Shortcomings of our present-day identity infrastructure

Issues in the current centralized identity infrastructure and a proposal for future ways of working

Since the advent of the Internet, the collection, management, and ownership of digital identities, and of both personal and machine data, have been organized hierarchically into centralized silos, concentrated in the hands of companies such as Google, Microsoft, and Facebook. These tech giants developed login systems that have both simplified and monitored almost all important web traffic in the decades since.

The net effect of this centralization is that the email addresses, domains, and username/password pairs used to conduct transactions and networked communication are not owned by the entities that conduct these actions or by the owners of networked devices. They can be compromised, frozen, or revoked at will by the centralizing parties.

This disconnect poses a very real security challenge because it places the onus on third parties to verify both the identity of who or what is conducting a transaction and the data transmitted in it.

Similarly, the serial numbers, IP addresses, MAC addresses, git signatures, namespaces, addressing systems, and other "identifiers" used to network and identify non-human identities are not tied intrinsically enough to their twinned hardware and software. Because the identity of devices and algorithms is too easily changed, intercepted, or spoofed, it is essentially impossible to guarantee mission-critical total confidence in the "ownership" and integrity of the data accessed through this networked identity system for non-human entities.

Furthermore, the centralized storage of human identities and non-human addressing systems creates an increasingly valuable and appealing target for bad actors of all kinds, since it scales up both vulnerability and the probability of attack. Seemingly every other week, headlines reveal that some hacker has gained access to a centralized server, resulting in the theft of millions of financial records, medical records, or identities.

Fig. 1 - The centralized nature of the current identity infrastructure opens up the possibility of data theft with a single click. The accumulation of private keys at a central point of failure (the web hosting company) makes it possible for anyone with access to that repository of keys to compromise the security of the connections to those websites in a way that is virtually undetectable.

Driven by massive rewards, a black market for information incentivizes rapid innovation in criminal techniques: phishing, identity theft, spyware, malware, keyloggers, JavaScript attacks, spoofing, trading in credentials from low-trust consumer platforms, and a growing list of other techniques that open up new attack surfaces. An information-security game of cat-and-mouse drives ever higher both the budgets required to combat these techniques and the costs associated with the consequences of data breaches.

One notable response from regulators has been the introduction of new data protection laws, designed alongside additional layers on the authentication process to raise assurance levels that the entity being authenticated is who/what they claim to be. However, increasing the complexity of the authentication procedure considerably decreases usability and stifles innovation. As a mitigation paradigm, it is wholly unsuitable to the complex, interconnected, fast-flowing, dynamic, and data-rich digital world being built by the 4th Industrial Revolution.

The current identity infrastructure is therefore undermined by a centralization that, on the one hand, disconnects the true owner from the data itself and, on the other, obscures the authenticity of data transactions and the credentials of the parties to them.

The need for an alternative approach is clear, and a solution that addresses the key failings of the current ad-hoc scenario is emerging through a new way of thinking about both human and non-human identity, and about who controls it.

Fig. 2 - In a decentralized infrastructure there is no single central point of failure. Private keys are managed and owned at the level of the nodes, which represent both the human and non-human entities engaged in transaction and communication.