Can Blockchain Eliminate the Need for Passwords in Identity Management?

Written by Mark Hillyard

Blockchain has been around for some time now (at least in “IT years”). It has mostly been used to record and validate transactions, financial ones above all: entries are hashed and chained together, not encrypted, so the ledger is tamper-evident rather than secret. But what if that same technology could be used to validate identity as well? Rather than maintaining a safe full of usernames and passwords, we could anchor our identities on the chain and use them to prove who we are for any service or transaction. Let’s dive into the use of blockchain in identity management.

Security’s Most Common Attack Vector – Passwords

Social engineering, brute-forcing, password dictionaries, shoulder surfing, keystroke logging, credential stuffing with passwords leaked in earlier breaches, and just straight-up guessing are all ways that attackers of every level, from script kiddies (unskilled individuals who run scripts or tools developed by others to attack systems and deface websites) to state-sponsored professionals, gain access to petabytes of confidential data every year. Despite continuous warnings from every corner of the technology industry, passwords remain one of the most commonly exploited weaknesses in every organization. We tried to force people to use complex passwords with mixed case, numbers, and special characters. We came up with nonsensical passphrases built from dice rolls (Diceware). And still, accounts are compromised at a terrifying rate. Why?

Here are the top 10 most common passwords of 2019:

123456

123456789

qwerty

password

1234567

12345678

12345

iloveyou

111111

123123

Unfortunately, that is not a joke. And considering humankind’s inability to come up with anything cleverer than “iloveyou” as a password for something like their banking website, it’s no wonder that security practitioners the world over are collectively exhausted with trying to drill the importance of password complexity into users’ heads. We as humans are just not willing, on the whole, to commit highly complex passwords to memory—or even, it seems, to a secure password safe.

The Rise of Multi-Factor Authentication in Security

The industry has moved to multi-factor authentication (“MFA”). This move has been a massive improvement. Rather than just a username and password, we are presented with a second (in some cases a third or fourth) challenge for authentication, most often a hardware or software “token” that proves possession of a device. In security parlance this is “something you have”, alongside “something you know” (the password) and “something you are” (a biometric). MFA adds a layer of security by forcing us not only to memorize a password but to present additional evidence of our right to access a system. Rather than making it easier on users, we added layers of complexity.

However, this approach is still not foolproof. One-time codes can be phished and relayed to the real site in real time, SMS codes can be intercepted by taking over the phone number, and a physical token can simply be stolen. None of this is trivial, but it happens often enough that securing MFA methods has become, itself, a full-time job for many security practitioners.

The strongest MFA token uses a public/private keypair, with the private key generated on, and never exported from, a tamper-resistant chip. Because the secret never leaves the token, it cannot be phished, copied, or replayed the way a password or a one-time code can; the token only ever signs a fresh challenge from the system it is authenticating to. This kind of token is generally accepted as sufficient authentication for even the most sensitive systems. The Department of Defense has used this technology for years, storing certificates on common access cards (CAC). The keypair lives on the card, and an approved certificate authority (CA) signs the certificate that binds the public key to the card holder. One side benefit is that the identity on each CAC is easily managed: issuing, renewal, and revocation are all centrally administered.
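What “signing a fresh challenge” looks like in practice, as an added example that is not code from the original article or from any CAC or smart-card implementation: a token holds a P-256 private key that is never exported, the relying party stores only the public key, and each login signs a random nonce that the verifier discards after one use. The `Token` and `Verifier` types, the user name and the 32-byte nonce size are illustrative choices for this example. The same flow is what a wallet-held key would perform in the self-sovereign identity scenario discussed later in the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token models a hardware authenticator: the private key is generated inside
// it and never exported; the only operation it exposes is Sign.
type Token struct {
	priv *ecdsa.PrivateKey
}

// NewToken generates the keypair on the "device" (illustrative; a real card
// does this inside its secure element).
func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

// PublicKey is what a CA would bind to the holder's identity in a certificate.
func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign answers a challenge. Because the challenge, not a password, is what gets
// signed, a captured signature is worthless for any other session.
func (t *Token) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
}

// Verifier is the relying party. It stores public keys only, so a breach of
// its store yields nothing an attacker can log in with.
type Verifier struct {
	keys    map[string]*ecdsa.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the public key for a user (what certificate issuance does).
func (v *Verifier) Enroll(user string, pub *ecdsa.PublicKey) { v.keys[user] = pub }

// Challenge issues a fresh random nonce that is valid for exactly one response.
func (v *Verifier) Challenge(user string) ([]byte, error) {
	if _, ok := v.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[user] = nonce
	return nonce, nil
}

// Authenticate checks the signature against the enrolled public key and
// consumes the challenge, so the same response cannot be replayed.
func (v *Verifier) Authenticate(user string, sig []byte) bool {
	nonce, ok := v.pending[user]
	if !ok {
		return false
	}
	delete(v.pending, user) // consumed whether or not the signature verifies
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(v.keys[user], digest[:], sig)
}

func main() {
	token, _ := NewToken()
	v := NewVerifier()
	v.Enroll("alice", token.PublicKey())

	nonce, _ := v.Challenge("alice")
	sig, _ := token.Sign(nonce)
	fmt.Println("first response accepted:   ", v.Authenticate("alice", sig))
	fmt.Println("replayed response accepted:", v.Authenticate("alice", sig))
}
```

Run it and the first response is accepted while replaying the identical signature is refused. Breaching the verifier’s store yields public keys only, which is the property that makes a central store of keys far less attractive to an attacker than a table of password hashes.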

The Problem with Centralized Identity Management

Shifting gears a bit: the problem, it seems, is how identity itself is managed. While we have spent decades coming up with ways to better secure our Identity and Access Management (IAM) systems, with numerous technical and physical controls, the identity store still lives in one primary location. That makes it an exceptionally valuable target. Although many, if not most, successful attacks and credential thefts still happen at the scale of an individual, the grand prize is always privileged access to the identity store itself.

In the case of a system like Active Directory, this hands an attacker the proverbial “keys to the kingdom”. Not only can a threat actor use any identity in the directory, they can also create arbitrary new identities that are legitimate as far as the system is concerned, and roam freely and undetected onto any device that trusts that directory.

More globally, should an attacker gain access to a CA, even a private one, then impersonating any identity secured by that authority becomes very hard to detect. It also gives the threat actor the ability to mint “black market” certificates: trusted, valid-looking identities that can be used maliciously. (For publicly trusted CAs, Certificate Transparency logs now make such mis-issuance easier to spot after the fact, but they do not prevent it.)

Consider what would happen if a public CA were compromised (it has happened: DigiNotar, in 2011) and that CA were responsible for vouching for a bank’s website. Not only would the attacker effectively steal that bank’s online identity, they could position themselves as the bank, intercept customers attempting to log in, and steal their information as well. This would be catastrophic for everyone involved. For the CA itself, losing control of its signing keys is likely to put it out of business, as it did DigiNotar. Moreover, every browser and application that trusts that CA would need to revoke that trust immediately, which is no small effort. The damage to the bank is more obvious: loss of trust and possibly regulatory sanctions to protect consumers. And, of course, consumers would be hit hardest, possibly losing control of their personal identity information in the frenzy.

Yet we have continued, since the first identity database was created, to use this fragile method to secure what may be our most valuable asset. So, why do we continue to centrally manage our identities? Let’s talk about a potential alternative – blockchain.

What is Blockchain?

Blockchain, sometimes referred to as Distributed Ledger Technology (DLT), makes the history of any digital asset tamper-evident and transparent: every block carries a cryptographic hash of the block before it, and copies of the ledger are held by many independent parties rather than by one.

A common analogy for blockchain is a shared Google Doc. When we create a document and share it with a group, the document is distributed rather than copied or transferred: everyone sees the same version at the same time, no one is locked out waiting for another party’s changes, and every modification is recorded as it happens, so changes are transparent. The analogy breaks down in one important respect: a Google Doc lives on Google’s servers, so Google remains the single authority over it, whereas a blockchain’s copies are held by independent parties that reconcile them by consensus, with no one party able to rewrite the history.

How Can Blockchain Eliminate Centralized Authentication and Passwords?

Because reliance on a central authority is one of the biggest vulnerabilities in identity management, decentralizing that authority would seem a useful answer, and that is what a blockchain does. The ledger is maintained by a sea of systems, which gives the entire chain both transparency and integrity. Each new block carries the hash of the block before it, and every participating node checks the new block against its own copy before accepting it, so rewriting an old block would mean rewriting every block after it on a majority of the network.

So, by anchoring one’s identity on a blockchain, that record becomes tamper-evident, and there is no central database to breach. And, because the individual controls the key that signs the record they add, they also control their own identity. This is known as self-sovereign identity, and it has been a topic of a great deal of discussion and controversy over the past few years. Two caveats follow directly from the design: whatever is on a public chain is readable by everyone, so the chain protects integrity rather than confidentiality, and the attacker’s target simply moves from the central database to the individual’s private key.
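The hash-linking described in the two paragraphs above, as an added example that is not from the original article or from any real ledger implementation: a minimal append-only chain of identity attestations in which every block commits to the hash of the block before it, so an attacker who edits one record in a node’s copy is caught by recomputing the chain. The `Ledger` type, the `did:example:` subjects and the claim strings are constructed for this example; it has no networking or consensus, which is what lets a real blockchain reject a tampered copy held by a single node. The claims are stored as opaque strings on purpose: a real design would put a hash or a signed attestation here, never the personal data itself.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Block is one link in the ledger. Each block commits to the hash of the
// previous block, so rewriting any earlier record changes every hash after it.
type Block struct {
	Index    int
	PrevHash string
	Subject  string // holder identifier, e.g. a DID or key fingerprint (illustrative)
	Claim    string // attested fact; store a hash or signed attestation here, never raw PII
	Hash     string
}

// hashBlock binds index, previous hash, subject and claim together. Fields are
// separated by a zero byte so "ab"+"c" and "a"+"bc" cannot hash the same.
func hashBlock(index int, prevHash, subject, claim string) string {
	h := sha256.New()
	for _, field := range []string{strconv.Itoa(index), prevHash, subject, claim} {
		h.Write([]byte(field))
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Ledger is an append-only chain as held by one node. Real blockchains
// replicate it across many nodes and use consensus to reject a copy that
// fails Verify.
type Ledger struct {
	blocks []Block
}

// NewLedger starts a chain with a genesis block so every real record has a parent.
func NewLedger() *Ledger {
	l := &Ledger{}
	l.Append("genesis", "")
	return l
}

// Append adds a new attestation linked to the current head of the chain.
func (l *Ledger) Append(subject, claim string) Block {
	prev := ""
	if n := len(l.blocks); n > 0 {
		prev = l.blocks[n-1].Hash
	}
	b := Block{Index: len(l.blocks), PrevHash: prev, Subject: subject, Claim: claim}
	b.Hash = hashBlock(b.Index, b.PrevHash, b.Subject, b.Claim)
	l.blocks = append(l.blocks, b)
	return b
}

// Verify recomputes every hash and every link; any in-place edit breaks it.
func (l *Ledger) Verify() error {
	for i, b := range l.blocks {
		if b.Index != i {
			return fmt.Errorf("block %d: index mismatch", i)
		}
		if hashBlock(b.Index, b.PrevHash, b.Subject, b.Claim) != b.Hash {
			return fmt.Errorf("block %d: contents do not match stored hash", i)
		}
		if i > 0 && b.PrevHash != l.blocks[i-1].Hash {
			return fmt.Errorf("block %d: link to block %d is broken", i, i-1)
		}
	}
	return nil
}

// Claims returns the attested history of one subject, oldest first.
func (l *Ledger) Claims(subject string) []string {
	var out []string
	for _, b := range l.blocks {
		if b.Subject == subject {
			out = append(out, b.Claim)
		}
	}
	return out
}

// Blocks exposes this node's copy so a caller (or an attacker with write
// access to the node) can modify records in place.
func (l *Ledger) Blocks() []Block { return l.blocks }

func main() {
	l := NewLedger()
	l.Append("did:example:alice", "birth-certificate:attested-by-county-clerk")
	l.Append("did:example:alice", "driver-license:attested-by-dmv")
	fmt.Println("history:", l.Claims("did:example:alice"))
	fmt.Println("chain valid:", l.Verify())

	// An attacker rewrites the birth record on this node; the stored hash no
	// longer matches, and re-hashing it would break the next block's link.
	l.Blocks()[1].Claim = "birth-certificate:forged"
	fmt.Println("after tampering:", l.Verify())
}
```

The check that matters is the second `Verify`: a single edited record invalidates its own hash, and re-hashing the forged block only moves the break to the link from the block after it, which is why an attacker must rewrite the whole tail of the chain, on a majority of nodes, to change history.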

The good news about this idea is that it truly does create a decentralized, tamper-evident, and highly trustworthy way to store and share identity information. It also gives individuals control over their own identity information, rather than requiring them to trust that their bank, their favorite online store, or even the government can keep it safe. The public record is maintained and secured by thousands, if not millions, of independent machines that each contribute to validating the chain.

The Challenges with Blockchain in Identity Management

The not-so-good news is that there are some big, as-yet unanswered questions about blockchain identity management. The biggest is perhaps that we don’t know how much identity is enough to provide authentication. That question leads, logically, to the question of how much identity is too much to maintain a reasonable amount of privacy for individuals. For example, if I must post my physical address to the chain in order for my identity to be authentic, that may be dangerous to me personally. It also collides with laws like GDPR: an immutable public record cannot honor a right to erasure, which is why designs that keep only hashes or signed attestations on the chain, with the personal data itself held off-chain by the individual, are the ones that stand a chance.

Another challenge is keeping keys secure. Today, if I lose my wallet, I simply call my credit card company, my bank, and my state motor vehicles department to get replacements. With blockchain there is, by design, no central authority that can restore my control if I lose my private key, and anyone who steals that key becomes me. Recovery schemes exist (splitting the key among trusted contacts, for instance), but each one reintroduces someone you must trust. This is a substantial risk, and it must be addressed before this technology can be effective.

The last big rock to move is incentive. Blockchains like Bitcoin and Ethereum have succeeded because there is a financial incentive for the ocean of systems that maintain them: each time a system adds a block, it earns a small reward in the chain’s own cryptocurrency. For a public chain to remain secure, it depends on these independent systems continuing to validate and add blocks. A permissioned chain avoids the mining reward but reintroduces a fixed set of trusted operators, which is a step back toward the central authority this approach set out to remove. Either way, self-sovereign identity on a blockchain will not be free.

Recent Blockchain and Self-Sovereign Identity Trends

However, the promise is very compelling. Several organizations have sprung up in recent years looking to create meaningful platforms and applications to support the concept of self-sovereign identity using blockchain for authentication. There are even instances of formerly centralized identity systems moving to blockchain.

One of the most interesting is the State of Illinois. In 2017, Illinois launched a pilot project to digitize birth certificates and place them on a permissioned blockchain (meaning only certain parties could validate or access it). The concept is that this would speed the ability of parents, doctors, and eventually the child to access and manage identity, quite literally from cradle to grave. Consider the potential of this information on a blockchain: when the child reaches 16, a driver license can be added; at 18, voter registration; and so on, until finally, when the person dies, the death certificate is appended. And while the thought of publicly sharing all of this information may seem terrifying, we already do it on paper, stored in central locations that can be infiltrated by bad actors. Anchoring such records on a blockchain makes them tamper-evident and easy to validate, which is what defeats a forged or altered document; it does not stop anyone from copying what is visible, so a sound design puts only hashes or signed attestations on the chain and keeps the documents themselves off-chain with their owners. Considering the amount of so-called identity theft in today’s digital landscape, this solution is very persuasive.

Blockchain and the Need for Passwords

So, how does this kind of advancement eliminate the need for passwords? Self-sovereign identity means that I hold, in my own wallet, the private key behind my blockchain identity. When I need to prove that I am who I say I am, I present the attestation anchored on the chain and sign a fresh challenge from the verifier with my key; the verifier checks the signature against the public key in that record and checks that the record sits on the chain. Any organization that requires proof of identity can accept this because the trust comes from the chain and from whoever attested the record, not from a password it has to store. I needn’t maintain a slew of usernames and passwords for everything from buying a gadget online to selling my house. I present my wallet and my identity is confirmed, with the one remaining caveat that the verifier still has to trust whoever issued the attestation.

The Future of Blockchain, Security, and IAM

There is a great deal of promise in blockchain, far beyond trading cryptocurrency for pizzas. Securing and decentralizing our own identities is one area where there is nearly limitless potential. There are still many hurdles to cross before this idea becomes a widespread reality; however, the result may be a way to regain control of our own personal identities, rather than renting them from every app, website, and platform, further exposing ourselves to theft, fraud, or at the very least, a lot of hassle. Managing our personal identity should not be something left to others. Blockchain provides a path forward to give that power back to us as individuals.

Originally published April 04 2020, updated April 04 2020