Biometrics and blockchains: Why identity matters (part 1)

Aug 30, 2017 | 6 mins
Biometrics | Data and Information Security | Identity Management Solutions

Identity matters because anonymity is no longer the online default.

This is the first of a three-article series on identity and biometrics via blockchain technologies. In this first article, I’ll review the motivation behind using biometrics and blockchain for online identity management. In the second article, I’ll critique the capabilities and limitations of blockchain technologies. In the third and final article, I’ll discuss the requirements for a new idea – the Horcrux protocol – that will securely link your biometrics and online identity credentials via blockchain technologies.

Currently, we depend on governments to issue identity credentials in the form of specialized documents like passports, birth certificates and driver’s licenses. These documents are physical representations of information kept by a central authority in protected digital storage, but they can be used for identification independently of those centralized systems. For example, you can open a bank account or board an airline flight using only your driver’s license. If lost or stolen, the same documents can be used by identity thieves to wreak havoc on our lives, and replacing them can be an expensive, painful and arduous process. Many of us keep these documents in fire-proof safes, safe deposit boxes or similar containers to guard them against loss, theft or damage.

How would you replace your driver’s license if it were lost? Typically, you walk into a government office like the Department of Motor Vehicles, fill out a form, and a clerk compares your face with the picture in their system. Your face is partial proof of identity, combined with knowledge of personal information such as your home address, and your physical presence in front of the clerk is itself an attestation of who you are.

Proving and securing your online identity is much more difficult. Can you open a bank account without visiting a branch in person? In most jurisdictions, the answer is no, because banks depend on physical identity credentials to prove you are who you claim to be. Banks need reliable proofs of identity to fulfill anti-money laundering (AML) requirements and enforce know-your-customer (KYC) compliance, so you must appear in person and attest to your identity in the presence of another person. Furthermore, in some jurisdictions (e.g., Mexico and Brazil), banks use biometrics (e.g., single- or two-finger fingerprint capture) at ATMs and are required to check all clients against national criminal databases.

In the near future, banks and other institutions will be able to prove your identity online without requiring your physical presence or documents. Biometrics collected securely on mobile platforms will allow institutions to enroll new clients remotely, but linking your biometrics to an existing identity remains a formidable hurdle. For example, it is now possible to open a bank account online in the Netherlands and comply with national identity requirements through online enrollment. Ironically, that enrollment process involves a video chat session in which you must still present a national ID or passport. To do away with the physical document, a trusted authority is needed to broker the enrollment transaction between the user and the bank. Governments (and the private companies they outsource such services to) are beginning to offer online identity services, but standards for establishing and referencing identity credentials in the digital world have only emerged in the past decade.

Protocols like SAML, OAuth2 and OpenID Connect (OIDC, which is built on OAuth2) were the first steps toward brokering identity online via trusted identity services. These protocols introduce third-party identity providers (IdPs) that hold your credentials and relieve service providers (SPs, i.e., the website you need access to) from having to collect, store and manage identity credentials. Whenever you see “Login with Google” or “Login with Facebook”, that’s OAuth2 and OIDC in action behind the scenes (SAML plays the same role in enterprise single sign-on). These protocols can also limit what is shared with a service provider to the attributes you approve, which helps preserve your privacy: the SP requests a set of scopes, and the IdP releases only the claims those scopes cover. In principle, if a website requires you to be over 18, the IdP could assert only that fact without divulging your birth date, name or any other sensitive data, although standard OIDC defines a birthdate claim rather than a derived over-18 claim, so such minimization depends on what the IdP is willing to issue. What these protocols reliably attest is control of an account at Google, Facebook, etc.; those accounts are typically not tied to government identity credentials, so they cannot typically satisfy the KYC needs of banks and other financial institutions.
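To make the IdP/SP split concrete, here is an added example (not code from the article or from Veridium) of the two halves of an OIDC-style login: the IdP mints an ID token carrying only the claims the approved scopes cover, and the SP validates it before trusting anything in it. It uses only the Python standard library. Assumed throughout: a hypothetical IdP at `https://idp.example`, an SP registered as `sp-client-123` with a shared `CLIENT_SECRET` (HS256 signing with the client secret, which OIDC Core allows as an alternative to RS256), and a non-standard derived claim `age_over_18` that this IdP is assumed to be willing to issue.

```python
"""OIDC-style ID token issue and verify, standard library only.
Added example, not code from the article or from Veridium; the issuer,
client id, secret and the "age_over_18" claim are assumptions."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"      # assumed IdP issuer identifier
CLIENT_ID = "sp-client-123"         # assumed SP client_id; becomes the "aud" claim
CLIENT_SECRET = b"assumed-shared-client-secret-for-hs256"

# Claims released per approved scope. "openid", "profile" and "email" follow
# OIDC Core (abbreviated); "age_over_18" is an assumed derived claim.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "birthdate"},
    "email": {"email"},
    "age_over_18": {"age_over_18"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()


def issue_id_token(user: dict, scopes: list, nonce: str, now: int = None, ttl: int = 300) -> str:
    """IdP side: mint an ID token carrying only the claims the approved scopes cover."""
    if "openid" not in scopes:
        raise ValueError("an ID token requires the openid scope")
    now = int(time.time()) if now is None else now
    released = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    payload = {k: v for k, v in user.items() if k in released}
    payload.update({"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "exp": now + ttl, "nonce": nonce})
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())).encode()
    return signing_input.decode() + "." + _b64url(_sign(signing_input))


def verify_id_token(token: str, expected_nonce: str, now: int = None) -> dict:
    """SP side: the checks OIDC Core requires of a relying party before trusting the token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    # Pin the algorithm instead of trusting the header: this rejects alg=none
    # and key-confusion tricks where the attacker picks a weaker algorithm.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _sign((header_b64 + "." + payload_b64).encode())
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not intended for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or injected token)")
    return claims


def forge_unsigned(token: str) -> str:
    """Attacker attempt: rewrite the header to alg=none and drop the signature."""
    _, payload_b64, _ = token.split(".")
    return _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()) + "." + payload_b64 + "."


def is_rejected(token: str, nonce: str, now: int) -> bool:
    """True when verify_id_token refuses the token."""
    try:
        verify_id_token(token, nonce, now=now)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample user record held by the IdP.
    user = {"sub": "u-42", "name": "Alice Example", "birthdate": "1990-01-01",
            "email": "alice@example.test", "age_over_18": True}
    token = issue_id_token(user, ["openid", "age_over_18"], nonce="n-1", now=1000)
    print(verify_id_token(token, "n-1", now=1100))          # no name, birthdate or email released
    print(is_rejected(forge_unsigned(token), "n-1", 1100))  # alg=none is refused
```

The point of the verifier is that every field is checked against values the SP already knows (its own client id, the IdP it expects, the nonce it generated for this login) rather than against whatever the token says about itself; the `alg` pin in particular is the difference between a signature check and a signature-shaped no-op.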

So, who should hold your definitive identity credentials? A company? A local government? Regional? National? An international entity? Any centralized service risks being a single point of failure in the case of fraud or cyber attack. The broad consensus of the identity community for the past few years has been that any such service should be decentralized, enforce information integrity, be resilient to attack, and leave the individual user as the ultimate owner and sovereign controller of their own identity credentials. Their conclusion is that blockchain technologies offer the only solution that satisfies all of these requirements. Around a dozen companies are currently working on digital identity solutions that exclusively use a blockchain to store identity credentials. Proposed methods like Decentralized Identifiers (DIDs), specified by the W3C Credentials Community Group, may be used in the future to secure your identity credentials via blockchain. A DID is registered on a blockchain and “points” to an off-chain object called a DID Descriptor Object (DDO; later drafts of the specification call it a DID document), which holds the public keys used to authenticate the DID’s controller. DDOs could also reference many kinds of objects, including verifiable claims about a given identity (e.g., proof of age). Such claims could be issued by enterprises like banks or government agencies, yet remain in the citizen’s sovereign control after issuance. Your credentials would then be independent of a central authority, with added security benefits like tamper evidence (integrity) and non-repudiation inherent in blockchain technologies. Note: personally identifiable information (PII) should never be stored on a blockchain, because a public ledger cannot be edited or erased. A DID refers to an off-chain DDO, which may in turn contain or reference encrypted PII; the chain holds only the identifier and a hash that lets a verifier detect tampering of the off-chain document.
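The following added example (not the article’s code, and not a W3C reference implementation) shows the separation the paragraph describes: the ledger holds a DID, a pointer and a document hash, while the DDO with its public key and claim commitments lives off-chain, and a verifier refuses any off-chain document that no longer matches the anchored hash. Instead of encrypted PII it stores salted hash commitments to claims, so the holder can later disclose one claim (value plus salt) to a verifier without anything identifying ever touching the ledger. The “ledger” and “off-chain store” are in-memory dicts standing in for a blockchain and a document server; the DID method `example`, the key type, the storage URI and all sample values are assumptions.

```python
"""DID anchored on a ledger with the DID document (DDO) kept off-chain.
Added example, not the article's code nor any W3C reference implementation;
the ledger, store, DID method, key type and sample values are assumptions."""
import hashlib
import hmac
import json
import re

# Simplified DID syntax: did:<method>:<method-specific-id>
DID_RE = re.compile(r"^did:([a-z0-9]+):([A-Za-z0-9._:%-]+)$")

LEDGER = {}     # on-chain: did -> {"doc_hash": ..., "doc_uri": ...}; never holds PII
OFF_CHAIN = {}  # off-chain document store: uri -> DDO


def parse_did(did: str):
    """Return (method, method_specific_id) or raise on malformed input."""
    match = DID_RE.match(did)
    if not match:
        raise ValueError(f"not a DID: {did!r}")
    return match.group(1), match.group(2)


def canonical_hash(obj) -> str:
    """SHA-256 over a canonical JSON serialisation so equal documents hash equally."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def commit(name: str, value: str, salt: bytes) -> str:
    """Salted commitment to one claim; without the salt it reveals nothing about value."""
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).hexdigest()


def build_ddo(did: str, public_key_hex: str, claims: dict, salts: dict) -> dict:
    """Off-chain DDO: an authentication key plus commitments to claims, no raw PII."""
    parse_did(did)
    return {
        "id": did,
        "publicKey": [{"id": f"{did}#key-1", "type": "assumed-key-type", "publicKeyHex": public_key_hex}],
        "claimCommitments": {name: commit(name, value, salts[name]) for name, value in claims.items()},
    }


def register(did: str, ddo: dict, doc_uri: str) -> None:
    """Write the DID, a pointer and the document hash to the ledger; the DDO stays off-chain."""
    parse_did(did)
    if did in LEDGER:
        raise ValueError("DID already registered")
    if ddo.get("id") != did:
        raise ValueError("document id does not match DID")
    OFF_CHAIN[doc_uri] = ddo
    LEDGER[did] = {"doc_hash": canonical_hash(ddo), "doc_uri": doc_uri}


def resolve(did: str) -> dict:
    """Fetch the off-chain DDO and refuse it unless it matches the on-chain hash."""
    entry = LEDGER.get(did)
    if entry is None:
        raise ValueError("unknown DID")
    ddo = OFF_CHAIN.get(entry["doc_uri"])
    if ddo is None or canonical_hash(ddo) != entry["doc_hash"]:
        raise ValueError("off-chain DID document missing or tampered")
    return ddo


def verify_disclosure(did: str, name: str, value: str, salt: bytes) -> bool:
    """Holder reveals (value, salt) for one claim; the verifier recomputes the commitment."""
    expected = resolve(did)["claimCommitments"].get(name, "")
    return hmac.compare_digest(expected, commit(name, value, salt))


def ledger_mentions(text: str) -> bool:
    """Helper for checking that a value never reached the ledger."""
    return text in json.dumps(LEDGER)


if __name__ == "__main__":
    salts = {"name": b"\x01" * 16, "birthdate": b"\x02" * 16}  # constructed; use os.urandom(16) in practice
    claims = {"name": "Alice Example", "birthdate": "1990-01-01"}
    ddo = build_ddo("did:example:abc123", "04" + "ab" * 32, claims, salts)
    register("did:example:abc123", ddo, "https://store.example/abc123")
    print(ledger_mentions("Alice"))                                                                # False
    print(verify_disclosure("did:example:abc123", "birthdate", "1990-01-01", salts["birthdate"]))  # True
```

Two properties carry the security argument: the ledger entry contains nothing a third party could link to a person, and any edit to the off-chain document (here, swapping a claim commitment) is caught at resolution time because the hash anchored on the chain no longer matches. A real DID method would additionally require the controller’s signature on document updates; that is left out here because signing is not what this paragraph is about.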

But a critical question remains: how will you claim that a given identity credential on a blockchain is yours? Blockchains are pseudonymous and designed to be opaque to identity. Can blockchains be used to broker verifiable claims? How will you associate yourself with those claims and prevent others from claiming your credentials? One possible answer is to authenticate to the blockchain credential itself. Enterprises will play a critical role in issuing verifiable claims and verifying the identities associated with them. To be associated with a claim, you must either know something (e.g., a password), have something (e.g., a token or the private key that controls the credential) or be something (e.g., biometrics). But if the password or key of a blockchain credential is lost, it may be very difficult if not impossible to recover, because there is no authority to appeal to for a replacement. A token can be lost or stolen. That leaves biometrics, which you cannot forget or leave at home, as the strongest candidate for identity credential management on blockchains, with the caveat that a biometric cannot be reissued if compromised, which is one more reason the biometric data itself must stay off the chain.

In the next article, I’ll briefly explore the current myriad of blockchain-based identity projects and the limitations of blockchain technologies when used with biometrics for authentication.


John Callahan, Chief Technology Officer at Veridium, is responsible for the development of the company’s world class enterprise-ready biometric solutions, leading a global team of software developers, computer vision scientists and sales engineers. He has previously served as the Associate Director for Information Dominance at the U.S. Navy’s Office of Naval Research Global, London UK office, via an Intergovernmental Personnel Act assignment from the Johns Hopkins University Applied Physics Laboratory. John completed his PhD in Computer Science at the University of Maryland, College Park.

The opinions expressed in this blog are those of John Callahan and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.