Technology is changing, and none more so than the pervasive Internet with its connected data and devices. But how does the evolving Web 3.0 landscape affect identity, both for the individual in terms of data privacy and in terms of integration with omnipresent devices like our mobile phones?
What is Web 3.0?
If we assume Web 2.0 was focused upon the big three of “mobile, social and cloud”, we can also assume Web 2.0 is still very much in full flight, powering everything we do from distributed working, online banking and retail, through to government interactions. However, not many technologies stay still forever, and the “web” is no exception. The definitions of Web 3.0 vary, and many attribute the concept (originally as the “semantic web”) to Tim Berners-Lee, the inventor of the World Wide Web.
The main components of Web 3.0 are seemingly focused upon being:
- Open – with an increased use of open source software and standards, that promote peer review and transparency
- Trustless – with no dependency on a trusted third party to broker interactions between parties that do not trust each other
- Permissionless – no requirements on a central governing body (either institutional or commercial) that authorizes individuals to perform actions
So what in turn do those Web 3.0 concepts result in? It seems they are driving us towards a new data driven network where decentralisation and user empowerment are fundamental forces.
What Problems Need Solving?
But this will generate new problems. Firstly, with an increasing focus on individual empowerment, driven by a multitude of components such as compliance (GDPR, CCPA), the age of the consumer, and digital transformation, how can a citizen or consumer represent themselves digitally in a secure way across an untrusted ecosystem of devices and data consumers? With less reliance on (and considerably more suspicion of) large corporate entities acting as data storage bastions, where does digital identity data reside in this new trustless and highly distributed ecosystem? There are two avenues to think about: one, the actual physical location of the data, and two, who should control access to it.
From a location perspective, the one thing most adults will seemingly be in possession of in the next three years is a smartphone: a highly connected, powerful small computer capable of communicating over HTTPS, running specialised applications, containing biometric sensors (face, fingerprint and possibly iris scanning) and containing specialised secure storage, in the form of a secure element (such as an embedded, non-removable SIM or a dedicated secure chip) and a trusted execution environment. It seems likely that this mobile storage “wallet” would be a gateway to a distributed network (can we dare to introduce the word blockchain here) which contains either encrypted versions of stored PII or pointers to transaction details embedded within smart contracts, which grant otherwise untrusted third parties scoped, time-limited access to persona-based representations of PII and event data.
The Emergence of the Digital Wallet
The use of digital wallets (either on mobiles or desktops) for storing Bitcoin and other cryptocurrency private keys is becoming quite common. It would seem logical, if our main device of choice migrates permanently from desktops, laptops and tablets to a mobile (likely connected to wearable augmented reality/virtual reality, AR/VR, devices), that this secure wallet will reside on the mobile too, in hardware-backed secure storage. Companies like WalliD.io, based out of Portugal, appear to be investing in this direction.
But what should go inside this wallet? And how does it get there?
What Goes in The Wallet (And How Did It Get There?)
So we move forward a few years: we do everything on a more embedded and connected mobile device (or set of interconnected devices). This device ecosystem essentially becomes a digital extension of the owner. So what needs to reside on the mobile to securely represent the owner? Well, today we talk about identity proofing: the initial steps of the user on-boarding process to a relying party, where third-party services verify typically government-issued documents, such as driving licences and passports.
The documents go through a resolution/validation/verification style process (see the NIST SP 800-63 series, in particular 800-63A on enrolment and identity proofing, and its Identity Assurance Levels for more details) to prove that a physical identity exists with those verified claims.
So how to link the physical document to the device, and in turn prove that the device owner is simultaneously the document owner? Vendors like 1Kosmos provide the ability to overlay the verified claims from national document issuers with run-time biometrics, such as a photo with a liveness check done via the mobile. Combine the two and there is a semblance of biometric device binding, which is effectively saying “yes, Joe Bloggs is a person as confirmed by his passport, and I’ve just taken a picture of Joe using his mobile camera and that matches the photo on this passport”.
That level of binding based on verifiable claims provides a level of static assurance of both the device owner and the provided attributes. Subsequent use of that “identity” would of course require authentication.
In the Web 3.0 miniature device world, I can’t see passwords delivering the best security or usability experience. So bye bye passwords, hello passwordless. There are numerous approaches here, and vendors like Hypr, Keyless.io and Transmit Security provide a range of combined approaches that improve security and usability, leverage biometrics and can integrate with a multitude of different consumer and workforce use cases.
But in reality passwordless is not a thing in itself; it is just a means to an end.
What will verifiable claims, embedded within a mobile secure wallet accessed via passwordless and distributed biometry allow us to do?
(Not Too Distant) Future Use Cases
“The future is already here; it’s just not evenly distributed” (William Gibson). Whilst some immediate use cases spring to mind that I could very easily consume tomorrow as citizen-Joe, think about the following that may emerge by 2025:
- Entirely mobile-only digital payments – releasing payment processing data via an NFC tap
- Releasing zero-knowledge (or at least minimal-disclosure) proofs regarding my PII to untrusted third parties, again via an NFC tap: the classic “prove your age to the bouncer” scenario, where the verifier learns only that I am over 18, not my date of birth or anything else on the document
- Physical workforce proof of presence check for secure gated access (if we ever return to workplaces of course) via the mobile device
- No central identity provider within social network interactions – PII is vaulted with non-traceable representations of that data created for specific time based events and tasks
- Single and multi-party secure communications – this is essentially here today, but ephemeral, self-destructing communications will be the default, with the source and destination being device-related rather than identity-related
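The “prove your age to the bouncer” item above hides a real design problem: if the wallet simply hands over a signed passport record, the bouncer learns everything on it. The example below is an added illustration (not code from the original post, nor from any vendor it names) of the minimal-disclosure pattern that SD-JWT and the ISO 18013-5 mobile driving licence use: the issuer commits to each claim as a salted hash and signs only the hash list, and derives age predicates (age_over_18 and so on) at issuance so the date of birth never has to leave the wallet. The issuer signature here is an HMAC stand-in (assumption: the verifier holds the issuer key); a real wallet would use a public-key signature such as Ed25519, and would also bind the verifier’s nonce with a holder key, which this toy omits. The holder, claims, dates and nonces are all constructed sample data.

```python
"""Minimal-disclosure age proof between an issuer, a wallet and a verifier.

Added illustration, not code from the original post or from any vendor named
in it. Models SD-JWT-style selective disclosure: every claim is committed as
SHA-256 over (salt, name, value); the issuer signs only the sorted digest list,
so the wallet can reveal any subset and the verifier checks each revealed claim
against the signed digest without learning the rest. The issuer signature is
an HMAC stand-in (assumption: the verifier holds the issuer key); a real wallet
would use a public-key signature such as Ed25519 plus holder key binding.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date

ISSUER_KEY = secrets.token_bytes(32)  # stand-in for the issuer's signing key


def _canon(obj) -> bytes:
    # Canonical JSON so issuer, wallet and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(disclosure) -> str:
    # disclosure = [salt_hex, claim_name, claim_value]; the random salt stops a
    # verifier from brute-forcing low-entropy values (e.g. a birth date) from
    # the digests it can see in the signed payload.
    return hashlib.sha256(_canon(disclosure)).hexdigest()


def _sign(payload: dict) -> str:
    return hmac.new(ISSUER_KEY, _canon(payload), hashlib.sha256).hexdigest()


def issue_credential(claims: dict, today_iso: str):
    """Issuer side: returns (signed credential, private disclosures)."""
    dob = date.fromisoformat(claims["date_of_birth"])
    today = date.fromisoformat(today_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    # Age predicates are derived at issuance (as mDL age_over_NN elements are),
    # so proving "over 18" never requires disclosing the birth date itself.
    full = dict(claims, age_over_18=age >= 18, age_over_21=age >= 21)
    disclosures = [[secrets.token_hex(16), name, value] for name, value in full.items()]
    payload = {"iss": "example-issuer", "_sd": sorted(_digest(d) for d in disclosures)}
    return {"payload": payload, "sig": _sign(payload)}, disclosures


def present(credential: dict, disclosures, reveal, nonce: str) -> dict:
    """Wallet side: release only the named claims, echoing the verifier's nonce.
    (Binding that nonce with a holder signature is omitted in this toy.)"""
    chosen = [list(d) for d in disclosures if d[1] in reveal]
    return {"credential": credential, "disclosures": chosen, "nonce": nonce}


def verify(presentation: dict, expected_nonce: str, must_be_true):
    """Verifier side: return the revealed claims, or None on any failure."""
    cred = presentation["credential"]
    if presentation["nonce"] != expected_nonce:
        return None
    if not hmac.compare_digest(_sign(cred["payload"]), cred["sig"]):
        return None
    signed_digests = set(cred["payload"]["_sd"])
    revealed = {}
    for d in presentation["disclosures"]:
        if _digest(d) not in signed_digests:
            return None  # tampered or foreign disclosure
        revealed[d[1]] = d[2]
    if any(revealed.get(name) is not True for name in must_be_true):
        return None
    return revealed


if __name__ == "__main__":
    # Constructed sample holder; the bouncer ends up seeing only age_over_18.
    cred, discl = issue_credential(
        {"given_name": "Joe", "family_name": "Bloggs", "date_of_birth": "2001-06-15"},
        "2021-03-01")
    nonce = secrets.token_hex(8)  # bouncer's challenge, sent over the NFC tap
    pres = present(cred, discl, {"age_over_18"}, nonce)
    print(verify(pres, nonce, ["age_over_18"]))  # {'age_over_18': True}
```

The point to notice is what the verifier receives: the signed digest list plus one disclosure. It can confirm that the issuer vouched for age_over_18 being true, but the other digests are salted and so tell it nothing about the name or birth date. Adding a fresh predicate such as age_over_65 is an issuer-side change only; the wallet and verifier logic are unchanged.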
And with it, mobile device theft may head towards zero, as devices will be biometrically linked to a physical person in a way that makes them useless to thieves and malicious actors. Maybe this last one is just wishful thinking.
About The Author
Simon Moffatt is Founder & Analyst at The Cyber Hut. A published author with over 20 years’ experience within the cyber security and identity and access management sectors, his 2021 research diary focuses upon “How To Kill The Password”, “Next Generation Authorization Technology” and “Why We Are Not Prepared For Cyberwar”.