A consortium of Asian companies has agreed to create a blockchain-based service that might actually be useful. They want to use the blockchain to turn your phone into a mobile ID system.
Seven companies have signed the initiative: Korean telcos KT, SK Telecom, and LG Uplus, and banks KEB Hana Bank and Woori Bank, along with financial IT company Koscom, and Samsung.
The idea is to create a mobile ID management system that lets individuals control their own data and present it to institutions when they want to access something. Known as self-sovereign identity (SSI), it’s an alternative to having your identity managed by someone else.
Today, many people rely on the likes of Google or Facebook (whose business depends on selling access to information about you) to sign them into websites or apps. Billions more use government-backed ID systems like India’s Aadhaar, which has suffered from some devastating privacy setbacks. Even using your driver’s license or passport to prove your identity carries risks, because showing it to someone tells them more about you than might be necessary. Why show someone your driver’s license just to prove that you’re able to buy a six-pack of beer?
This initiative seems to present an alternative to that. In a statement (translated online), the consortium said:
When an individual has stored his or her information from an organization or company in a secure storage area of a smartphone, they can submit their desired data at any time for proof.
The consortium isn’t giving much away about the technology. We know it’s blockchain-based, and that it works by storing personal information on your phone. We also know that identity information is verified by the participating banks and possibly the telcos too, because they reported signing…
…contracts for mobile electronic certification business based on blockchain.
That makes sense. If people are going to hold their own ID information on the phone, someone needs to testify that it’s legitimate. Banks and telcos are an obvious choice, because of their strong know-your-client rules and control of your mobile phone accounts.
The consortium looks set to open up certification access to others. It added:
Participants expect that ICT companies and financial companies will be able to commercialize electronic certification services.
This could mean that people can use various forms of identity from different institutions:
We expect that it will be possible to prove simpler and more transparent identification both online and offline, and at the same time speed up the era of data self-sovereignty. Using mobile electronic certificates can greatly simplify the issuance and submission of various certificates.
Why use blockchain technology for this? Firstly, it encrypts the identity information. Secondly, it can call on one or more third parties to verify that the information is legitimate without transmitting personal information over a network. The bank or the telco could store the personal information – which they have anyway – and then give you an identifier token for your phone that you can use to prove that you’re you.
The blockchain is the glue that links the identifier token to the sensitive personal data stored at the bank and ensures that neither has been tampered with. We’re not sure that’s exactly how this will work, because information on the consortium’s forthcoming implementation is scant. However, this is what has underpinned other projects in the past like Verified.me, which is supported by the big five Canadian banks.
The consortium hopes that participating organisations will use this blockchain-based identity to grant access to everything from company recruitment systems through to digital banking, student certificates, and a myriad of online services.
What if the phone gets pwned?
The information is protected by Samsung’s Knox feature, which uses security enhancements for Android on top of trusted hardware. Knox has been certified for use by UK and US government departments, but researchers have discovered flaws its security. In 2016, researchers at Israeli company Viral Security Group found three bugs in Knox that allowed attackers to gain total control of the system. Google’s Project Zero found high-severity flaws in 2017.
There are potential technical flaws in any system, but given the way companies manage our existing identities online, these blockchain ID concepts carry considerable promise.