KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Blockchain, Identity and Privacy: Three words that buzz, fade and mature.
The blockchain is currently one of the most-hyped technologies. In this panel, we will explore how security and privacy can be enhanced by blockchain technology and outline the challenges ahead. Further, we discuss If and when blockchain-based identity projects reach critical mass in terms of user adoption, they could help get more decentralized services off the ground.
Blockchain, Identity and Privacy: Three words that buzz, fade and mature.
The blockchain is currently one of the most-hyped technologies. In this panel, we will explore how security and privacy can be enhanced by blockchain technology and outline the challenges ahead. Further, we discuss If and when blockchain-based identity projects reach critical mass in terms of user adoption, they could help get more decentralized services off the ground.
My name is Ruben. I work at consensus, which is a big company in the, the space. We built all kind of applications and tools around the, the ecosystem. And I'm one of the founders from Newport, which is the identity solution within consensus.
And yeah, we are working a lot with the industry to, I dunno, establish standards and interoperability between us of like, how can we establish a world of self where GDPR and other things are taken care of and still achieve the ability that you can use this technology to achieve better trust. And like the interaction would, I think was just mentioned enabling people to interact in this web 3.0.
Great, thank you. Amit Mattel, I'm a co-founder of trusted key. Trusted key is a digital identity platform that enables our vision is to enable users to take control over their digital identity in today's world, where they can manage that identity who gets access to it, how it's used. We use blockchain as a way of, you know, in a very, very specific way, which is to maintain a certificate revocation list, which we think is the appropriate use of blockchain. We don't store identity on it. And initially we are very, very focused on enterprise scenarios because those are the company.
What we found is those are the companies who see most interested in moving and actually doing implementations in the identity front. Hello, my name is Maria Dahan. I am the founder and CEO of the world identity network. And before launching this initiative last year, I was with the world bank and I was coordinating the identification for development agenda.
So the way I came to realize the potential of the blockchain is exactly that is how do we give more power to individuals and previously working with governments and launching such a big agenda that was helping governments to establish national ID systems. I could not help, but notice the damage that this could potentially create, like what happened in India with the, our system or some other very high profile security and privacy breaches.
So I hope this panel will help us realize what are the benefits, but also the dangers of the blockchain technology, like any other technology that can be used for good and for evil in, how do we keep in mind those who are marginalized today, those who lack any form of identity. And as a matter of fact, cannot log into any authentication system or use any of these fancy systems. How do do we make sure that we onboard them as well into the digital economy?
Well, I think like Mariana, I'm also quite concerned with some of the potential ethical implications and marginalization as these global technologies continue to be centralized. My name is Mark Stephen Meadows. I'm the CEO of Botanic technologies and we provide our customers the tools to build multimodal authenticated bots. So these are conversational systems. We have some customers here in Seattle, we have, for example, on Skype, deploy a system where there's a character with a face and it can see you and you can see it and you can talk to it and it can talk to you.
And we began developing these systems in 2011 when I founded the company and discovered Bitcoin. And then as we went through the proclivities of a startup, we went through the Ethereum ICO and we thought, wait a minute. There's so much work to do within these conversational systems. What have we provided a marketplace by which other bot developers that we knew and other people working in the space of AI were able to do exactly what you was mentioning.
It's how do we recognize the problems that AI is confronting us with and how do we begin to build a system by which people that are contributing data to those systems can be compensated. So that there's actually a means of, of curating that data. And so we started seed token.io, and we now have about 600 partners that are stacked up and about 15,000 developers.
And, and we are just a new economy now is sparking, but I think I'm up here because for me identity, isn't just something that's about a person it's also about perhaps a system that might represent us like a bot or something that might work with an IOT system. Well, thank you. I won't introduce myself cuz I've already been introduced, but I think we can start off the conversation. I think what Mariana was talking about is very important. We cuz we're, we're already using block pass and various services and like globally.
So what we're finding is obviously not everybody has a passport, not everybody has a national ID. So there are part, you know, you know, they're parts of the world, you know, huge populations that in the world and developing countries mainly that are unbanked, they don't have access to financial services because they can't prove their identity. Right? So this is a huge, huge obstacle to overcome in the UN and various other organizations are working in all, all kinds of different, different applications to, to deal with this identity issue, biometric whatnot.
There's the sort of web three C sort of standard D I D there's, but that's not gonna solve this problem. And the just decentralized identity foundation is working on D I D supposedly to, but this is not gonna be solved by solve this problem with sort of identity and developing countries. So what we at block path want to do is work towards that. And obviously we need to work with all kinds of partners to integrate technologies that facilitate this. And I wanted to know if the other members of the panel have any ideas on how we can solve this problem.
So I personally know a couple of members of this panel who have their ideas, just getting back to your comment about what the United nations and other big development agencies are doing. Well, I've spent a big chunk of my career in this space. And I think that today, these large organizations need to be better informed, but just like anyone else about what works and what doesn't.
And today, unfortunately, not too many pilots are being done on the ground in the countries, working with the governments and the civil society. There, there are a lot of very exciting pilots happening in the Silicon valley and maybe here in Seattle. But I think there are still very few that are being done in these communities.
However, everyone wants to save the world and everyone says what they develop works for refugees or, you know, for people in vulnerable situations. Still none of these companies of very few have actually been to a refugee camp and tested those solutions or even better co-created and co-developed them with those people.
And I, I know a couple of such startups that are doing great work in this space. And I wanted to run an idea by you. Do you think biometrics are really important and needed? It is something I've been struggling myself for, for a while at the world bank. We we've been looking into this and working with governments to see if this is really a solution, but now I'm hearing that for privacy reasons, there must not be such a strong link between the person it's biometrics and anything the person wants to do with its identity to access services, to assert their rights.
So there are a couple of companies that today work endorsing this self sovereign identity concept, asserting their identities without revealing they biometrics. So I know someone who may say something about this, I dunno when you understand. So I think at this point using biometrics to secure the access to a key on the phone is I think the right way. I think that's where we are. And that's what like face ID and other things are doing. It's not the, the biometrics are not leaving the phone.
I think there are some ideas we have been talking about where you get enrolled and what, what apple does. You have this template on your phone? And it just compares something. It might be an interesting thing to have biometric template in form of a verified reclaim. So someone has done that work and gives this to you. And the moment when I go somewhere, I could, I could share this template and then get authenticated similar to a show, a photo when I enter with my face a bar or something else. So that that's a very local transaction.
It doesn't need to be stored anywhere else besides just very local communication about that thing. I think that's the only place where I'd see biometrics at this point. Let me just add a couple of things. I think a core issue around identity, especially digital identity is this issue of durability. And so let me explain what I mean there in the us inadvertently people use the social, social security number as a form of identity. It was never intended to be that there's illusion, that it's a secret, which is kind of absurd, cause everyone knows it.
Anyone you do any sort of official transaction with everybody in your bank knows it, but a big challenge with social security numbers as a form of identity is it's durable. If it gets compromised with, you know, air codes in any way, you can't really change it, it's stuck with you for life. Okay?
So, so that has already been a sort of, you know, no pun intended durable problem in, in the us with identity. Now, when you create a digital identity, which is different than a sort of a transaction where you hand someone, a physical document, get it back. That digital identity is also durable. In other words, once it gets compromised, it can be used misused multiple, multiple times. And so security around that identity becomes much, much more important. And the security around your passport or your driver's license cause your password driver's license.
You mean you can do things like replace them or, you know, when you know, their verification is only transactional with biometrics, in some ways it kind of compounds the problem because if you use biometrics to secure your digital identity, it depends how the biometrics are used. You know, because one of the fundamental things is that your retinal scan and your fingerprints cannot be changed.
You know, I mean maybe they can be changed in a James V movie, but for most people, you know, that's inaccessible kind of mechanics, which means that if you use your biometrics in some sort of durable store, especially in the shared store, I think that is a incredibly terrible idea. It's a horrible idea. And yet there are companies who are proposing doing exactly that as a tactical way of unlocking a local store, you might get away with it. I think that might be a good thing, but you know, as a global thing, I think it's a incredibly bad idea. Yeah.
I'd like to, I'd like to add to that and really underscore it. I think that durable identification that can be compromised is, is toxic.
And so, you know, Roen what you were saying earlier about, let's make sure it's on a local device is valuable and excuse me, I, I trust apple with my face and I trust apple with my thumbprint, but I don't ever let it out anywhere else because that's a password that could be hacked. Okay.
So I mean, I think what you're saying there makes complete sense. Now I look at this as a system by which we need to recognize that there's publicity and there's privacy and you know, that I've spent time in four different war zones. So I appreciate what you're saying and the needs and the abilities of the people that are, there are quite different than those of us are here in the room today.
And I think that one way we can consider these systems is a recognizing that durable identity or something that is biometric, regardless of whether it's self-sovereign or not, should certainly be given highest respect. But then let's also look at the publicity that we have with things like Facebook, where our identities are absorbed by these systems, the value or personal data is sucked up into those things. And that's where my AI background comes in. Cause I'm like, wait, I just gave my identity to that system. And now it's like making an AI that tells me what to feel later. Okay.
So what I wanna try to do is to clean this up a little bit. It's like a house and outside there's the public street and everyone's moving back and forth. I'm cool with that being public. Then I've got my front yard and I'm okay with the kids next door, maybe playing there a little bit. It's kind of, kind of public. Then there's my front doorstep. And if somebody's there, then I expect to interact with them. By the time they come in the door, I wanna make sure I know who they are and what our relationship is. If I find them in my bed, I'm a little bit like, wait, you're not my wife.
Like, okay. So there's, there's these levels that we have between privacy and publicity and what is durable should be at the bed in the middle. And that should always be something that cannot be copied as far as I'm concerned. Now I mentioned the issue of apple, cuz I do trust that company, but I think that these are luxuries that most people around the world don't have. And so it's our responsibility in this room to figure out how do we protect these different layers of essentially a fungible or, or anti federated identity. Does that make sense?
Yeah, just go ahead. Quick question. So I've so the persistent identifiers bind metrics SN the way I've heard it described before is it's okay to have publicly accessible identifiers, but the authenticators should be private. So would you maybe talk about why it's okay in the Scandinavian countries to have your identifiers fully public and how come it works there, but it doesn't work in the us and related to identifiers versus authenticators. Hopefully that's not too Cool. Don't wanna answer that question.
Well, I mean, I think for one, the Scandinavian countries generally are much more evolved in their sense that collaboration is a thing that provides freedom. And here in the United States, we have values that say the independence is what provides freedom and those things absolutely at odds with each other. That's why I here in the states, we have so more traffic jams and they don't. So we can take a look at this data Providence model that you brought up as being just another, you know, example. Yeah. I think also like I know that in Sweden, this bank ID is a very popular method.
I think the difference there is you have a system where you can actually prove something. It's not just a number. So I think if you combine this, what, like if you have an identifier and you have the private key to in the moment can prove that you are the person or the identity who's actually want to perform this action. It's a very different thing rather than a number in the dark web. Everybody can see, I think at the end, I mean we were looking, we were thinking still in very limited way, thinking us thinking Scandinavia, if you, we were talking about unbanked populations.
I mean, there, there are, these populations are all over the world. So in the Philippines in Africa, you know, you name it. And I told you before about a company called TNG, which is a Hong Kong based startup that has raised like a hundred million or something like that. And they're developed this wallet E cash wallet, which is they're targeting developed populations, UN sorry, undeveloped unbanked populations. And they're finding it difficult to, to do it identification.
And really, really, when we are talking about it with, without biometric, there's no other way at this, at the current, in the current situation to do and current currently to do identification, but this is very much biometric on local devices and we're already using on a daily basis. Every time you like turn on your phone, you're using biometric, right? You're using fingerprint. So there's the reality of that. These people need these services, they need financial services and they can't get it without, without being able to have an identity. And they don't have passports.
They don't have social security numbers, they don't even have national IDs. So I think it's, you know, we have to face the reality of the situation and, and I, I think that's really important to, as we sort of work together as a technological community towards achieving these services, identity services.
Yeah, no, I, I just want to emphasize this. And so as someone who worked in the development space for so many years, I can totally agree with that, but I can also disagree with it now, I think at the beginning of it, and I had the privilege or the responsibility to, to be there early, when we were talking about digital ID for development and encouraging countries like India and others on their journey. I think we did not think long term enough. I think as development experts, we of course wanted to alleviate poverty. That was our mission.
Number one, as a development agency and provide services and prevent hunger and, and maybe actual deaths of maternal deaths, children, deaths whose birth were not registered. So they could not access immunization, et cetera.
I mean, all of that holds true, but I think more than five years now down the road, we need to start thinking long term as a global community and think, okay, is there a system that technology allows us to build today that will help us prevent damages? That, that our system, for example, is starting to cause and exhibiting these flows, design flows that today we, we, we can no longer encourage, at least that's what I think. Yeah. I agree. I think for us, it's like we get often the question like, Hey, well refugees. And so I personally like what we are doing is still so early.
I think we should test it with us first, before we go to the most population. So I think there's a lot of things we need to learn about privacy and like many other aspects.
But yeah, I think that's as an additional comment, I think we go from one extreme to the other. When we talk about refugees and, and people like, you know, in, in the developed world, there's a lot of people in between that aren't getting, even in their, they're not refugees and they're not getting financial services because they don't have this. They don't have an iden identification. They don't have IDs, they don't have passports.
So these, this is what like sort of an emerging financial services are trying to deal with is that these populations, and one of the things that as provided financial service to these, these populations is mobile, mobile technology, mobile money. So using the phone, using your phone, your local device, as it means, if identification is as, as long as it's secure is can provide so much to these populations to delay that sort of implementation. Cuz we're worried about security I think is, is, is problematic.
I think we need, but obviously there's technology being developed that can, that goes beyond biometrics is zero knowledge, proof technology, which could potentially used in authentication and identification. So we could talk about this for ours, but I, a point you brought up, which is really important, I believe. And I wanted to ask when we, especially when we talk about biometrics device based was a server based biometrics to device, which I'm a, I'm, I'm a fan of, but the point that was made to me, very starkly was biometrics.
When device doesn't prove the person, it proves the device because if I can add somebody else's fingerprint to my device, then that person can pose as me and I have no way as a service provider of knowing that. So when we, I think collectively us in the room cannot imagine our device ever being out of our possession. And therefore we all feel like if I'm trusting the device, that's good enough.
But when we start talking about refugee populations, populations where power imbalances exist and I've had this conversation with exactly the kind of you're talking to where we made, we make assumptions all the time. And the point that was brought to me was how do you know that that person isn't being forced at gunpoint to register somebody else's fingerprint or there's power imbalances that are, you know, corrupting the system and, and that becomes sort of the search for perfect becomes the obstacle to actually getting anything done.
So the question that I always come back to is how do we figure out a solution that can scale and grade and adapt according to different use cases? Cause we always get into the black and white solution of either do one way or the other way. So yeah.
So I agree with the sentiment that, you know, perfect is the enemy of the good and very often, especially in the technology world, you wanna design this solution that encompasses every possible scenario and that prevents you from, you know, moving, I think in identity in particular, there's this conflation and confusion between multiple separate concepts that when tied together makes it a kind of a rats nest. So there is a, you know, I think the fundamental thing is the fundamental a, as it were, is this idea of a unique identifier, which you can associate with a person. Okay.
Now that identify does not, does not need to be a secret. Okay.
In fact, it's better if it's not a secret, but just needs to be something that uniquely identify someone. Okay. And so its purpose is mostly to detect duplications is that thing being used multiple times, but also to establish existence, you know, this person was born, this person has access to these kind of services next above that is this idea of verification.
Now, how do you verify that your identity is associated with that identifier? That's one, this one question. And the second is how do you verify that that identity has the rights to do certain actions okay. Which are two separate things. Okay. Access to capability and, and, and ownership of identity establishing those things. Okay. The third concept is, do you want to do this in a way, which is centralized or distributed?
Again, part of the conversation we're having today is around what a mechanism by which you can make it distributed. Okay. So centralized historically centralized was kind of your only option. If you go back to the thing I was saying about social security number, that's kind of a delayed identity mechanism. You give somebody a number you can make up a number, you know, and typically it was like a week later or month later, they said, Hey, wait a second. That number is, is bogus. So there's this kind of this implied, you know?
And so the scenarios where you could use that mechanism were limited. The, there were scenarios that were tolerance of delayed identification, like for example, tax purposes or employment verification. But once you end up with a central repository that creates a whole host of other issues, okay. In basically every implementation of a central repository identity, the first thing that happens is, is abuse and corruption. Okay. And even if you have benign, you know, goals and good goals, it becomes a fantastic target for compromise. Okay. It doesn't mean it's you can't achieve your goals.
It just means that it has a huge number of liabilities. And it's only now that we have technology that that is capable of making these verification systems distributed, which is where mobile and blockchain and all that you know comes in. Okay. And so the reason why there's so much interest around the combination of mobility and blockchain is you can now finally have identity that can be dis that can be verified in a distributed setting without a central depository.
Now all these things compose, but I think in general, we do ourselves a massive disservice in talking about all this stuff together without like separating out what these concepts are. Sorry, just add on, on, in particular, the question I think today we have, this is you can add a fingerprint on, I think there are multiple things happening at the moment at the same time, like face ad doesn't allow you anymore to have multiple faces. So there's a few things where people are working on biometrics, like sorry, behavior biometrics.
So I think there's a lot of work at the moment happening to secure the one individual to the device. I think the second thing, what we see already now that I know a few years ago, you might have given your little brother your ID card to go to a bar.
Now, I don't know how often you give your little brother the phone with your pin to go somewhere for the evening. And I think by, by doing something which is more valuable for the individual, he's not anymore, or they, that person will not be anymore as comfortable to just give access to everybody. And in terms of like a gun at your, at your head to do something, we have systems today pretty much in place of like notarized notarization of like, oh, you wanna sell your house? You cannot just click one button and your house is sold. So you go and have a third party doing.
And I think that we are replicating the same concepts, but we make it way more efficient. And I think that will alleviate some of the concerns. If I may, I, I totally agree that technology itself will not solve the problem. We still need humans at work and processes to be revised. One question though, that popped up in my head when you were talking about the multiple sources of identity and the way we try today to combine and federate everything and, and try to have a unique identity, which is pretty much what India tried to do.
So the question, of course now in the hint side, we can look and say, Hey, they were design flows, but that was also a little bit the thinking back in time to, to streamline processes and, and gain more efficiency. So I dunno what the panel thinks in terms of, you know, going forward. And is there really a need to have everything in one place and just one way to identify a person? Yes. Yeah.
I think that it's important for us to recognize that technology should probably just be forgotten altogether in these things cuz so many of these systems are about how do we, I mean, this, this idea of whether it's a paired key or you know, a hash that is really this in a way stuff that is replicating things we've been doing for thousands of years anyway. So I agree with you Maria, as much as I'd like to get into fist fight, if you're on the panel.
I, I think what you're saying is totally sensible. Let's recognize that the technology is introduced because it's the technology allowed us to basically almost like a mist spray our identities across the planet via things like Facebook and then Cambridge Analytica allows some of that stuff to that aerosol to be liquidated a bit. And then suddenly we're like, oh, that wasn't supposed to happen the way that I thought. So now we're confronted with the technology that has to address the problem that the technology introduced. So blockchain's handy.
However, I think as we all know, as something that is as dramatically public, as that, as it rubs in the face of things that, that like privacy we wanna retain, it seems to me as though education is what's most important. I watch Facebook. Like it's an oligopoly, it's like this Neo feudal empire, that's moving into Africa and saying, Hey, we'll give you free internet. If you use Facebook. That to me looks like the kind of thing that we need to be protecting against because suddenly all of those, people's all of their identity and all their data gets sucked up into that system.
And so therefore we have to educate so that, that way we can, can handle the knives that we've built, if that Makes. So let's take let's let's take one, one more question from the audience in one quick answer and then, then we gotta move on. Really eager too. Yeah. Short question, Raj. Okay. Short answer. A couple of quick clarifications with iOS 12 apple does allow you to actually enroll two phases.
And so to NATS question, I think the issue isn't with client side biometrics, particularly put with the biometric security model that someone chooses to implement from a security perspective, as long as there is signaling associated with which template is being used for online authentication, you can resolve that particular issue of coercion. And I think I'll point you back to the sex case CD cartoon, which is the crypto nerd imagination of I'm gonna, you know, build a $2 trillion computer to crack this 40 96 with RSA code.
When you could just truck, the guy and use a $5 wrench attack to, to co you know, technology is not the answer to all of these things. Sometimes there have to be if the potential for caution is, is possible, then there are other measures that have to be taken beyond what technology can supply. I think the biometric models that are available and can be implemented are good enough. They have not made it out. The manufacturers right now have chosen to, to implement convenience over pure security model, but it is possible to get there with good security models. Great. Thank you.
I, my view is that ultimately, okay, technology can't solve all these issues, but technology is part of the problem that has made the world more dangerous. So in the internet of things in all this data online and technology is gonna be part of the solution. It's part of solving the problem.
So, and that's why, but it has to be from the user side. It has to be user-centric because right.
You know, that, that is the standard that we should try to work towards is this user-centric user controlled identity and identity data. And that there's also a huge, another issue. Economic issue is huge economic gaps between, you know, the developed and developing world. And these people are still gonna have not gonna have services while we debate what technology to use and, and delay. If we delaying implementation of various technologies, they already have mobile phones. They already have fingerprint scanners on their phones. They're they're out there.
So that's, this is one platform that can actually bring services. I mean like mobile financial service services to many, many, Many people. Okay. So I'll give you a quick question and one quick answer and then the next guy has to go up. Speaker 10 00:32:48 All right. This is not a quick question.
So, but yeah, I know. Right. Okay.
So I, I feel like we're talking at two levels, right? At one level, it's like, how many faces can we fit in face, face ID at the other level, you've got governments who have, you know, hundreds of thousands of refugees at their door who are literally have no other thing, except that they're they're bags of bones and meat, like all the rest of us. Why is it that it has to be all or nothing? So if you do have to use a biometric to de de-duplicate all the bags of meat right, then, then why does it also have to be the authentication me mechanism?
Why does it also have to be how they get to their rations of grain? Like do those things have to be coupled or not? Thanks for the rhetorical question.
No, I think it's a great question. In fact, I think that's the biggest challenge. The development agencies are struggling right now and they are turning to blockchain for some answers, right? The risk of not, I'm not saying overthinking it, but at least thinking through and not going with the fat is that these people have less understanding than us, the tech community about the risks and implications and all they want is just to eat, right? So they are ready to give out the Iris scans and fingerprints and everything, and they are Syrian refugees.
And that database is sitting with a UN agency that is poorly managed most of the time, not all the time, but look at the Rohingya refugees example, right? If that database central database that was compromised already, by the way, would fall into the wrong hands of those who are actually persecuting the Rohingya.
And, and this is already happening. The government got hold of some of that data. Then you run into issues of ethnic cleaning. You wanted to do your best and provide food and shelter for these people. And eventually you cause more harm than good.
That's why I think as someone who worked in, in a development agency for more than 10 years, and I continue working with the UN right now is to try to get them to speed as much as possible, both on the opportunities and the fashion words and everything fancy that's happening in the Silicon valley, but also the risks and the challenges that I think sometimes can get overlooked. And we need more awareness and we need more support for these agencies who are on the front lines to be more agile and more aware. That's My take. Yeah. Great.
Well, thank you. We're eight minutes over. So thanks to the panel.
