IBM or Microsoft's vision for ID verification & device authentication?
IBM or Microsoft's vision for ID verification & device authentication?

Whenever a new technology emerges, it naturally sets off a race between companies to be the dominant player. And so it is with blockchain, the nascent technology underpinning the digital currency Bitcoin. IBM and Microsoft are now working to become the dominant commercial blockchain-as-a-service (BaaS) platform.

In pursuit of this goal, Microsoft has been adding blockchain modules to its cloud platform Azure since 2015 while IBM launched the first commercial application of blockchain a few months ago. Both are similar in that they are based on open-source code and operate in the cloud, but on closer inspection it's clear they have two different visions for the technology.

Of the two, the code underlying Microsoft's deployment is more public. As such, it has a larger developer base and more potential for interoperability but when potential issues are found in the code, they quickly become public knowledge. The underlying code in IBM's BaaS offering is more restrictive, which makes for a smaller developer base and reduced interoperability potential, but issues are not as openly disclosed.

Who will win this race is an open question, but there are two areas of vulnerability that both of these systems share: identity and security. Ironically, with all the promise of blockchain, it is not by nature more inherently secure at the access point (digital device) or with onboarding the consumer's identity.

Ending fraud as we know it?

With its innovative open, distributed architecture, blockchain holds tremendous promise in increasing efficiency and reducing certain types of fraud in transactions involving multiple parties. Both IBM and Microsoft's versions of blockchain leverage these strengths in their respective deployments.

But the vulnerability in both systems is the one that continues to bedevil all payment system providers—how do you know the person involved in the transaction is the one authorised to perform it?

Just as with account opening processes today, ie financial account or credit card opening, there must be thorough processes for Know Your Customer (KYC) protocols. Identity verification at time of account opening includes use of a mix of credit data, documentary evidence, Knowledge Based Authentication (KBA), social media data, phone carrier data, and device intelligence.

Once identity is established, the accepted security protocol for confirming someone's claimed identity is through the use of multi-factor authentication (MFA). Before someone is authorised, they must present two or more attributes—either something they know (for example, a password), something in their possession (in the world of blockchain this could be their private key and their device), or something intrinsic to their person (such as a fingerprint). Once a combination of these attributes is presented and verified, the person is cleared to use the service.

Without identity verification and multi-factor authentication in place, blockchain technology does not prevent an unauthorised person from gaining access to the ledger.

Using the device that is accessing the blockchain as a unique attribute for MFA purposes will become a critical best practice. Technology that can create a permanent device ID for a user's devices can authenticate if the user is trusted or a potential fraud risk.

To protect against security threats and malicious attacks, this same technology can check the device, before granting access to the blockchain, to see if it is “clean”—free of malware, isn't being spoofed, isn't interacting via a malicious app, has not been blacklisted, hasn't been rooted or jailbroken, and perform many other layers of risk analysis.

Best of all, this method will make accessing the blockchain “frictionless” and enhance the user experience while bolstering security inherent in this fledgling technology.

While IBM and Microsoft have two different visions in creating commercial blockchain applications, one hopes they can agree to incorporate elements of these security best practices into their respective offerings.

Contributed by By Mike Lynch, Chief Strategy Officer, InAuth

Michael Lynch is InAuth's Chief Strategy Officer and is responsible for developing and leading the company's new products strategy. Prior to joining InAuth, Lynch served as a Senior Vice President for Bank of America.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.