How will I know who you are? Digital identities as a cornerstone of digitization
Digital identities play a central role in communication and business transactions on the Internet. In practice, however, it is not easy to ensure by digital means that a user really is the person he or she claims to be. IT security expert Stefan Achleitner and digital identity expert Dr. André Kudra of esatus AG give an overview of current solutions and concepts for digital identities, or, put practically, for secure authentication.
Everyone knows the procedure from check-in at the airport: you show your passport, the photo is compared with your face, and your identity is established. In technical jargon, verifying a claimed identity is called "authentication". In the digital world it is not quite so simple. We look at why the secure and reliable identification of a digital identity is a cornerstone of a functioning virtual world.
Table of contents of the article
- 1 What is a digital identity?
- 2 The state struggles with start-up problems
- 3 Legal and other problems
- 4 Mechanisms for authentication
- 5 More security through multi-factor authentication
- 6 Biometric identification
- 7 Self-sovereign identity (SSI)
- 8 Tamper-proof and traceable thanks to blockchain
- 9 Self-sovereign identity in detail
- 10 SeLF – Secure authentication made in Germany
What is a digital identity?
In the real world, a person's identity is established from a number of characteristics: usually physical ones, such as the face or a fingerprint, plus personal data such as name and date of birth. Between people who know each other, family and friends, this identification happens in a split second. In the digital world, an identity is established by attributes such as the combination of user name and password (something you know) or a token (something you have). This is only an approximation of secure authentication, because a password can be given away, intentionally or unintentionally, and an object can be handed on. Compared with the real world, it is also comparatively easy, and often necessary, to acquire multiple digital identities.
Digital transactions and other dealings on the Internet require mutual verification of the parties' identities. In practice, this is not easy.
Every user account we use online, for example a Facebook or Microsoft account, is a digital identity associated with a real person. With the large number of portals and online applications, it is easy to lose track. Moreover, security experts recommend never using a password twice. So we are effectively forced to create a multitude of digital identities and to remember them all. This situation is obviously not an optimal solution.
The state struggles with start-up problems
There are approaches to improving this jungle of digital identities. Switzerland, for example, planned to introduce a state-certified and recognized digital identity, the "E-ID", from 2021, with which dealings with authorities and public services were to be handled online. However, the E-ID law failed in the Swiss referendum of 7 March 2021. The Federal Council and Parliament are now revising the proposal; in essence, the E-ID is to be provided by state agencies instead of private providers.
In the EU, the eIDAS regulation (electronic identification, authentication and trust services) has been in force since 2014 and applicable since 2016. It regulates electronic identification and trust services for electronic transactions. In practice, however, the technically very secure digital identities defined by eIDAS have not yet achieved wide everyday adoption.
Legal and other problems
Because a digital identity is very easy to create, it is unfortunately also very easy to abuse. An e-mail account, for example, can be registered within a few minutes and then used to create user accounts on sites such as Facebook. In such a case, the link between the virtual identity and a real identity is unlikely to be checked.
Legally, an action carried out with a digital identity, for example a sale on eBay, is binding only if it was performed by the actual account holder. This is supported by a decision of the German Federal Court of Justice (Bundesgerichtshof):
"Even though the access data for the Internet platform eBay are of great importance for identification, because the user account is not transferable and the assigned password must be kept secret, it cannot be reliably concluded from this, in view of the security standards existing on the Internet in 2008 and also at present, that only the actual holder appears under a registered member name."
From the decision of the Federal Court of Justice
The problem, however, is providing proof, in case of doubt, that a digital identity has been misused.
A recent case comes from Vienna: Sigrid Maurer, a member of the Austrian National Council, received obscene messages from the Facebook account of a bar owner. After Maurer published the messages together with the sender's name, court proceedings followed in which she was found guilty of defaming the bar owner. The reason was the bar owner's statement that not he but a guest of the bar had sent the messages from its publicly accessible computer. The verdict was overturned in March 2019 and, at the time of writing, the case is being retried.
This case demonstrates the weaknesses of digital identity in its current form very clearly.
Mechanisms for authentication
Cases like the one described above show how important the issue of identity is for a working and reliable infrastructure. The process of determining that a person really is who he or she claims to be is authentication: the authenticity of a claimed identity is checked.
Once an identity has been verified, the user is authorized to use the system in question. The user is assigned a specific "role" that carries a set of rights, and these rights allow the user to perform certain activities in the system. "Higher" rights often require an additional authorization. Two principles should always apply:
- "Least privilege": only the rights required for the work are granted.
- "Segregation of duties": entering and approving a transaction are carried out by different people.
When a user obtains, in an unauthorized way, rights that he or she should not have, IT security (and hacker jargon) calls this "privilege escalation". Attackers often first gain access to an ordinary user account and then try to extend their permissions to the administrator level. This can happen through a vulnerability in the system, but also through the unlawful acquisition of a legitimate user's digital identity.
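As an added illustration of the two principles (this is example code written for this article, not code from esatus or from any product mentioned here), the following Go program is a minimal authorization check. The role names, permission names and the transaction model are constructed for the example. The point it shows is that Approve refuses a user who lacks the approve permission (least privilege) and, separately, refuses the very person who submitted the transaction (segregation of duties), even when that person happens to hold both roles.

```go
package main

import (
	"errors"
	"fmt"
)

// Permissions are fine-grained so a role can be given exactly what its job
// needs and nothing more (least privilege).
type Permission string

const (
	PermRead    Permission = "transaction:read"
	PermSubmit  Permission = "transaction:submit"
	PermApprove Permission = "transaction:approve"
)

// Constructed role definitions for this example. Even if someone holds both
// clerk and approver, the check in Approve still keeps them from approving
// their own entry.
var roles = map[string][]Permission{
	"clerk":    {PermRead, PermSubmit},
	"approver": {PermRead, PermApprove},
	"auditor":  {PermRead},
}

type User struct {
	Name  string
	Roles []string
}

type Transaction struct {
	ID          string
	SubmittedBy string
	ApprovedBy  string
}

var (
	ErrNotPermitted = errors.New("permission denied")
	ErrSoD          = errors.New("segregation of duties: submitter may not approve")
	ErrState        = errors.New("transaction not in the expected state")
)

// hasPermission asks the least-privilege question: does any of the user's
// roles grant exactly this permission?
func hasPermission(u User, p Permission) bool {
	for _, r := range u.Roles {
		for _, granted := range roles[r] {
			if granted == p {
				return true
			}
		}
	}
	return false
}

// Submit records who entered the transaction; Approve compares against it.
func Submit(u User, tx *Transaction) error {
	if !hasPermission(u, PermSubmit) {
		return fmt.Errorf("%s submit %s: %w", u.Name, tx.ID, ErrNotPermitted)
	}
	if tx.SubmittedBy != "" {
		return ErrState
	}
	tx.SubmittedBy = u.Name
	return nil
}

// Approve enforces both principles: the right permission (least privilege)
// and a different person than the submitter (segregation of duties).
func Approve(u User, tx *Transaction) error {
	if !hasPermission(u, PermApprove) {
		return fmt.Errorf("%s approve %s: %w", u.Name, tx.ID, ErrNotPermitted)
	}
	if tx.SubmittedBy == "" || tx.ApprovedBy != "" {
		return ErrState
	}
	if tx.SubmittedBy == u.Name {
		return fmt.Errorf("%s approve %s: %w", u.Name, tx.ID, ErrSoD)
	}
	tx.ApprovedBy = u.Name
	return nil
}

func main() {
	alice := User{Name: "alice", Roles: []string{"clerk"}}
	carol := User{Name: "carol", Roles: []string{"clerk", "approver"}}
	tx := &Transaction{ID: "tx-1"}
	fmt.Println("alice submits:", Submit(alice, tx))
	fmt.Println("alice approves:", Approve(alice, tx)) // permission denied
	fmt.Println("carol approves:", Approve(carol, tx)) // nil: a different person
	tx2 := &Transaction{ID: "tx-2"}
	fmt.Println("carol submits:", Submit(carol, tx2))
	fmt.Println("carol approves own:", Approve(carol, tx2)) // segregation of duties
}
```

Note that the segregation-of-duties rule is checked against the recorded submitter of the transaction, not against role membership: a role model alone cannot express "not the same person as before", which is why the transaction has to carry that identity.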
More security through Multi-factor authentication
There are several variants of authentication in the virtual space. The most common is the use of a password or a personal identification number (PIN) in combination with a user name. Passwords are not very practical in use: studies show that up to 80% of users use the same password for multiple accounts. This poses an increased security risk, because a theft of user data then gives cyber criminals access to several accounts at once.
A password or a PIN is already a weak means for a user to authenticate and to prove the authenticity of his or her claimed identity; passwords in particular have clear weaknesses. If an additional component is used for authentication alongside the password or PIN, this is called multi-factor authentication (MFA); with exactly two factors, one speaks of two-factor authentication (2FA). These two factors can be, for example, a password ("something I know") and an app on the smartphone ("something I have"). In the app, the login attempt must additionally be approved before access to the user account is granted. In this example, a single component alone (the password, or access to the smartphone app) would not be sufficient for a successful authentication. This raises the level of protection against abuse significantly, which is why more and more online services now make 2FA mandatory.
Another component that can be used for authentication is a biometric characteristic such as a fingerprint or facial recognition. To use biometric data for identification on a device, the device must have special hardware, such as a built-in fingerprint scanner. Since biometric data generally identify a person uniquely and are relatively tamper-resistant, biometrics, depending on the application area, often provide sufficient security even as the sole factor. On suitably equipped smartphones it is now common for "important" apps such as online banking or an authenticator app to be unlocked by biometric confirmation. Note that in this setup the biometric usually unlocks a key stored in the device's secure hardware, so the factor actually presented to the online service is still the device, i.e. "something I have".
Self-sovereign identity (SSI)
Self-sovereign identity, abbreviated SSI, is a concept for giving individuals and organizations full control and ownership of their analog and virtual identities.
The basic idea: a user receives information such as their address, a training certificate, a club membership or an employee ID, confirmed by the respective organization as a digital, cryptographically secured "verifiable credential". The user stores these in a "digital wallet", an electronic wallet on his or her smartphone.
A basic building block, for example in permission management, is that in an authentication or authorization process only the necessary data and attributes are disclosed, and from reliable sources. In a business context it may be sufficient to prove that you are an employee of the company in order to access the internal knowledge management system. Access to the customer database, however, requires proving that you are a member of the sales team. In a job application, a credential attesting to a university degree can prove a person's qualification for a specific role. Control over the entire identity always remains with its owner; this is a basic principle of SSI.
Tamper-proof and traceable thanks to blockchain
A blockchain is used as the underlying technology for self-sovereign identity. Because of its decentralized organization, integrity and traceability, a blockchain is an ideal platform for implementing and practising SSI. Particularly important: the "right to be forgotten" is unaffected, because NO personal data is stored on the blockchain.
A correctly implemented self-sovereign identity therefore fully complies with the relevant data protection provisions, including the EU GDPR (DSGVO). Only decentralized identifiers (DIDs) of organizations, schemas and credential definitions, and revocation marks for issued credentials are stored on the blockchain. The latter correspond to the certificate revocation lists familiar from a public key infrastructure (PKI).
The self-sovereign identity model therefore needs no external central authority to manage identities. The authenticity of an identity, or of an attribute of an identity, is ensured by the fact that it was issued by a trusted authority, for example a university or a government agency.
An identity or an attribute from a verifiable credential is verified with the help of the blockchain. The issuer of the identity claim does not need to be online for this. The process is preceded by a request to the identity owner asking whether they want to provide the information. The owner answers this so-called "proof request" in the wallet app on their smartphone.
Self-sovereign identity in detail
As shown in the following picture, a claim about an identity or an attribute is issued by an issuer to the holder. What the blockchain records for this claim are the issuer's DID and the credential schema and definition (and, if necessary, a later revocation mark); this is what makes the claim verifiable, while the claim itself stays with the holder.
The principle of “Self-Sovereign Identity” (SSI).
A holder can in turn present claims managed in the wallet to any interested party (a verifier). This process is called a "credential proof". Using the blockchain, the verifier checks the desired attributes: it identifies the issuer and thus verifies authenticity, and it validates current validity, i.e. that the credential has not been revoked.
This architecture of self-sovereign identity has the advantage that an owner has full control over his or her identity and decides which attributes of that identity are shared with a third party, without depending on a central authority.
A public platform for using self-sovereign identity is the Sovrin Network, an open-source project run by a global network through which any person or organization can manage and control their digital identities. Details about Sovrin can be found on the project's website.
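As an added example (written for this article; it is not code from esatus, Sovrin or Hyperledger Indy), the following Go program runs the issue / present / verify cycle of the last sections with only the standard library. Ed25519 signatures and salted SHA-256 commitments stand in for the anonymous-credential cryptography an Indy network actually uses, an in-memory map stands in for the ledger, and the DIDs, credential ID and attribute names are invented. It shows the three points made above concretely: the ledger carries only issuer keys and revocation marks, the holder opens just the attributes named in the proof request, and the verifier needs the ledger but not the issuer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Ledger stands in for the blockchain: issuer DIDs with public keys and a revocation registry, no attribute values.
type Ledger struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

func NewLedger() *Ledger {
	return &Ledger{Keys: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}}
}

// SignedPart is what the issuer signs: one salted hash (commitment) per attribute.
type SignedPart struct {
	ID          string            `json:"id"`
	Issuer      string            `json:"issuer"`
	Commitments map[string]string `json:"commitments"`
}

// Credential is the wallet's copy; a presentation is the same structure with Values and Salts cut down to what the holder opens.
type Credential struct {
	Signed    SignedPart
	Signature []byte
	Values    map[string]string
	Salts     map[string][]byte
}

func commit(name, value string, salt []byte) string {
	enc, _ := json.Marshal([]interface{}{name, salt, value}) // unambiguous encoding of the three parts
	return fmt.Sprintf("%x", sha256.Sum256(enc))
}

func toSign(s SignedPart) []byte {
	b, _ := json.Marshal(s) // deterministic: encoding/json sorts map keys
	return b
}

// NewIssuer registers the DID and public key on the ledger and keeps the private key with the issuer.
func NewIssuer(l *Ledger, did string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	l.Keys[did] = pub
	return priv
}

// Issue commits to each attribute under a fresh salt and signs the commitments.
func Issue(priv ed25519.PrivateKey, did, id string, attrs map[string]string) Credential {
	c := Credential{Values: attrs, Salts: map[string][]byte{}}
	c.Signed = SignedPart{ID: id, Issuer: did, Commitments: map[string]string{}}
	for name, value := range attrs {
		salt := make([]byte, 16)
		rand.Read(salt)
		c.Salts[name] = salt
		c.Signed.Commitments[name] = commit(name, value, salt)
	}
	c.Signature = ed25519.Sign(priv, toSign(c.Signed))
	return c
}

// Present answers a proof request by opening only the requested attributes.
func Present(c Credential, requested []string) Credential {
	p := Credential{Signed: c.Signed, Signature: c.Signature, Values: map[string]string{}, Salts: map[string][]byte{}}
	for _, name := range requested {
		p.Values[name], p.Salts[name] = c.Values[name], c.Salts[name]
	}
	return p
}

// Verify needs only the ledger and the verifier's own trusted-issuer list; the issuer stays offline.
func Verify(l *Ledger, p Credential, trusted map[string]bool) (map[string]string, error) {
	pub, onLedger := l.Keys[p.Signed.Issuer]
	switch {
	case !trusted[p.Signed.Issuer]:
		return nil, fmt.Errorf("issuer %s not trusted", p.Signed.Issuer)
	case !onLedger:
		return nil, fmt.Errorf("issuer DID %s not on ledger", p.Signed.Issuer)
	case !ed25519.Verify(pub, toSign(p.Signed), p.Signature):
		return nil, fmt.Errorf("issuer signature invalid")
	case l.Revoked[p.Signed.ID]:
		return nil, fmt.Errorf("credential %s revoked", p.Signed.ID)
	}
	out := map[string]string{}
	for name, value := range p.Values {
		if commit(name, value, p.Salts[name]) != p.Signed.Commitments[name] {
			return nil, fmt.Errorf("attribute %q does not match its commitment", name)
		}
		out[name] = value
	}
	return out, nil
}

func main() {
	ledger := NewLedger()
	priv := NewIssuer(ledger, "did:example:university")
	cred := Issue(priv, "did:example:university", "cred-42", map[string]string{"name": "Alice Example", "degree": "MSc"})
	pres := Present(cred, []string{"degree"}) // the proof request asked for the degree only
	fmt.Println(Verify(ledger, pres, map[string]bool{"did:example:university": true}))
}
```

Two design choices worth noting: the verifier keeps its own list of DIDs it trusts for a given kind of claim, because the ledger proves only that a key belongs to a DID, not that the DID is a university; and the holder's presentation includes the issuer's signature over all commitments, so a tampered value fails the commitment check rather than the signature check.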
SeLF – Secure authentication made in Germany
In Germany there is a thriving community of innovative companies dedicated to blockchain and distributed ledger technologies. Some focus heavily on SSI, which currently receives a particularly high level of attention in Germany. esatus AG of Frankfurt am Main, thanks to its history in identity and access management (IAM), identified SSI as a future topic back in 2015. After numerous publications and conference presentations, it started the technical development of an SSI-based IAM system for organizations of any industry and size in 2019. Its product "SeLF" (https://self-ssi.com) is commercially available and already in productive use at various customers.
Through credential-based access control (CrBAC), SeLF turns the facts contained in credentials into decisions on whether or not access is allowed. Integrating SSI technology with SeLF does not require modifying or replacing existing solutions: SeLF allows SSI technology to be integrated into a grown IT infrastructure without existing IT applications, directory services or management systems having to be adapted.
To connect applications, SeLF provides widely used IAM protocols, authentication and authorization objects, for example SAML, OpenID Connect or LDAP. Credentials are stored in a wallet app (available for Android and iOS) on the employee's mobile device. With these apps a user authenticates to SeLF, and the validity of the credentials is checked against one of several Hyperledger Indy networks (https://www.hyperledger.org/use/hyperledger-indy), such as Sovrin or IDunion. In the Sovrin network, secure and reliable authentication is guaranteed by more than 50 internationally distributed nodes.