Is democratized ID the answer to the Equifax breach?
Security professionals have long argued against the use of static identifiers like passwords and Social Security numbers, while consumers have long questioned why a handful of bureaus can claim to be the ultimate judges of their identities.
While the Equifax data breach announced last week will reinvigorate the discussion about identity, the reality is the system is as vulnerable as ever, particularly in the health care industry, according to Julie Conroy, a research director at Aite Group.
"This breach will unquestionably add fuel to that fire," Conroy said. "In the highly regulated spaces that rely on [personally identifiable information] it's difficult to make fundamental changes overnight, particularly when regulation mandates the verification of the traditional data elements."
It is also possible that the compromised data was not only accessed but tampered with, seeded with fake identities or malware. Even if the existing system can be repaired, consumers may be willing to help build something better suited to the digital age.
"The Equifax hack shows that universal identifiers like Social Security numbers are 20th-century solutions that were designed for the age of paper," said Phil Windley, chairman of the Sovrin Foundation and a professor at Brigham Young University. "They're designed for industrialized nation states with large bureaucracies. Universal identifiers aren't good in a digital age. In fact they're dangerous."
Sovrin is a nonprofit established to govern a self-sovereign identity network. It uses distributed ledger technology powered by Plenum and Evernym to manage a global group of interconnected nodes, which it hopes will eventually be run by public and private sector organizations.
The concept is to decentralize control over ID attributes, moving them out of a single large repository that gives criminals one target for everything. To form a Sovrin identity, organizations or people join the network through what it calls a "trust anchor," such as a bank, identity provider or other preexisting relationship. Once an initial Sovrin identity record is established, the ID owner can add attributes that only the owner can see, manage and share.
"If you put each person in charge of their own identity, it's as hard or harder to hack a single identity as it is to hack 143 million," Windley said.
He likened the concept to a bartender checking a patron's driver's license before serving a drink. The bartender can see only the information printed on the license, and this is sufficient to provide proof of age. The license doesn't give the bartender access to the DMV's entire database, so driving records and other motorists aren't at risk of exposure.
Similarly, a Sovrin identity owner gives only the information a transaction needs, such as date of birth, to another Sovrin participant, the "relying party," which can check that record against the ledger and create a consent record of what was shared. That record is largely unusable in any other context. All ID information is separated into attributes, such as birth date, name, street address or frequent-flier numbers, so each can be disclosed independently of the rest.
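The attribute-level disclosure described above, in the spirit of the bartender who sees only the date of birth, can be illustrated in a few dozen lines. The following is an added example written for this article, not Sovrin's or Evernym's code and not their credential format: an issuer (the trust anchor) commits to each attribute with a salted hash and attests to the root of those commitments; the holder later reveals only the attributes a relying party needs, bound to that relying party and a one-time nonce; the relying party verifies the disclosed values against the commitments and writes a consent record. All names, keys and attribute values are constructed, and an HMAC stands in for the issuer's digital signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key (a deployment would use a
# public-key signature so relying parties need no issuer secret).
ISSUER_KEY = b"example-dmv-issuer-key"


def commit(name: str, value: str, salt: bytes) -> str:
    """Salted commitment to one attribute. The salt matters: a birth date has a
    small value space, so an unsalted hash could be brute-forced by anyone who
    sees the credential."""
    return hashlib.sha256(salt + b"|" + name.encode() + b"|" + value.encode()).hexdigest()


def root_of(commitments: dict) -> str:
    """Single digest over all commitments, in canonical order."""
    return hashlib.sha256(json.dumps(commitments, sort_keys=True).encode()).hexdigest()


def issue_credential(issuer_key: bytes, attributes: dict):
    """Trust anchor attests to all attributes at once by authenticating the root.
    Returns the credential plus the salts, which only the holder keeps."""
    salts = {n: secrets.token_bytes(16) for n in attributes}
    commitments = {n: commit(n, v, salts[n]) for n, v in attributes.items()}
    root = root_of(commitments)
    tag = hmac.new(issuer_key, root.encode(), hashlib.sha256).hexdigest()
    return {"commitments": commitments, "root": root, "issuer_tag": tag}, salts


def present(credential, attributes, salts, disclose, audience, nonce):
    """Holder reveals only the attributes in `disclose`, for one relying party
    (audience) and one session (nonce). Hidden attributes stay as commitments."""
    return {
        "commitments": credential["commitments"],
        "root": credential["root"],
        "issuer_tag": credential["issuer_tag"],
        "disclosed": {n: {"value": attributes[n], "salt": salts[n].hex()} for n in disclose},
        "audience": audience,
        "nonce": nonce,
    }


def verify_presentation(pres, issuer_key, expected_audience, expected_nonce):
    """Relying party checks audience/nonce, root integrity, issuer attestation,
    and that each disclosed value opens its commitment.
    Returns (ok, disclosed_values) or (False, reason)."""
    if pres["audience"] != expected_audience or pres["nonce"] != expected_nonce:
        return False, "presentation was made for another relying party or session"
    if root_of(pres["commitments"]) != pres["root"]:
        return False, "commitments do not match root"
    expected_tag = hmac.new(issuer_key, pres["root"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, pres["issuer_tag"]):
        return False, "issuer attestation invalid"
    values = {}
    for name, d in pres["disclosed"].items():
        if commit(name, d["value"], bytes.fromhex(d["salt"])) != pres["commitments"].get(name):
            return False, f"disclosed attribute {name!r} does not open its commitment"
        values[name] = d["value"]
    return True, values


def consent_record(pres, accepted: bool) -> dict:
    """What the relying party keeps: which attributes were shown, to whom, in
    which session, and a hash of the presentation; never the hidden attributes."""
    digest = hashlib.sha256(json.dumps(pres, sort_keys=True).encode()).hexdigest()
    return {"audience": pres["audience"], "nonce": pres["nonce"],
            "attributes": sorted(pres["disclosed"]),
            "presentation_sha256": digest, "accepted": accepted}


def demo():
    # Constructed attributes; the holder has the full set, the bar sees one.
    attributes = {"name": "A. Example", "date_of_birth": "1990-04-12",
                  "street": "1 Example St", "licence_number": "D1234567"}
    credential, salts = issue_credential(ISSUER_KEY, attributes)
    bar_nonce = "n-" + secrets.token_hex(8)
    pres = present(credential, attributes, salts, ["date_of_birth"], "bar:example", bar_nonce)
    ok, shown = verify_presentation(pres, ISSUER_KEY, "bar:example", bar_nonce)
    # The same presentation replayed at a bank, which issued its own nonce, fails.
    replay_ok, _ = verify_presentation(pres, ISSUER_KEY, "bank:example", "n-other")
    # A holder who edits the disclosed value no longer opens the commitment.
    forged = json.loads(json.dumps(pres))
    forged["disclosed"]["date_of_birth"]["value"] = "1980-04-12"
    forged_ok, _ = verify_presentation(forged, ISSUER_KEY, "bar:example", bar_nonce)
    return {"ok": ok, "shown": shown, "replay_ok": replay_ok,
            "forged_ok": forged_ok, "consent": consent_record(pres, ok)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The relying party ends up with the date of birth, the issuer's attestation and a consent record, but only opaque commitments for name, street and licence number. Two things a real deployment adds that this sketch omits: a public-key signature from the issuer in place of the HMAC, and a key held by the identity owner that signs the presentation, so a relying party that has seen it cannot re-present the disclosed attributes elsewhere as if it were the owner.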
Sovrin is not a direct response to the Equifax breach, but the nature of the breach should spur people to find ways to make identity more dynamic and less financially attractive to saboteurs, Windley said.
"The data that's exposed in these breaches isn't that valuable by itself," he said. "Nobody goes to a large amount of effort to steal one person's identity. But 143 million? That's another matter."
This identity initiative will need willing participants to succeed. The state of Illinois is among Sovrin and Evernym's early adopters, using the network to digitize birth certificates in a recently announced pilot. The state hopes the digitized birth certificates can become the basis for a broader set of identity tools that grow with the individual and can be accessed from the distributed ledger only with the person's (or parent's) consent.
Attempts to move beyond static ID to accommodate digital transactions aren't new. And there are other companies, such as Civic, that are trying to create a network of participating companies in a digital ID protection scheme.
The frightening scope of the Equifax breach should give the decentralized ID movement a shot in the arm, but it remains to be seen if the effects will be long-lasting, according to Al Pascual, a senior vice president and research director at Javelin Strategy & Research.
"Relying on an amalgam of personally identifiable information has become such a ubiquitous approach to establishing identity, from the smallest businesses through the largest organizations … that it will take more than just one headline-grabbing event to create solid momentum," Pascual said. "Consumers have to demand a change and businesses need to work together to support these types of initiatives."