Security Experts:

IBM and SecureKey Announce Blockchain-Based Identity Verification

The blockchain promise took a step closer to fruition today with IBM and SecureKey making a joint announcement of a blockchain-based digital identity network.

Built on the Linux Foundation's open source Hyperledger Fabric v1.0 and the IBM Blockchain service, a new digital identity and attribute sharing network will go live in Canada later in 2017.

SecureKey Technologies is a Toronto-based identity and authentication provider. It had already decided that it didn't want to use a central broker-based system to hold identities, because that would be a huge target for hackers. Nor did it want to be in the position of handing out too much personal data to everyone who demanded it. 

"Right now, I would argue a driver's license shares too much," explains Greg Wolfond, founder and CEO of SecureKey. "A girl goes to a bar, and she has to share her name, address and weight with the bouncer. That's crazy. All he needs to know is that she's over 21. How to make this work electronically we couldn’t solve well until we saw it on Hyperledger."

The new service, currently consumer-centric, will work with the trust people have in their bank. It will start in Canada, but both IBM and SecureKey intend to take it global. Leading Canadian banks, including BMO, CIBC, Desjardins, RBC, Scotiabank and TD, joined the digital identity ecosystem in October, 2016, and collectively invested $27M in SecureKey.

The result is a bank-verified identity that can be used via a mobile app provided by the bank. Users will be able to control what identifying information they share from the blockchain stored trusted credentials to the organizations of their choice, and for those organizations to quickly validate the user's identity to arrange new services. For example, once the users have proven their identity with their bank and a credit agency, they can grant permission to share only specified data with a utility to create a new account.

"What IBM is building with SecureKey and members of the digital identity ecosystem in Canada, including major banks, telecom companies and government agencies, will help tackle the toughest challenges surrounding identity," said Marie Wieck, general manager, IBM Blockchain. "This method is an entirely different approach to identity verification, and together with SecureKey, we have a head start on putting it on the blockchain. This is a prime example of the type of innovation permissioned blockchain networks can accelerate."

Personal data is one of the most highly regulated areas of computing. European laws, which will apply to European data regardless of the nationality of the data-holding organization, have two particularly difficult concepts: firstly, that only the required amount of personal data is held, and secondly, that users have a right to have that data removed.

The ability to provide only the required data for identification in each different circumstance goes a long way to satisfy the first problem. The second is, under normal circumstances, more difficult. The blockchain was originally designed to be immutable, with the effect that Europe's 'right-to-be-forgotten' could not be applied. 

IBM claims to have solved this problem. Jerry Cuomo, IBM's vice-president of blockchain technologies, said that IBM has solved this problem while still adhering to Blockchain immutability. "We do have a patent pending, so I don't want to go into too much detail," he said. "But we solved it without deleting from the blockchain, which is pretty cool."

The system solves some, but not all, of the identity problems described and solved by the Global Identity Foundation's Identity 3 project. The big advantage is that it provides only the necessary elements of personal identity to prove personal identity in each instance. This is similar to Identity 3. Where it differs, however, is that the totality of the personal data is still under the control of a single organization. A basic principle of Identity 3 is 'anonymity at the root of identity'; and this clashes with the concept of bank-based verification. 

It also ultimately limits the global potential of the system: individual governments will still be able to access the data. This will be of limited importance to most users where it is their own government able to access their data; but (unless solved) would prevent the expansion of the system across national borders. To expand globally, IBM and SecureKey may be forced to offer localized versions in different countries. 

Identity 3's anonymity at the root of identity split across multiple verifiers solves this issue. At a technical level, Chinese Identity 3 identities could be trusted within the US, and American Identity 3 identities could be trusted in China. This is unlikely to happen with a Canada-based blockchain system.

Despite these limitations, the SecureKey IBM Blockchain solution offers huge potential. For the moment it is described as a 'consumer' solution. Over time we can expect it to expand. "You have to solve for individual identity first but then it is very applicable to businesses," Wolfond told SecurityWeek. "We are already engaging in a few projects to bring business use to life."

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.