In what might be described as a somewhat low-key statement, Microsoft this week once again started bigging up the blockchain. Alex Simons, vice-president of program management at Microsoft's Identity Division, has announced an early preview of a decentralised identity (DID) network called ION (Identity Overlay Network) which runs over the top of the Bitcoin blockchain. This is, Simons says, "based on an emerging set of open standards that we’ve developed working with many of our partners in the Decentralised Identity Foundation." The main thrust of the news being that the new approach "greatly improves the throughput of DID systems to achieve tens-of-thousands of operations per second."
This is the latest move towards a future of decentralised identities where everyone has a digital identity backed by "self-owned identifiers" to enable secure, privacy preserving interactions. The Microsoft vision of this future has revolved largely around 'Identity Hubs' for encrypted storage of personal data with blockchains and distributed ledgers anchor their identifiers. It has, until now, been slow performance that has been holding them back apparently. But is there more keeping this blockchain-shaped identity nirvana from materialising any time soon?
SC Media UK has been asking if we actually need an immutable, decentralised identity system and if we do is one built on the bitcoin blockchain the best bet? "The proposal for DID is not simplistic with many elements in play but the foundation is built on blockchain which quite simply is the most appropriate technology to make it happen" Professor Kevin Curran, senior IEEE member and professor of cyber-security at Ulster University insists.
It can cope with the myriad of untrusted parties while also asserting the identity of individuals with the highest assurance of truth. Curran says, adding "of course, there remain the usual caveats about scalability and the consensus protocol but this is a proposal which does make sense to implement via blockchain."
Dr Guy Bunker, CTO at Clearswift, isn't necessarily convinced. "Having a decentralised ID system where there were guarantees that the individual purporting to be a specific person can be ‘proven’ would help reduce fraud, with a tie into banking, employment, government services etc" he agrees. However, this is providing that all these sectors sign up to use the service offered, Bunker warns. "There have been a number of such initiatives in the past but none have gained the ubiquity required to really make a difference" he says.
And what are the practical benefits that such a system would bring to the average enterprise? "I see DID as a great defence against Phishing attacks, how can a hacker steal your identity, when you fully control who can use it and for what purposes," Jason Revill, the UK&I security consulting lead at Avanade UK, told SC Media UK. "The authentication mechanisms for granting access are bound to be tied to biometrics that are tied to the identity owner so the credential will be incredibly difficult to steal," Revill continues, "we can never say never with todays advanced threat actors, but it will certainly go a long way to securing against todays common attack vectors."
Jitendra Thethi, AVP of technology and innovation at Altran, who told SC Media UK that while such a decentralised identity system based on blockchain would make sense for the identification of IoT devices and physical assets, it "would be less relevant for human identity systems, and of course there are constraints around GDPR; rights for removal of data would be difficult to meet."
And then there's the not so small matter of the consensus problem to overcome. For any blockchain to be secure, an adversary must not be able to overwhelm the consensus process. "This means that an adversary cannot create a lot of 'mining' nodes and take over 50 percent or more of the new block creation," Professor Curran explains, concluding "there have been mining pools which have reached this size, but the community responded, and these have shrunk. However, the '51-percent attack' remains a shadow on blockchain currencies..."