Self-sovereign biometrics and the future of digital identity

Could we travel without passport or any documents? Our biometrics hold the key to efficient, safer and more secure travel in the future according to a 2018 World Economic Forum report.

biometric security retina scan

I've been doing a huge amount of reading here at the start of 2018 about the future of biometrics.  Last year, I wrote a 3-part series on blockchain & biometrics centered around the concept of self-sovereign identity.  I began talking about "owning your own data" back in 2011 (called it "fungible cloud"), but expected the idea to take over 10-15 years to even germinate.  Fortunately, I was wrong, because things are happening faster than I anticipated.

The future of travel: no passports, just biometrics

Whenever I travel, I keep my passport close at hand.  As few years ago, a colleague lost his passport to theft during a business trip.  He missed most of the conference, had to visit the local consulate, and needed a note from the local police to travel home.  Fortunately, he spoke the local language but it was still an immense hassle and a stressful experience.

Last month (January 2018), the World Economic Forum released a well-written and researched report "The Known Traveller: Unlocking the potential of digital identity for secure and seamless travel" [1] in which they recommend self-sovereign identity and biometrics as the integral solution to the identity problem: the disparate, centralized identity systems maintained by individual nation-states are inefficient, incompatible, lack privacy controls, and highly vulnerable to cyberattack.  The report states that the current system (passports, border control points, etc.) cannot handle the expected 50 percent increase in worldwide travel and meet security requirements.

The WEF report recommends a radical change in the global management of identity: a shift to self-sovereign identity in which persons hold and control their own identity data, including biometrics.  They cite organizations like the Decentralized Identity Foundation (DIF) and the Sovrin Trust Framework as leading examples of vendor-neutral, standards-based self-sovereign identity efforts that could lead us to the promised land.

But while the report presents an optimistic vision for the future of digital identity, several critical barriers remain to be solved around biometrics.  First, while the WEF report supports cloud-based storage of identity information, the necessary advanced security and privacy controls are not discussed or glossed over.  Given that biometric data already lives in cloud-based systems (e.g., Aadhaar), a migration plan is needed to move that information to individual storage "hubs" in the cloud owned by individuals.  Such hubs should be highly regulated, secure, and globally available to all persons.  The report mentions nothing about the economic incentives and other infrastructure needed to realize this vision.  Without a serious discussion regarding the security (via encryption, compartmentalization, and individual control and ownership) of private data in the cloud, I am pessimistic given the silos of vendor-locked data in our FAMGA world (FAMGA = Facebook, Apple, Microsoft, Google, Amazon).

Ester Dyson cited these and other concerns to speakers at the WEF in Davos.  Some took this as a negative critique, but I am encouraged that the dialogue has finally begun around self-sovereign identity has moved from the "wacky idea from the techies" stage to a serious discussion of how and when.  Gartner also published a report recently entitled "Blockchain: Evolving Decentralized Identity Design" in which they identify vendor-neutral efforts like Sovrin as a way forward to achieving a scalable and secure solution toward global digital identity management.

In 1991, my first PhD advisor, Dr. Mark Weiser, published a paper in Scientific American entitled "The Computer of the 21st Century" in which Mark and his team at Xerox PARC laid out their vision for ubiquitous computing, aka "ubicomp".  I had the pleasure of attending one of the early events at PARC while still a grad student.  I remember Mark saying that the idea of a "personal" computer and "personal" device was an anathema to the ubicomp vision because this ties your valuable data to a machine.  Rather, your data (and he stressed "YOUR DATA") should be available to you "anytime, anywhere" on the globe.  Mark passed away in 1999 before the term "cloud" was popularized, but he would be complaining about the lack of secure, private, ubiquitous, and interoperable cloud storage and compute for everyone.

Identity hubs: personal cloud storage for your digital identity

You probably already have lots of data in the cloud: your email, Google docs, Dropbox, pictures in iCloud, etc.  Your mobile phone already stores a large amount of your personal data, but it can be lost or stolen.  According to the original ubicomp vision, the personal device is not a precious gem, but more like a disposable pen or pencil.  It is already getting easier to migrate from an old phone to new phone given iCloud, GDrive and OneDrive services.  In the future, you will be able to use other people’s devices if your device is unavailable.  Your biometrics will help authenticate you on the borrowed device and access your data in the cloud.

Governments will issue digital passports, but where will you store it?  As members of the Decentralized Identity Foundation (DIF), Microsoft and Blockstack are working on protocols for generalizing personal storage across mobile devices, cloud storage vendors and even desktop NAS drives in your home (remember my “fungible cloud” idea?).   Governments, banks and other issuers will “push” your digital credentials back to your personal cloud storage (via your mobile device perhaps) where YOU will own the data.  Replication across several cloud storage providers will protect you from loss and make the information more available.  Microsoft calls the concept “identity hubs” and imagines blockchains as the social glue used to between your issued digital credentials and service providers.  As a self-sovereign identity, you access to the the digital document even though it lives in the cloud. 

Much of our data already lives in the cloud, but it needs to be better secured, made highly available and put under sovereign control of each individual.  We need open and interoperable standards for digital identity credentials; inter-cloud storage and replication; cryptographic key management and recovery.  We also need incentive models that encourage individuals to take interest and control of their data.  Our current cloud systems are non-interoperable silos that trap data under control of and for the benefit of a platform.  We have a long road ahead of us.

Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)