SecurityWeek

Application Security

IBM and SecureKey Announce Blockchain-Based Identity Verification

The blockchain promise took a step closer to fruition today with IBM and SecureKey making a joint announcement of a blockchain-based digital identity network.

Built on the Linux Foundation’s open source Hyperledger Fabric v1.0 and the IBM Blockchain service, a new digital identity and attribute sharing network will go live in Canada later in 2017.

SecureKey Technologies is a Toronto-based identity and authentication provider. It had already decided that it didn’t want to use a central broker-based system to hold identities, because that would be a huge target for hackers. Nor did it want to be in the position of handing out too much personal data to everyone who demanded it. 

“Right now, I would argue a driver’s license shares too much,” explains Greg Wolfond, founder and CEO of SecureKey. “A girl goes to a bar, and she has to share her name, address and weight with the bouncer. That’s crazy. All he needs to know is that she’s over 21. How to make this work electronically we couldn’t solve well until we saw it on Hyperledger.”

The new service, currently consumer-centric, will work with the trust people have in their bank. It will start in Canada, but both IBM and SecureKey intend to take it global. Leading Canadian banks, including BMO, CIBC, Desjardins, RBC, Scotiabank and TD, joined the digital identity ecosystem in October, 2016, and collectively invested $27M in SecureKey.

The result is a bank-verified identity that can be used via a mobile app provided by the bank. Users will be able to control which identifying information from the trusted credentials stored on the blockchain they share with the organizations of their choice, and those organizations will be able to quickly validate the user’s identity to arrange new services. For example, once the users have proven their identity with their bank and a credit agency, they can grant permission to share only specified data with a utility to create a new account.

“What IBM is building with SecureKey and members of the digital identity ecosystem in Canada, including major banks, telecom companies and government agencies, will help tackle the toughest challenges surrounding identity,” said Marie Wieck, general manager, IBM Blockchain. “This method is an entirely different approach to identity verification, and together with SecureKey, we have a head start on putting it on the blockchain. This is a prime example of the type of innovation permissioned blockchain networks can accelerate.”

Personal data is one of the most highly regulated areas of computing. European laws, which will apply to European data regardless of the nationality of the data-holding organization, have two particularly difficult concepts: firstly, that only the required amount of personal data is held, and secondly, that users have a right to have that data removed.

The ability to provide only the required data for identification in each different circumstance goes a long way to satisfy the first problem. The second is, under normal circumstances, more difficult. The blockchain was originally designed to be immutable, with the effect that Europe’s ‘right-to-be-forgotten’ could not be applied. 

IBM claims to have solved this problem. Jerry Cuomo, IBM’s vice-president of blockchain technologies, said that the company has done so while still adhering to blockchain immutability. “We do have a patent pending, so I don’t want to go into too much detail,” he said. “But we solved it without deleting from the blockchain, which is pretty cool.”

The system solves some, but not all, of the identity problems described and solved by the Global Identity Foundation’s Identity 3 project. The big advantage is that it provides only the necessary elements of personal identity to prove personal identity in each instance. This is similar to Identity 3. Where it differs, however, is that the totality of the personal data is still under the control of a single organization. A basic principle of Identity 3 is ‘anonymity at the root of identity’; and this clashes with the concept of bank-based verification. 

It also ultimately limits the global potential of the system: individual governments will still be able to access the data. This will be of limited importance to most users where it is their own government able to access their data; but (unless solved) would prevent the expansion of the system across national borders. To expand globally, IBM and SecureKey may be forced to offer localized versions in different countries. 

Identity 3’s anonymity at the root of identity split across multiple verifiers solves this issue. At a technical level, Chinese Identity 3 identities could be trusted within the US, and American Identity 3 identities could be trusted in China. This is unlikely to happen with a Canada-based blockchain system.

Despite these limitations, the SecureKey IBM Blockchain solution offers huge potential. For the moment it is described as a ‘consumer’ solution. Over time we can expect it to expand. “You have to solve for individual identity first but then it is very applicable to businesses,” Wolfond told SecurityWeek. “We are already engaging in a few projects to bring business use to life.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
