But IAM is different. Here, it makes perfect sense to employ a blockchain.
How? Let’s take a look.
Keeping users honest
The central promise of the blockchain is simple. Within a community of people who don’t necessarily trust each other, you can still reach consensus over certain facts without having to employ a central authority.
For example, the Bitcoin blockchain tracks how participants’ funds are being spent (in so-called transactions), and therefore prevents the same amount of currency from being spent twice with different recipients. You can’t buy a laptop and a refrigerator with the same 0.2 Bitcoin (BTC), just as you can’t buy them with the same $1,000 in traditional currency. (In fact, we wouldn’t really advise you to pay for your laptop or your refrigerator in BTC at the moment…but that’s a different article altogether.)
In the case of USD, this double-spend is prevented by your bank acting as a central authority. The bank keeps your accounts and will immediately deduct $1,000 as soon as you’ve spent it.
In Bitcoin, it works similarly, with the major difference that there is no third-party authority to keep tabs on you. Instead, it’s all on the blockchain and with a clever game-theoretical model, the so-called “consensus mechanism” prevents participants from cheating each other.
Rights and transactions
What do Bitcoin and other cryptocurrencies have to do with digital identities? On the surface, not much.
Although Bitcoin is not anonymous per se, it has often been used to obfuscate the identity of sellers and buyers on digital marketplaces, and even truly anonymous coins have been developed in the meantime.
However, cryptocurrencies are not the actual blockchain – they are merely the first well-known application of blockchain technology.
Blockchain technology can be generalized as a tool to administrate digital rights without the oversight of a central authority. One of these digital rights can be “I am allowed to spend these 2 BTC”, but it can just as well be “I can decide who is permitted to access this digital document”. In cryptocurrencies as well as in other blockchain use cases, your rights are exercised in the form of transactions:
- You spend 1 BTC – a transaction happens.
- You grant your employer access to your digitalized graduation certificate (but not your divorce certificate) – a transaction happens.
Not all of the digital information has to be stored on the blockchain – in fact, doing so poses serious scalability problems because identical copies of the blockchain live on all nodes in the blockchain network, and duplicating gigabytes and gigabytes of information is a colossal waste of storage space.
Instead, documents can also be stored in third-party databases, with only their hashes written to the blockchain to make sure that the contents have not been tampered with. Only administrative information – who has granted or revoked which permission, for example – needs to be stored on the blockchain itself.
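The hash-anchoring pattern just described, as an added example in Go (this is not code from the original article or from any particular blockchain project). The chain is simulated by an append-only slice, the third-party document store by a map, and the document contents and identifiers are constructed sample values; in a real deployment the anchor would be a transaction and the store a database or object storage.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Anchor is the only thing that goes on the (simulated) blockchain for a
// document: its identifier and a SHA-256 digest of the off-chain contents.
type Anchor struct {
	DocID string
	Hash  string // hex-encoded SHA-256
}

// AnchorLedger stands in for the shared, append-only chain. It never holds
// the documents themselves, so each node only replicates a few bytes per file.
type AnchorLedger struct {
	anchors []Anchor
}

// DocHash computes the digest that is anchored and later re-checked.
func DocHash(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Record anchors the digest of a document kept in some third-party store.
func (l *AnchorLedger) Record(docID string, content []byte) Anchor {
	a := Anchor{DocID: docID, Hash: DocHash(content)}
	l.anchors = append(l.anchors, a)
	return a
}

// Verify checks a copy retrieved from the off-chain store against the most
// recent anchor for docID. A document that was never anchored fails closed.
func (l *AnchorLedger) Verify(docID string, content []byte) bool {
	for i := len(l.anchors) - 1; i >= 0; i-- {
		if l.anchors[i].DocID == docID {
			return l.anchors[i].Hash == DocHash(content)
		}
	}
	return false
}

func main() {
	// Constructed sample: the off-chain store is just a map here.
	store := map[string][]byte{
		"graduation-cert": []byte("Jane Doe, B.Sc. Computer Science, 2019"),
	}
	ledger := &AnchorLedger{}
	ledger.Record("graduation-cert", store["graduation-cert"])
	fmt.Println("original verifies:", ledger.Verify("graduation-cert", store["graduation-cert"]))

	// Someone with write access to the store edits the degree; the anchored
	// hash on the chain does not change, so the edited copy is detected.
	store["graduation-cert"] = []byte("Jane Doe, M.Sc. Computer Science, 2019")
	fmt.Println("tampered copy verifies:", ledger.Verify("graduation-cert", store["graduation-cert"]))
}
```

Note what the check does and does not give you: the chain proves that the copy you hold is byte-for-byte what was anchored, but it says nothing about whether the anchored content was true in the first place, so the party that performs the anchoring still has to be trusted for that.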
The networked nature of the blockchain not only enables decentralized administration; it also makes the blockchain very robust against attacks and natural disasters. This is one of the reasons why blockchain-based identity management has been proposed as a solution for refugees. In war, floods or fires, passports and banking documents can easily be destroyed, but a blockchain network lives on, just like the internet.
Taking care of the private key
All you need to know to exercise your digital rights is one crucial little piece of information: Your private key.
The private key is part of a public/private key pair, as known from asymmetric and hybrid encryption and from digital signature systems such as PGP and S/MIME. And just like in those systems, the security and reliability of the blockchain depend almost entirely on one single fact: do users keep their private keys safe and private?
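The two points above – rights exercised as transactions (grant or revoke access to a document) and the private key as the single thing that authorizes them – as one added example in Go, not code from the original article or from any blockchain project. The chain is again a simulated append-only list; Ed25519 from the Go standard library is the assumed signature scheme, and the binding of a document ID to its owner's public key is assumed to have happened at registration, outside this snippet. Names and document IDs are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Tx is one administrative record on the (simulated) chain: the holder of a
// private key grants or revokes a grantee's access to one of their documents.
type Tx struct {
	Owner   ed25519.PublicKey `json:"owner"`
	Grantee string            `json:"grantee"`
	DocID   string            `json:"doc_id"`
	Action  string            `json:"action"` // "grant" or "revoke"
	Seq     uint64            `json:"seq"`    // per-owner counter: an old grant cannot be replayed after a revoke
}

// SignedTx is a Tx plus the owner's Ed25519 signature over its canonical bytes.
type SignedTx struct {
	Tx  Tx
	Sig []byte
}

func (t Tx) bytes() []byte {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err)
	}
	return b
}

// Sign is the only step that needs the private key; everything else runs on public data.
func Sign(priv ed25519.PrivateKey, t Tx) SignedTx {
	return SignedTx{Tx: t, Sig: ed25519.Sign(priv, t.bytes())}
}

// PermissionLedger is append-only and holds grants and revokes, never documents.
type PermissionLedger struct {
	txs     []SignedTx
	nextSeq map[string]uint64 // hex(owner public key) -> next expected Seq
}

func NewPermissionLedger() *PermissionLedger {
	return &PermissionLedger{nextSeq: map[string]uint64{}}
}

// Append is the check every node runs before accepting a transaction: the
// signature must verify under the claimed owner key and Seq must be the next one.
func (l *PermissionLedger) Append(s SignedTx) error {
	if s.Tx.Action != "grant" && s.Tx.Action != "revoke" {
		return errors.New("unknown action")
	}
	if len(s.Tx.Owner) != ed25519.PublicKeySize {
		return errors.New("malformed owner key")
	}
	if !ed25519.Verify(s.Tx.Owner, s.Tx.bytes(), s.Sig) {
		return errors.New("signature does not verify under the claimed owner key")
	}
	k := hex.EncodeToString(s.Tx.Owner)
	if s.Tx.Seq != l.nextSeq[k] {
		return fmt.Errorf("bad sequence %d, expected %d (replay or gap)", s.Tx.Seq, l.nextSeq[k])
	}
	l.nextSeq[k]++
	l.txs = append(l.txs, s)
	return nil
}

// HasAccess replays the chain: the owner's latest record for (grantee, doc) decides.
func (l *PermissionLedger) HasAccess(owner ed25519.PublicKey, grantee, docID string) bool {
	allowed := false
	for _, s := range l.txs {
		if s.Tx.Owner.Equal(owner) && s.Tx.Grantee == grantee && s.Tx.DocID == docID {
			allowed = s.Tx.Action == "grant"
		}
	}
	return allowed
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	l := NewPermissionLedger()

	grant := Sign(alicePriv, Tx{Owner: alicePub, Grantee: "employer", DocID: "graduation-cert", Action: "grant", Seq: 0})
	fmt.Println("grant accepted:", l.Append(grant) == nil)
	fmt.Println("employer can read certificate:", l.HasAccess(alicePub, "employer", "graduation-cert"))
	fmt.Println("employer can read divorce papers:", l.HasAccess(alicePub, "employer", "divorce-cert"))

	// A record that names Alice as owner but carries someone else's signature is rejected by every node.
	forged := Sign(malloryPriv, Tx{Owner: alicePub, Grantee: "mallory", DocID: "divorce-cert", Action: "grant", Seq: 1})
	fmt.Println("forged grant rejected:", l.Append(forged) != nil)

	revoke := Sign(alicePriv, Tx{Owner: alicePub, Grantee: "employer", DocID: "graduation-cert", Action: "revoke", Seq: 1})
	fmt.Println("revoke accepted:", l.Append(revoke) == nil)
	fmt.Println("replayed grant rejected:", l.Append(grant) != nil)
	fmt.Println("employer still has access:", l.HasAccess(alicePub, "employer", "graduation-cert"))
}
```

Two things are worth noticing. First, the nodes never see a private key; they only check public keys and signatures, which is exactly why no central authority is needed for the check. Second, the same property is what makes key loss final: once alicePriv is gone, nobody can produce a valid revoke for the existing grant or any new grant under that key, and the ledger has no notion of "reset my key".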
For blockchain hardliners, trust in the blockchain is immediately eroded as soon as a third party starts managing participants’ private keys. However, in many use cases, third-party handling of private keys is the only way to provide reasonable usability.
In other words, how likely is it that someone loses all their traditional identification documents on their escape over the Mediterranean Sea – but manages to save the flash drive with their blockchain private key?
Or, to put it in a more corporate context: what happens if your company’s IAM is powered by a blockchain, but one co-worker manages to lose their private key for good? Technologically, private keys can never be recovered, so your only choice would be to create a completely new user. The efficiency of a procedure like that is…debatable. At best.
Blockchain for corporate IAM?
In summary, two things are crucial when deciding if a blockchain is right for your IAM use case:
- Deciding whether or not trust is an issue in your organization. If all internal members can be trusted and no outside members need access to documents, using a blockchain is possible, but probably not necessary.
- Finding a solution that provides an acceptable compromise between security and usability, especially with regard to private key management.
Need help with this decision? Feel free to contact us and discuss the options for your company!
Dr Christina Czeschik is a writer and consultant specialized in information security, digital privacy, and Blockchain. Originally a doctor, she has slipped into the infosec pool by way of cryptoparties, and never quite been able to climb out again.