It is easy to argue that the Internet and Information Technologies are home to most of the technological innovations of the 21st century. Medicine, physics, transportation, energy: all fields have seen huge advances, but nothing comparable to IT in a single century. But "With great power comes great responsibility". Are we taking that responsibility?
In the 90s the Internet was that thing you dialed into with a modem, maybe using a web browser. The main use was to see what others had created; nowadays we call that Web 1.0.
You did not need a username/password login for anything; there was little to no e-commerce, websites were just windows to the physical stores, and purchases were handled manually even if you sent them through the site (usually by email). Then the era of Internet services came and "register" was everywhere: you had to remember lots of different logins and passwords (remember not to re-use them) for each online service you wanted to access.
And then a quiet tsunami of global identity platforms
Yahoo, Google, Facebook, Apple, Microsoft… they were so big that they became the Identity Providers for everyone. At a cost.
Taking "Login with Facebook" as an example (it was in the news for the October 2021 outage), we can see in their documentation that the price of the global ID is the user's data. No privacy for the user, but the user got the benefit of not having to remember all that login data: a single identifier and password would work for everything.
What about security?
Security started as a password, then longer passwords and more complex passwords. Sometimes so complex you had to write them on a Post-it (!).
Then MFA methods came, the extra mile for security: a one-time password (OTP) generator key, a text message to your phone, or a USB key. Authenticator applications on your phone are simply more advanced versions of these. This is complementary to your user/password.
Apple, Google and Microsoft have something to say
They are supporting a new passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium; essentially they are willing to expand the "unlock with smartphone" experience to the web. Not a bad idea, really, and we will have to see whether the implications of that technology differ from "login with XXX" in terms of privacy.
Wait, isn't there any "Blockchain to the rescue" option here?
Of course there are, several of them to be honest. But I wouldn't happily summarize all of them as just "Blockchain".
On one hand we have SIWE, the Sign-In With Ethereum effort. The summary line of EIP-4361 (an EIP is a proposal to enhance Ethereum capabilities) says "Standardizes off-chain authentication for Ethereum accounts to establish sessions". It may seem contradictory to use "off-chain" and "Ethereum" in the same sentence.
Here "Ethereum" does not refer to the Blockchain network but to the account: the private key you hold, the public key that will identify you, and the message you'll be asked to sign as proof of possession. It is, indeed, a cryptographic application built on top of what may become the next "account" standard. And it does not require prior registration or centralized management. We can call it a Decentralized Identity Provider: your Ethereum account will be your only account for everything.
The (still in-progress) standard can be found here and, albeit technical, it is interesting reading.
The way it works is quite simple: when you want to log in to a service, that site creates a message as a challenge, you sign it with your Ethereum wallet and send it back to the service. If you were registered previously you get access; if not, the service provider may ask you for some information in order to provide the service, like a credit card number for charges or proof of age where required.
Closing the loop would be sending that information to the service provider in the form of W3C Verifiable Credentials, and that is where SSI (Self-Sovereign Identity) comes into the scene.
SSI is a bigger word
Of course, and it is not required for the login, but it helps a lot if you are talking about Digital Identity.
The core of SSI is the ability of users to control their data. The user becomes their own data hub, deciding which pieces are shared, with whom, for what purpose, and when the sharing ends.
In Europe, GDPR is very strict about this. Blockchain is a technology enabler for it. Obviously, because of the immutable nature of Blockchain networks, user data won't be stored there, but the activity may be (provided anonymity is guaranteed), and for sure the revocations: when a user requests that a company stop using some of their data.
Blockchain technologies are also useful for verifying information. Something issued to a user and shared with a service provider has to be verified. PKI could be used, but Blockchain networks, thanks to smart contracts, work better for sharing the public keys that can verify a signed VC (that's why it is called a Verifiable Credential).
Are there any SSI standards?
Indeed yes. Again in Europe, there are some government-backed Blockchain initiatives: the European Blockchain Services Infrastructure (EBSI), the European Self-Sovereign Identity Framework (eSSIF) and the recently released eIDAS framework (electronic IDentification, Authentication and trust Services). This eIDAS 2 framework details all the capabilities that an Identity Wallet should have. Such a broad effort (in terms of the number of beneficiary citizens and capabilities) is so ambitious that it will probably become a de facto standard, if other countries follow.
What are the benefits of using SSI?
Apart from the core of SSI (controlling your data), there are other benefits to using a Blockchain (and advanced cryptography) capable wallet.
- Login: as opposed to user/password + MFA or the FIDO Alliance solution, there's the possibility of SIWE or a similar kind of login. A wallet (typically on a smartphone) would sign a login challenge. Moreover, the login could be anonymous and the wallet won't leak any personal information.
- Browsing security: in the same way we can use smart contracts to store the public keys of VC issuers, similar smart contracts could be used to store the certificates/public keys of websites. A user could check those and request from the site a signature over a verification message, so they could be completely sure that the site they are visiting is authentic.
This suggested browsing security is performed using QWACs (Qualified Web Authentication Certificates), which have raised a significant amount of concern from major web browser vendors, led by the Mozilla manifesto. They argue that the current system works and the changes are quite challenging. But maybe they forget that QWACs would release the world from the grip they have on root certificates.
- Document signature: as well as signing login challenges, a user could sign a document with the same validity as a handwritten signature; the only restriction is the need for a proof of identity to establish a relationship between the national ID and the digital ID, if needed.
Closing the loop with Web 3.0
It is said that Web 3.0 is the web that the user owns. One of its applications is the Metaverse (or different metaverses), but also NFT trading (tightly linked to the Metaverse), DeFi, and the seed for decentralization in the future. All of them will benefit from, or better said, will require, the security and traceability features of Blockchain technologies.
Do you remember all those DeFi attacks that stole so many millions? They cannot be prevented, just as bugs in software cannot be prevented. But they can be mitigated, and this has already been done using blacklists at major exchanges all over the world. That means that the crypto money an attacker steals ends up stored in some accounts. We may not know who the owner of the account is, but the exchanges can prevent that crypto from becoming fiat money (aka real-world money). Or service providers could block any payment from that blacklist, therefore making the theft useless.
Again we get to the point where your Blockchain network account could be your only account for everything.
Wait, for everything?
That sounds a bit scary. What if I lose it? Or my mobile phone is stolen while unlocked?
Do not worry, Blockchain and its associated technologies could solve it. If your device is stolen, locking your account is as easy as taking your recovery passphrase, using a different device, and locking the previously generated account. That is done by registering the compromised account as "revoked" in a smart contract.
Will you be locked out of all your services? No.
The lock happens at account level: you are recording in the Blockchain network that your current account was compromised. Anyone giving you a service should check that revocation list as the first step of the service.
And you can generate a new account under your control and tell the service providers your new account, without any extra effort, as the new account would come under a master account and you can prove that you own both. HD Wallets (Hierarchical Deterministic Wallets) were designed with a strong cryptographic base that offers both security and control.
In the end, all these Blockchain technologies are working towards your safety and privacy, looking to make life easier for you. Good times are coming.
Santander Global T&O is a global company of Santander Group with more than 3,000 employees and based in Madrid, we work to make Santander an open platform for financial services.