research into the future of digital identity. For example, our machine shop authentication system has been working as a prototype for a week. Identity can also be associated with objects, not just people, so we will expand on this topic in the context of the 'IoT + Blockchain Fellowship' this summer.

We look forward to sharing more about our thoughts and work in this space in the coming months.