10th August 2018: Link to EEMA Identity Blog
Two buzzwords often heard in identity today are self-sovereign identity and distributed identity. The reason for considering new models for identity is, among other things, to avoid a single point of dependency and to put the user is in control of his or her identity and decide how much information to share with whom.
It’s a compelling story. Who wouldn’t like more control over who has access to their data? Unfortunately, while the story is easy to sell, implementing self-sovereign identity is a much harder problem. What are the implications of this model of identity, and where will the responsibilities lie?
A digital identity gives a person access to their email, bank account, property, digital money and more. The hard part is binding a physical person to a digital identity. Identity professionals spend a lot of time trying to figure out secure ways of doing this.
In his blog The characteristics of Blockchain can be very valuable to identity, Kim Cameron said that “you should not lose your identity if a country has a political melt-down”. I completely agree. But it can take much less than revolution and anarchy for something to go wrong—neither should someone lose their identity if they fail to backup or forget a private key.
Human beings are not reliable
Anyone who has ever known a human being for any length of time knows this. They forget passwords and credentials and do not create backups. New technology that relies on fallible people to keep credentials safe comes with undeniable risks. A good example of this are the 23% of all bitcoins that are now lost, thanks to lost passwords and hard drives that now lie in landfill.
It’s unwise to create an infrastructure where ownership of possessions depends solely on people’s memory. Raise your hand if you have NEVER used the “I forgot my password” function. Raise your hand if you have NEVER lost a car key or a house key or needed help to access a locked space. Not a lot of hands, right?
In these situations, we can call a locksmith or demand a new password. Whether physical or digital, we can depend on somebody being there to assist if we get locked out. Unless we implement recovery mechanisms, self-sovereign identity means that there is no one that can help.
With self-sovereign identity, each user has a private key, designed in such a way that a brute force attack is close to impossible. This is clearly a good thing, as it prevents others taking over your digital identity. But putting the only possible key to access the digital identity in the hands—and forgetful brains—of the users invites disaster. There is no back-door. There is nobody to call.
It’s not just forgetfulness we need to worry about, as people have accidents or illnesses which can affect their memory. And when they die, and assets are to be passed on, the private key needed to access your digital identity is lost forever. We need to consider a worst-case scenario, such as someone’s house burning down, traumatizing them into losing their memory—and the recovery codes, carefully noted down and put in a sealed envelope, are also gone.
We need identity custodians
Clearly, we need identity custodians: an entity we can trust and call upon if we have a problem. Somebody who is able to give a key back when it’s lost. Ideally, we should be able to choose which identity custodian to use and switch as often as wanted. We also need different custodians for holding identity data and holding a key in escrow, to ensure segregation of responsibilities, and to reduce risk of exposure.
However, there are several fundamental challenges with using custodians:
– First is access to a user’s private key, which must be high-friction. It should not be possible for a rogue employee of an identity custodian to get access to your private key. But it must be possible, with your involvement, to recover the key. High friction and convenience do not go hand-in-hand.
– How do you prove who you are… when you cannot prove who you are? The key recovery must handle the situation that you have forgotten the key entirely and have no possessions that can help.
– The third challenge is building a key recovery system in such a way that it is secure, cost-efficient and usable. No system will be 100% secure, but due to the importance of keeping private keys private, a high level of security is a must.
One way to build such a system would be to split the key into several parts and have these parts stored physically (for example as a printed document), to make it more resistant to digital attacks. The physical presence of the user would be required to ensure a biometric match. The correct key would be handed to the user after all the parts have been collected. Procedures on the part of the identity custodian are important here to ensure that only the user and not the custodian gets the parts needed to reconstruct the private key.
Clearly, creating a secure, cost-efficient and usable management of identities is not simple. Self-sovereign identity, often discussed as a straightforward identity system, actually requires clunky solutions and multiple custodians to support it. It’s important to keep this in mind when these buzzwords are thrown around.
Author: John Erik Setsaas is Identity Architect at Signicat and a member of the EEMA Board of Management