Dan Elitzer is a member of the IDEO coLAB, a shared platform to discover and act on the potential of new technologies, with current focuses on blockchain, digital identity, and IoT.
In this op-ed, Elitzer fleshes out a framework for how a digital identity system should function based on work performed by the IDEO coLAB team.
How do you identify yourself? Is it your name? Your email address? Phone number? Drivers license? Facebook account?
- When you’re distributing digital tokens representing voting rights for community projects, how do you ensure there’s a real person behind each account?
- How can a university issue digital diplomas that graduates can prove are authentic and belong to them?
- In the event of an emergency, is there a way to automatically give doctors access to your relevant medical history, while keeping it secure and private at other times?
You can probably think of some fairly straightforward answers to those questions. But when you go to implement them, you quickly find that the solution either makes fraud trivial or introduces a level of friction that users won’t tolerate.
• • •
To help guide discussion at the workshop, we developed a simple framework of the core functions of an identity system. During a concurrent project, the IDEO coLAB team made a few iterations. It’s not perfect, but we’ve found it useful for organizing our thinking and analyzing where blockchains and other emerging technology might be applicable:
Whether it’s the US government assigning Social Security Numbers or Google letting you select an email address, there needs to be a way to create new identities and assign identifiers.
Identity data needs to be stored somewhere. Usually this is a private database with administrator-controlled access, but technologies like IPFS and Blockstack are examples of new models for data storage and retrieval.
Individuals need to prove they are who they say they are when attempting to assert their identity. This is done using one or more factors of authentication: something you know (a password), something you have (a mobile phone), or something you are (photo or fingerprint). For example, think of what happens when you present your drivers license at a bar or airport. The person inspecting it looks at your photo, then at you, to make sure you’re the person represented on the card.
Once they’ve authenticated themselves, individuals are authorized to perform certain tasks. Whether it’s being able to access the transaction history for your bank account or being able to enter a bar, identity systems get utility from enabling you to take actions and interact with people or businesses based on knowing who you are or certain information about you.
Stolen wallet or forgotten password? Individuals need a way to regain access to their identity data, should they lose it.
(Note: This is often the part of the process where the usability vs security tradeoff is most stark — protecting an account with a random 32-character password and fingerprint isn’t much good if “recovery” can be done using your zip code and the last four digits of your social security number. Conversely, asking the average user to print a recovery key when they create their account is absurd.)
Users or administrators need to be able to add, remove, or edit attributes associated with an identity. Pieces of our identity information change over time: an address gets changed, a new degree is earned, a drivers license expires, etc. Digital identities need to evolve along with the people they represent.
How can someone check that your identity data is accurate?
In the context of regulated industries such as financial services or health care, identity data and the process by which it is recorded and accessed needs to be auditable by relevant government institutions. For user-controlled identity systems like PGP, code is open source and trusted parties that host data (e.g., Keybase) ideally go to great lengths to enable public auditing.
• • •
From our experience, these are the core components of any identity system. Each presents its own unique challenges for system design and opportunities for creating better user experiences. How will the system be used? How might it be hacked or exploited? Is a universal digital identity system possible or desirable…and by whom?
We look forward to sharing more about what we’re thinking and doing in this space over the coming months. If you’re interested in learning more, visit our website and sign up for our newsletter.
Graphics by Reid Williams, whose collaboration on this framework has been invaluable. Thanks to Ted Ko, Reid Williams, and Piper Loyd.
This article originally appeared on Medium, and has been republished with the author's permission.