In case you hadn’t noticed, identity management is broken.
We have been looking for ways to prove that we are who we say we are quickly and safely for years, and it isn’t working. It’s one problem that the Cupertino, California-based blockchain technology startup ShoCard is hoping to solve.
Passwords are toxic, and two-factor authentication is a cumbersome bandage that doesn’t solve the underlying problem: Once we hand over our sensitive data to a third party, we no longer control it.
Some of the most prominent breaches in recent times show why that’s so dangerous. The 2015 attack on the Office of Personnel Management (OPM) saw thieves steal the intimate personal details of 21.5 million Americans. Last year’s Equifax hackers stole the personal information of nearly 150 million people — that’s half of the adult U.S. population. Among that data were peoples’ names, birthdates, home addresses, social security numbers and, in some cases, drivers’ license information. It was a disaster.
We rely on companies like this to store our data and then challenge us with it because there has been no way of proving ourselves without them. It’s an age-old system that worked in an analog world, but it is hopelessly inadequate in 2018. It just doesn’t scale.
Companies like Google and Facebook have tried to solve that problem by letting sites authenticate users using the accounts they have. But this method still leaves users lacking control and a breach of any of these larger companies can still compromise user’s identity at an even larger scale, pointed out ShoCard CEO Armin Ebrahimi.
“If your account at Facebook is locked down or compromised, then you lose that ID,” he said. “That's because the enterprise owns it.”
In any case, your local bank, traffic cop or bartender won’t take your Facebook ID as proof that you can withdraw cash, drive or buy a cocktail.
ShoCard offers an alternative: Use phones and decentralized networks instead. Instead of taking their chances with a company’s leaky servers, users can keep their data encrypted on their mobile devices. They can show portions of their identity to whoever needs it while keeping their data to themselves the rest of the time.
How can a third party be sure that the data on a user’s phone is legitimate? That’s where the blockchain comes in.
Individuals enter their credentials into the app, including everything from a scan of their drivers’ license to their passport and even their biometric data. Others can add data too with their permission, such as the digital equivalent of an airline boarding pass. The app then hashes these credentials and digitally signs them using the individual’s private keys and stores a digital fingerprint of the data (rather than the personal data itself) on the blockchain.
When third parties want to authenticate a user, they request the data, along with a code and the user’s public key from the ShoCard app. They then verify it against the digital certificate on the blockchain to prove that the user owns it.
Low-friction interactions are essential, said Ebrahimi. Online services can display a barcode for the user to scan from a website. Proximity services such as an airport gate could have a Bluetooth device handy to connect with the user’s phone, or an app that can scan data from it. He envisions a time when users can authenticate themselves to enter an airport lounge without breaking stride.
Ebrahimi highlighted another benefit for users. They only give a third party the data that it needs from them. The bank might get their name and address. The airline gate might just get a name and passport number. The local bartender just finds out their age.
While users get convenience, Ebrahimi expects that third parties will enjoy lower fraud rates and customer interaction costs.
“Authentication is a very lengthy and expensive process, and very fraud-prone,” he pointed out.
Call centers authenticating users on the phone lose money for every minute they spend asking security questions such as a user’s birthdate and address.
“These are also facts that hackers can get hold of,” Ebrahimi added.
Using ShoCard, a call center agent would take the user’s account number and then ping the app to verify it against the hashed digest on the blockchain, ensuring that it isn’t fake.
Cracking the ID management problem is a tall order, but ShoCard is in a unique position. Ebrahimi has 30 years of experience in Silicon Valley, and the company already has $5.4 million in combined funding from AME Cloud Ventures, led by Yahoo! founder Jerry Yang, and Morado Ventures. In May, it hopes to raise another $20 million with its initial coin offering (ICO).