Posted by Larry Hamid
I have been asked how Bluink’s eID-Me differs from other “crypto” identity projects, specifically ones that are based on blockchain. Without knowing the precise details on how some of these emerging blockchain identity systems are (or will be) implemented, this post will look at high-level differences and similarities without trying to debate pros and cons.
eID-Me is not based on blockchain or, more generally, distributed ledger technology. Instead, eID-Me uses standards-based digital certificates to convey verifiable identity information. This implies one significant difference from blockchain: eID-Me issued identities are digitally signed by an authority (e.g., the Ontario Government). Blockchain, by definition, requires no authority for an entity to exist on the ledger. Instead, it’s decentralized consensus that enables the blockchain to be valid and trusted. That being said, one should not confuse trusting the identity record with trusting the actual identity and what it represents (more on this later).
Identities that exist on the blockchain ledger are both decentralized and immutable (immutable means that they cannot be forged or altered). This follows directly from the fundamental properties of blockchain. eID-Me identities are also decentralized and immutable (excluding self-managed claims). There is no central database or ledger of eID-Me identities. Instead, an eID-Me identity is carried and secured on the owner’s smartphone. The immutability of an eID-Me identity stems from the fact that the private key used to sign the identity certificate is contained in tamper-proof hardware security modules and any attempt to alter the certificate or the information it references will invalidate the digital signature.
Another basic similarity between eID-Me and blockchain identity is that transactions are based on public key cryptography and require digital signatures using a private key that is only in the possession of the user. If a transaction is to end up on the blockchain, then there is the extra step of engaging miners to perform “proof of work”. For privacy reasons, eID-Me has no ledger or centralized transaction history. In the eID-Me ecosystem, it’s up to the Relying Party to retain transaction history for their own service if they need to do so. While transactions might be recorded on blockchain, privacy can be achieved by utilizing hashes instead of storing any plaintext details.
Now let’s dig a bit more into the topic of trusted identities. eID-Me has both issued and self-managed identity claims. Issued identity claims are pieces of information about you that have been verified by an authority (e.g., the Ontario Government). These would include your name, date of birth, social insurance number, driver’s licence, and so on. These claims are bound (not in clear text for privacy reasons) to the eID-Me identity certificate so their values can be verified and cannot be altered. On the other hand, self-managed claims are items that the user determines and self-asserts. These can include email addresses, usernames, credit card numbers, etc. Self-managed claims are not bound to the eID-Me identity certificate and they may or may not be truthful, but you can still verify that they came from the user by verifying the transaction signature. Some applications with KYC (Know Your Customer) requirements require a trusted identity with a high degree of identity proofing, and this is where the issued eID-Me identity claims matter.
One of the tenets of the blockchain model is that there is inherent trust in the ledger without any need for a central authority. Thus the integrity of an identity on the blockchain can be verified simply because it exists on the blockchain. But can you trust such an identity for a particular transaction? After all, it may solely consist of claims that the owner made up. More is needed for a blockchain identity to be useful in higher value transactions. Indeed, many of the blockchain identity schemes add proof that the identity claims have been vouched for by a third party. In other words, if you want to use a blockchain identity for anything of value, you will still need to trust some authority, and possibly many.
Another area where eID-Me and blockchain differ is in the method of payment and the way the ecosystem works. The cost of issuing an eID-Me identity will likely be paid for by credit card upon successful completion of the registration process. The costs beyond registration are really up to the service providers, but we anticipate that most transactions will be free since they will mainly consist of online logins or age verification. In contrast, obtaining a blockchain identity will most certainly be paid for by a crypto asset (a cryptocurrency of some kind), and it’s unclear what kind of exchange of crypto assets will be required to use a blockchain identity. Much depends on the ecosystem and the kind of marketplace that blockchain identities create or enable. For sure, if a transaction ends up on the blockchain, there is a real (and increasing) cost in terms of the electricity needed to perform the “proof of work”.
One area where it’s unclear how a blockchain identity can be used is in offline or face-to-face transactions. Using blockchain technology either requires accessing the ledger (even a local copy) or leveraging the decentralized services and applications that can perform your transaction. In contrast, an eID-Me identity transaction can occur directly between a user’s smartphone and a system, both of which can be completely offline. For example, at a point-of-sale system in a store, your age of majority and photograph can be confirmed via a local eID-Me identity transaction to allow you to purchase alcohol. In another example, you can transfer medical information in your eID-Me identity directly from your smartphone to a check-in system at a medical clinic. In both cases, the system can cryptographically verify that you own the claims and that your issued claims are trusted. I’m not saying it isn’t possible, but I have yet to see how such lightweight and offline scenarios would be addressed with blockchain identity.
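The offline check in the two scenarios above, together with the issued versus self-managed distinction made earlier, can be sketched from the relying party's side. This is an added illustration, not Bluink's code or the eID-Me protocol: the certificate layout, the salted-hash binding of claims, the relying-party nonce and every name and value below are assumptions constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Cert struct { // simplified stand-in for an identity certificate, not X.509
	Holder  ed25519.PublicKey
	Commits [][32]byte // assumed binding: SHA-256 over (name, salt, value)
	Sig     []byte     // issuer signature over signed()
}
type Presentation struct { // what the phone hands to the relying party
	Cert              Cert
	Name, Value, Salt string // one disclosed issued claim
	Email             string // self-managed claim, not bound to the cert
	Sig               []byte // holder signature over txBytes()
}
func commit(name, salt, value string) [32]byte {
	return sha256.Sum256(fmt.Appendf(nil, "%q%q%q", name, salt, value))
}
func (c Cert) signed() []byte { return fmt.Appendf(nil, "%x%x", c.Holder, c.Commits) }
func txBytes(p Presentation, nonce []byte) []byte {
	return fmt.Appendf(nil, "%x|%q=%q|%q", nonce, p.Name, p.Value, p.Email)
}
// Verify runs offline: the relying party needs only the issuer's public key.
func Verify(issuer ed25519.PublicKey, p Presentation, nonce []byte) error {
	if len(p.Cert.Holder) != ed25519.PublicKeySize || !ed25519.Verify(issuer, p.Cert.signed(), p.Cert.Sig) {
		return fmt.Errorf("certificate not signed by trusted issuer")
	}
	if !ed25519.Verify(p.Cert.Holder, txBytes(p, nonce), p.Sig) {
		return fmt.Errorf("transaction not signed by certificate holder")
	}
	for _, h := range p.Cert.Commits {
		if h == commit(p.Name, p.Salt, p.Value) {
			return nil // disclosed value is bound to the issued certificate
		}
	}
	return fmt.Errorf("disclosed value does not match any issued claim")
}
func main() { // constructed demo data: issuer key, holder key, one age claim
	ipub, ipriv, _ := ed25519.GenerateKey(nil)
	hpub, hpriv, _ := ed25519.GenerateKey(nil)
	c := Cert{Holder: hpub, Commits: [][32]byte{commit("age_over_19", "s1", "true")}}
	c.Sig = ed25519.Sign(ipriv, c.signed())
	p := Presentation{Cert: c, Name: "age_over_19", Value: "true", Salt: "s1", Email: "me@example.com"}
	p.Sig = ed25519.Sign(hpriv, txBytes(p, []byte("n1")))
	fmt.Println(Verify(ipub, p, []byte("n1")), Verify(ipub, p, []byte("n2")))
}
```

In the demo the first call succeeds and the second fails because the holder's signature was made over a different nonce. The self-managed email is only covered by the holder's signature, so the relying party learns who asserted it, not whether it is true.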
On a final note, it’s worth mentioning that it’s still early days for blockchain identity. It’s emerging technology with an ecosystem that is very much in a state of flux and early adoption. As a result, it’s difficult to assess how well a blockchain identity addresses the problems that digital identities are facing today. On the other hand, eID-Me is founded on protocols and industry standards that have been around for years. Bluink has decades of experience in identity and authentication technologies and we know that the capabilities of a smartphone (cryptography, biometrics, connectivity, and rich user interface) can be brought together to create a secure digital identity that outperforms any previous solution in terms of interoperability, privacy, and convenience.