Identity Management on a Blockchain? Definitely, Maybe.

September 12, 2017

For a recent TechCrunch article, Ron Miller posed a question to a number of identity management (IdM) experts, including Ping CEO Andre Durand. Ron asked, "Will identity move to the Blockchain in the next 5 years?"


To paraphrase their responses, Steve Wilson said something like, "It doesn't even make sense," while Ian Glazer's comment was more along the lines of, "It's just another arrow in the quiver." I think it's fair to say that the responses were less than a wholehearted endorsement. However, the exception was Jerry Cuomo, who seems very bullish on the value of distributed ledger technologies (DLTs) for IdM.


In an internal conversation at Ping on the subject, I argued:


The fundamental value proposition of DLTs like Blockchain is disintermediation (i.e., removing from participants engaged in transactions the dependence on a third party for the record keeping of those transactions). It's not immediately apparent how such disintermediation can be reconciled with application to identity, as so many identity use cases actually demand the participation of a third party--this actor asserting some attributes of the user (e.g., a government asserting citizenship, or an enterprise asserting employment). However, putting those assertions 'on' a DLT might provide privacy advantages compared to traditional web SSO through a different sort of disintermediation--that of deemphasizing the run-time participation of that third party in users accessing applications. Arguably a better fit for DLTs and identity is in the IoT space, where the different parties (e.g., manufacturer, customer, platform, etc.) that might be authoritative over different aspects of a device's data or lifecycle might benefit from a distributed trust model.


The Relevance of DLTs to Identity

This was essentially just an abstract (albeit a very wordy one) of the two blog posts in which I explored the relevance of DLTs to identity.


In the same email thread I mentioned above, my colleague Jeremy Miller expressed very well what seem to me to be the fundamental disconnects between DLTs and IdM:


Identity isn't like finance, where the records are the primary source of truth. The essential aspects of identity are rooted in our societal structures and relationships which are very dynamic and significantly personal. The most important aspects of our identity are also ultimately validated by other people: our driver's license, the HR department, or even by us when we confirm our email address or provide our social security number. People make mistakes and all identity management must allow for correcting these and supporting the deeply dynamic and personal privacy required at each step of the way.


Part of Ian Glazer's answer to Ron's question included:


But just like relational databases, LDAP and object databases, no one storage/retrieval mechanism has proven to be the single "right" tool for the job.


This hints at what seems to me to be the appropriate next effort for the identity and access management (IAM) community on the topic. If blockchains or DLTs are just another 'storage/retrieval mechanism' for identity attributes, then what are the identity use cases for which blockchain is a better storage/retrieval mechanism than the alternatives?


A Look at Distributed Token Validation API (DTVA)

As a concrete example of this sort of exercise, Ping continues to drive the Distributed Token Validation API (DTVA), as described here by my colleague David Waite. DTVA's goals are modest compared to the premise of self-sovereign identity: it merely allows an IdP and its constituent SPs to efficiently share user session information (not identity attributes). But it highlights both the technical requirements (low latency to consensus, the importance of fair ordering, etc.) and the trust model (the SPs' potentially adversarial interests with respect to a user's session management) that come with applying a real identity use case to DLTs. It was those technical requirements that motivated DTVA to initially build on the Hashgraph from Swirlds rather than on some other, less efficient DLT technology like Blockchain.


Perhaps the next question Ron poses to the IdM community should be, "What parts of IdM *could* fit on a blockchain?"



