Identity and access management (IAM) offers a good example of how security policy decisions trigger the law of unintended consequences. With the soundest of intentions, the majority of the digital world insists on strong IAM policies. These typically involve pairing a user name and password to authenticate a user's identity and authorize access to digital assets such as applications or data. There are several big problems with traditional IAM, however.
One difficulty is that user name and password pairs can get lost, forgotten, stolen or shared without permission. Multifactor authentication (MFA) can strengthen the control and go further to verify the identity of the user. However, adding MFA can affect the user experience and cause its own complications: applications to maintain, support inquiries and so forth. Similarly, cumbersome password resets degrade the user experience and create support overhead, as well as their own accidental pathways to fraud and identity theft.
The other serious problem with IAM is its tendency to create large stores of valuable personally identifiable information (PII) that must then be rigorously defended. IAM turns every holder of PII into a protector of PII. That is a situation few people are happy about. The problem compounds given how many entities hold the same PII in parallel.
The average person’s PII is stored by their employer, bank, phone company, insurance company, healthcare provider, the government, credit rating agencies, credit card companies and on and on. From a hacker’s perspective, it’s ideal. The hacker gets multiple shots at stealing your PII. At some point, he or she is going to succeed.
A lot of smart minds are at work today rethinking how IAM is done. ShoCard, for example, has devised a way to use Blockchain to create an identity management solution that puts the ID data in the hands of the user rather than the entity controlling access. Instead of a user name and password pair linked to PII in a central identity store, ShoCard uses Blockchain to store an immutable, verifiable identity signature for the user. There is no PII on the Blockchain. A one-way hash makes it essentially impossible to reverse engineer a user’s identity from the Blockchain data.
The user stores his or her PII in encrypted form on a mobile device. When logging in to a system with ShoCard, the user sends a PIN or biometric data to the Blockchain ledger, which validates the user's identity. There are several advantages to this approach compared to traditional IAM. The ShoCard identity verification is portable: it can be used for single sign-on (SSO) or extended across multiple entities such as the bank, hospital and so forth. These entities never have to maintain stores of PII, which removes a big security headache and a legal/compliance liability for them. The user feels more secure as well.
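The core idea above, a one-way hash of identity data recorded on a ledger while the PII itself stays on the device, can be illustrated in a few lines. This is an added example and not ShoCard's code; it assumes a hypothetical in-memory "ledger" (a dict) and a salted SHA-256 commitment, and it does not reproduce how ShoCard actually signs or anchors records on a blockchain.

```python
"""Salted identity commitment: the ledger holds only a hash, never the PII."""
import hashlib
import hmac
import json
import secrets


def canonical(identity: dict) -> bytes:
    # Canonical JSON so the same record always serializes (and hashes) identically.
    return json.dumps(identity, sort_keys=True, separators=(",", ":")).encode()


def make_commitment(identity: dict, salt: bytes) -> str:
    # One-way hash over salt || canonical identity. The salt stays on the user's
    # device; without it, a hash of low-entropy fields such as name plus date of
    # birth could be matched by simply guessing candidate records.
    return hashlib.sha256(salt + canonical(identity)).hexdigest()


def enroll(identity: dict) -> tuple[dict, bytes]:
    # Returns the ledger entry (hash only) and the device-side salt.
    salt = secrets.token_bytes(32)
    ledger_entry = {"commitment": make_commitment(identity, salt)}
    return ledger_entry, salt


def verify(ledger_entry: dict, identity: dict, salt: bytes) -> bool:
    # The relying party re-derives the hash from the record the user presents
    # and compares it to the ledger in constant time.
    expected = make_commitment(identity, salt)
    return hmac.compare_digest(expected, ledger_entry["commitment"])


def ledger_contains_pii(ledger_entry: dict, identity: dict) -> bool:
    # Sanity check: none of the identity field values appear in the ledger entry.
    blob = json.dumps(ledger_entry)
    return any(str(value) in blob for value in identity.values())


# Constructed sample record, not real personal data.
SAMPLE_IDENTITY = {"name": "Ada Example", "dob": "1990-01-01", "id_number": "X-000-111"}

if __name__ == "__main__":
    entry, device_salt = enroll(SAMPLE_IDENTITY)
    print("ledger entry:", entry)
    print("verifies:", verify(entry, SAMPLE_IDENTITY, device_salt))
    tampered = dict(SAMPLE_IDENTITY, dob="1991-01-01")
    print("tampered verifies:", verify(entry, tampered, device_salt))
```

Verification succeeds only when the presented record and the device salt match what was enrolled; the ledger entry itself reveals none of the identity fields.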