In case you hadn’t noticed, identity management is broken.
For years, we have been looking for ways to prove quickly and safely that we are who we say we are, and it isn’t working. It’s one problem that the Cupertino, California-based blockchain technology startup ShoCard is hoping to solve.
Passwords are toxic, and two-factor authentication is a cumbersome bandage that doesn’t solve the underlying problem: Once we hand over our sensitive data to a third party, we no longer control it.
Some of the most prominent breaches in recent times show why that’s so dangerous. The 2015 attack on the Office of Personnel Management (OPM) saw thieves steal the intimate personal details of 21.5 million Americans. Last year’s Equifax hackers stole the personal information of nearly 150 million people — that’s half of the adult U.S. population. Among that data were people’s names, birthdates, home addresses, social security numbers and, in some cases, driver’s license information. It was a disaster.
We rely on companies like this to store our data and then challenge us with it because there has been no way of proving ourselves without them. It’s an age-old system that worked in an analog world, but it is hopelessly inadequate in 2018. It just doesn’t scale.
Companies like Google and Facebook have tried to solve that problem by letting sites authenticate users through the accounts they already have. But this method still leaves users lacking control, and a breach of any of these larger companies can still compromise users’ identities at an even larger scale, pointed out ShoCard CEO Armin Ebrahimi.
“If your account at Facebook is locked down or compromised, then you lose that ID,” he said. “That's because the enterprise owns it.”
In any case, your local bank, traffic cop or bartender won’t take your Facebook ID as proof that you can withdraw cash, drive or buy a cocktail.
ShoCard offers an alternative: Use phones and decentralized networks instead. Instead of taking their chances with a company’s leaky servers, users can keep their data encrypted on their mobile devices. They can show portions of their identity to whoever needs it while keeping their data to themselves the rest of the time.
How can a third party be sure that the data on a user’s phone is legitimate? That’s where the blockchain comes in.
Individuals enter their credentials into the app, including everything from a scan of their driver’s license to their passport and even their biometric data. With the individual’s permission, others can add data too, such as the digital equivalent of an airline boarding pass. The app then hashes these credentials, digitally signs them using the individual’s private keys, and stores a digital fingerprint of the data (rather than the personal data itself) on the