Last month, I spoke with several analysts investigating how blockchain could be applied to identity and access management. Blockchain - a distributed, mathematically vetted ledger - already powers cryptocurrencies, but is also spawning ideas unrelated to payments (see Blockchain for Identity Management: It's Years Away).
For all blockchain's hype, the launch of the first-ever blockchain in early 2009 with bitcoin was truly nothing short of revolutionary. Satoshi Nakamoto, the pseudonym for bitcoin's creator, developed a way to run a truly decentralized, secure database that offers a financial incentive to anyone who participates in the ecosystem. That's because anyone who allows their systems to "mine" bitcoin - referring to the computationally intensive process of cryptographically verifying entries to the ledger that is bitcoin's blockchain - might receive bitcoins as a reward.
Distributed ledger technology also holds great promise for IAM. But it's complicated. Bitcoin's blockchain is primarily aimed at stopping people from spending the same bitcoin twice, which is accomplished through public key cryptography and the aforementioned mining. But IAM has many moving parts, and while ledger technology is mostly reliable, there are many other components and business issues that need solving before blockchain becomes identity-practical.
The analysts I spoke with largely feel it's still very early days for blockchain and IAM. But there are a variety of projects and trials underway around the world that they're watching closely. The results could eventually provide a path for creating something lacking - but sorely needed - for the internet: a protocol, or layer, for identity.
Here are six of the in-progress projects that hold promise.
The Linux Foundation is home to Hyperledger, a multipronged open-source project that is developing tools and frameworks for blockchains for applications such as smart contracts, asset ownership and supply chains. Hyperledger's Indy project covers decentralized identity. The idea is to use a blockchain for storing identities that could potentially be used across different services but also leave a person in control of their information - a concept referred to as self-sovereign identity.
Civic of San Francisco is another company developing a self-sovereign ID system that would let consumers selectively share information with companies. Civic's identity platform has a mobile app through which users can enter their personal information, which gets stored in encrypted format. The company is working on partnerships to bring on "validators," or entities such as governments and banks, that can validate an individual's identity information and then leave their stamp of attestation in the blockchain.
Civic, in a white paper, envisions that validators and service providers who need identity information will execute smart contracts, with validators paid in a native cryptocurrency dubbed Civic. Users benefit by not having their identity information collected by a multitude of service providers and thus face a lower risk of identity theft.
Sovrin is a non-profit foundation that is managing the development of one of the first self-sovereign identity networks. One of the key differences between Sovrin and bitcoin centers on who is allowed to participate in the distributed network. With bitcoin, anyone can mine transactions, but in Sovrin, only trusted entities are allowed to write to the ledger. The open source code used by nodes to run the ledger, called Plenum, comes from Evernym, detailed below.
Sovrin's code is based on Hyperledger Indy, but the projects are distinct. Sovrin is tackling one of the complicated tasks for blockchain-based identity projects, which is establishing frameworks and governance that will inspire confidence for broader use.
Evernym of Herriman, Utah, is one of the many private companies developing products and services around self-sovereign ID. Because IAM using blockchain is such a huge undertaking with many potential stakeholders, no entity can tackle it alone. So Evernym's Plenum code, which forms the basis for Sovrin, is open source.
Real-world trials are underway. Last September, Evernym announced a blockchain pilot with the state of Illinois. The state is one of the first to have launched a group, the Illinois Blockchain Initiative, that is looking at government uses of distributed ledger applications. The pilot focuses on storing birth registration data in a ledger with a decentralized identifier. Doing so allows third parties, with proper access credentials, to access the data and use it for authentication. The thinking is that storing data in this way would be a vast security improvement over proprietary, centralized databases.
Spain's national blockchain project, Alastria, will use a semi-public ethereum-based blockchain that requires permission to access. The impetus behind Alastria is to develop self-sovereign identities that can interact with applications or smart contracts developed by Alastria's members.
To make that happen, Alastria's network uses Quorum, a protocol for consensus-based blockchains. No flavor of cryptocurrency will be incorporated into the system even though ethereum has a native currency. To ensure blockchains don't get jammed with spammy transactions, often some value - either a token or a fraction of a cryptocurrency coin - needs to be burned. "Proof of burning" typically refers to a miner demonstrating that it has sent some coins to a verifiably unspendable address. The thinking behind burning is that it requires computational effort and thus isn't "free."
Quorum's approach is that as transactions get executed, proof of burning will be required but will not cost any cryptocurrency, according to Alastria's documentation on GitHub. Alastria hopes to have a newer version of its test network running by March.
uPort, based in Brooklyn, New York, has developed a smartphone app that embodies the principles of self-sovereign identity. Its system works with the ethereum blockchain, which is not only designed for virtual currency transfers but also decentralized applications or smart contracts.
uPort has a trial running with the city of Zug in Switzerland to create digital identities that can be used for government services. Once someone creates a uPort ID, they must go to a physical city office to verify their information, using real identity documents. The verified digital ID - stored on the ethereum blockchain - can then be used for proof-of-residency or e-voting. In a blog post, uPort explains the on-boarding process in detail.