Digital Identity Management and Ethereum
Asserting one’s identity has always been challenging, but doing so in the digital world has proved to be extremely difficult. So, the question becomes: How do we handle digital identity in the world of Ethereum?
Before you can manage your digital identity, you need to understand the process. The process of asserting an identity is fairly simple, but executing it well is the problem. Some entity, normally a person, submits a claim to be the owner of an identity by providing a unique identifier for the identity. In simple applications, you type your username to claim to be a certain user. This is called the identification step.
But you can’t just provide any identity. You have to prove that you own that identity by providing additional information. In other words, you have to make additional claims against the identity. The most common way to do this in many applications is to provide a password. This is the authentication step. You are asking the application to authenticate that you are who you claim to be.
The application then compares the information you provided (password) with stored information to see whether you provided the correct password. If the password matches, the authentication system accepts your claim that you own the identity and authorizes you to access the application.
More secure applications use techniques other than, or in addition to, passwords, such as smart cards, tokens, or biometrics. Regardless of the techniques used, a trusted authority has to intervene to determine whether an identity claim is valid.
Ethereum apps provide a unique opportunity to help manage identities. Each Ethereum user account has a unique address and is associated with a unique pair of keys. These keys allow the owner to access any blockchain resources associated with the account. A unique identity can be one of the resources associated with an account and is identified by the account’s address.
Establishing an identity would require some interaction with a governing authority to verify that you are, in the physical world, who you claim to be. This step is similar to providing a picture ID and is necessary to keep people from creating multiple false IDs. After you establish an identity, you can make additional claims against that identity and provide additional information, such as name, address, and biometric information.
These claims are stored as part of your identity and provide authentication in much the same way that passwords do. But using Ethereum is far safer. You don’t have to trust any entity to protect your private information, and only you can access your blockchain data because you control the keys.
Managing digital identities as individuals and devices
Identities don’t have to be limited to people. Each Ethereum account can represent an identity, and that identity can refer to a device. If you’re wondering why your toaster needs an identity, think of all the smart devices on the market today. If you have the budget, it isn’t hard to have your house lights, refrigerator, stove, heating, air conditioner, entertainment center, and many other electronic devices on your home network. Getting all these devices to talk to one another and play nice can be challenging.
Giving each device a unique identity is a great first step. Just like people, devices have attributes that describe their state. Devices have names, functional categories, locations, and permissions.
As a simple example, your printer could detect that it needs more ink and automatically order more. The printer’s identity would be robust enough to tell the vendor where to send the ink and how the order will be paid. A real person would have to install the ink cartridges, but that might be changing as well.
The explosion of Internet-connected devices, called the Internet of Things (IoT), has raised many questions about securing and managing these devices. Although no comprehensive solution exists, proposing a straightforward way to manage these devices as individuals is a good start. And as IoT devices become more autonomous, having a verifiable identity allows them to operate with minimal oversight or human interaction.
Reducing fraud and identity theft in a world of digital identities
Ethereum solutions for managing digital identity can help dramatically reduce fraud and identity theft. The offline world has a few globally accepted identification standards. Most people have a driver’s license and many have a passport. These two forms of ID are issued by government agencies and are accepted as proof of identity in most situations.
However, these forms of ID do not have a digital counterpart. If an Ethereum standard for identity management were to be globally accepted, you would be able to present your digital identity upon demand. Having your identification information stored in a blockchain is much more secure. You are the only one who has access to your identification attributes because you control your own keys. You wouldn’t have to re-enter identification information and create a separate user account for every website and remote system you access.
In addition to the reduction in data duplication, any changes to your identity claims would be stored in an immutable block. That makes it virtually impossible to use someone else’s identity without leaving a clear audit trail leading right to the attacker.
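The audit-trail property described above, reduced to a hash-chained log of claim changes, as an added example that is not code from the original article. The field names, the in-memory list, and the placeholder addresses are assumptions of this sketch; a real blockchain additionally relies on signed transactions and network consensus so that nobody can rewrite the whole chain.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed marker for "no previous entry"

def entry_hash(entry):
    """Hash every field of an entry except its own stored hash."""
    body = {k: entry[k] for k in ("prev", "address", "claim", "value")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log, address, claim, value):
    """Record a claim change, committing to the previous entry's hash."""
    entry = {"prev": log[-1]["hash"] if log else GENESIS,
             "address": address, "claim": claim, "value": value}
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry

def first_broken(log):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(entry):
            return i
        prev = entry["hash"]
    return None

def history(log, claim):
    """Audit trail for one claim: which address set which value, in order."""
    return [(e["address"], e["value"]) for e in log if e["claim"] == claim]
```

Editing an old entry is detected at that entry; recomputing its hash to cover the edit only moves the break to the next entry, whose `prev` no longer matches.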
Examining the ERC-725 standard and how it affects digital identities
Fabian Vogelsteller, the creator of the ERC-20 Ethereum token standard, has proposed ERC-725, an Ethereum identity standard. ERC-725 is a smart contract interface that specifies how to define, configure, and use identities in Ethereum. Developers can implement the interface in their own smart contracts to manage digital identities in Ethereum.
Defining the standard as a smart contract interface allows competing implementations to share the same core functionality and ultimately be compatible with one another. Therefore, an ERC-725 identity should be usable in a wide range of applications.
ERC-725 isn’t the only effort to standardize digital identity management in Ethereum. The uPort initiative defines multiple simple layers, as opposed to the monolithic approach embraced in ERC-725. The developers of uPort state that their protocol is more granular and easier to customize due to its layered functional approach. The layered approach makes it easier to customize specific aspects of the uPort implementation to suit an organization’s specific needs.