Out of the U.K.'s regulatory sandbox: A blockchain password alternative
One of the indirect offshoots of Brexit is a government program that's designed to keep the U.K. relevant by lending a hand to new companies.
The program, FCA Innovate, may have a global effect by nurturing companies that aim to retire static authentication modes such as usernames and passwords.
"We're all seeing these breaches coming out on a daily basis it seems," said Alastair Johnson, co-founder of Nuggets, a two-year-old company that has been working on its identity system and plans to launch in the first quarter of 2018. "The existing model of personal data being kept in silos is untenable and merchants and banks will be looking for a new model going forward."
Nuggets developed a blockchain-based system that uses biometrics for payment, login and ID verification with banks and merchants, without storing or sharing personal data. This process makes passwords obsolete, contends Johnson, adding that any merchant or bank can access Nuggets through an API and consumers can access the system through an app. The blockchain — a distributed ledger system originally developed for bitcoin — has "zero knowledge storage," encryption, privacy and security, according to Johnson.
U.K. regulators chose the London-based Nuggets to participate in their program, designed to encourage innovation in fintech and other disciplines. The company performed testing in a regulatory sandbox, which loosens some regulations to give startups a chance to test their technology. About 90% of the companies that go into the Financial Conduct Authority's sandbox achieve wider launch after the six-month testing period.
"They worked with us on the testing, and that was an important part of getting us ready," Johnson said.
Nuggets combines blockchain encryption with biometric verification such as a selfie. Users download the Nuggets app and create a private key to access their own data, and then add initial payment information. This account information is established on a blockchain, with only the user having access to the information.
"The retailers are the ones that are in the battleground of the breach problem," Johnson said. "They don't want to keep customer data just to perform a transaction."
Nuggets charges a transaction fee to retailers, and also provides incentives in the form of a virtual currency called Nuggets Tokens. Users accrue Nuggets Tokens for using the system, and participating merchants accept these tokens for products and services. Users can also receive tokens from merchants for deciding to share parts of their personal data—such as an email address—with the sharing remaining under consumers' control with a "right to be forgotten."
This makes data sharing a two-way street between merchants and consumers, according to Johnson. "The consumer can take advantage of the value of their personal information, rather than giving it to another party," Johnson said.
Nuggets is in pilot with retailers and banks, though the company did not divulge users. Selfie pay, or facial recognition biometrics, has gained traction with card networks, banks and others as an identity factor in addition to passwords or device fingerprinting. Blockchain's decentralized model operates as a security tool because it's harder to hack data that's not in a centralized silo.
Blockchain security programs have potential, but there is a lot of work involved, according to Kristina Yee, a senior analyst at Aite Group, who added that it's more expensive than cloud or mobile-push authentication methods that are advancing as dynamic ways to protect digital commerce.
"The user clicks on a link and answers 'yes or no' and he or she is logged in," Yee said. "In contrast, using blockchain for authentication is complex and expensive and requires a centralized trusted authority to manage it and police it. Blockchain was designed specifically for a decentralized, trustless P-to-P payment system, like paying in cash, so the idea of adding identity to it requires a lot of retrofitting and some kind of central/trusted authority to dictate the rules and policies of any such system."
Nuggets is an interesting system, Yee said, given its model of storing information in separate "nuggets" as a protector, though the model requires coordination across a large network of financial institutions and merchants. "It prevents any one entity from having the keys to the kingdom."