We know that we spend a lot of time online, but it’s striking to see it in numbers.
The fact is: the average internet user now has a coherent and detailed digital identity, whether he wants it or not.
In brief, it’s the collection of information available about you online. All online accounts which contain usernames, purchasing behaviour, personal data, search activity, medical history, digital identifiers and more combine to provide an incredibly precise profile of each and every one of us.
To get a feeling for the importance of your digital identity, imagine that all of your online accounts are compromised overnight. What kind of information could a malicious actor learn about you?
If you, like me, have made the internet an integral part of your life, the answer is probably that a hacker could learn just about everything by invading your digital identity. Credit card numbers, personal beliefs, friends, family, jobs, music preferences, your current address…the list goes on.
Besides the obvious threat coming from hackers, there is the far more insidious danger which accompanies the forfeiture of ownership. When we use platforms like Facebook to connect with friends, or enter payment details to book a few nights at the Marriott, we are giving up ownership of small but important parts of our digital identity.
When the inevitable data breach happens, our personal data falls into the hands of malicious actors who then attempt to gain as much economic advantage as possible. Often this takes the form of identity theft, which typically accompanies a violation of our digital identity. According to Experian, 31% of data breach victims later experience identity theft. That’s a staggering amount.
Finally, it’s worth discussing the power central authorities have in contemporary identity management systems. You’ll be well aware that your identity is shaped by the legal jurisdiction you happen to be born into. In Germany for example, you cannot pick whatever name you wish for your child or yourself. Instead there is a government-issued “approved names list” and you may only choose a name listed therein.
Much more importantly, government bodies have the power to revoke and issue documents that are crucial to your identity. Whether it’s your passport, your driving licence, or your social security number, central authorities can disavow your claim to any of these. Of course this seriously reduces your ability to participate in normal life.
In states that lack political stability, this can even mean that huge swaths of the population are unable to claim ownership over their identity – the UN estimates that 1.1 billion people are affected worldwide. This is unacceptable.
So just to recap. We now know:
Does this system seem broken to you?
Ok, first the bad news: There is no foolproof way of protecting your identity right now. At SelfKey we’re building a solution that will change that, but right now the best we can do is abide by certain best practices.
First, let’s look at how we can minimise the danger of being hacked.
I know you’re guilty of this, because everyone reuses passwords. On average we have over 90 online accounts so how can we be expected to remember nearly 100 different passwords? This is impossible.
Instead you have several options. The best in my opinion is to use a password manager like LastPass or 1Password. Not only do they save your passwords and autofill them for the corresponding website, but they will even generate a secure password for you. This is as close to ideal as we can get right now.
The big drawback is that you have all your credentials stored in one place, meaning that a malicious actor could access all of your accounts if he/she gets access to your password manager. The counter argument is that these services have sophisticated security measures in place to prevent this from happening. Two-factor authentication (2FA) and IP recognition are the two obvious ones but there are many more.
Whether you use a password manager or not, make sure to use unique and sophisticated passwords for all important accounts. When the next data breach happens, and your email + password combination is sold to the highest bidder, it would really suck if that same combination could unlock your online banking, PayPal and other crucial online accounts.
Important online accounts allow users to set up two-factor authentication. This approach typically relies on a secondary confirmation through the user’s mobile phone. In the past you might have received a confirmation text message, which contains a code that you have to enter in order to proceed with what you’re doing.
As this video shows, however, malicious actors can exploit vulnerabilities in cellular networks to compromise online accounts.
Instead, the industry standard has become the Google Authenticator App, which generates a time-sensitive, five-digit number that users enter in order to proceed.
Regardless of the 2FA method you decide on, make sure to pick one. Only 10% of Google accounts use 2FA, meaning that most accounts are particularly vulnerable to attack.
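How an authenticator app and the service agree on a time-sensitive code without any text message, as an added example (not from the original article): this follows the public TOTP standard, RFC 6238, with the code length passed in as a parameter. The function names are illustrative, and the secret is the RFC's published test value, not a real key.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, digits: int, step: int = 30) -> str:
    """RFC 6238 code for the time window that contains unix_time."""
    counter = struct.pack(">Q", unix_time // step)   # window number, 8 bytes
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, submitted, now, digits, drift_steps=1, step=30):
    """Service side: accept the current window plus/minus drift_steps windows."""
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, now + k * step, digits, step)
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(expected, submitted):
            return True
    return False

# Shared secret from RFC 6238 Appendix B (public test data).
RFC_SECRET = b"12345678901234567890"
```

Both sides derive the code from the shared secret and the clock, so nothing travels over the cellular network; a code stops being accepted once its window falls outside the allowed drift.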
The most commonly used password is: 123456
This kind of password is a particularly bad idea, because it is easy to hack. Employing “brute force attacks”, malicious actors can run automated scripts which quickly cycle through thousands of common passwords. 123456 will doubtlessly be among them, and your account will then be compromised.
The good news is that every extra character added to your password increases the difficulty for hackers. A 6-character password containing only letters has 308,915,776 possible combinations. That is trivial for specialised software to crack.
Compare that to an 8-character password combining upper and lower case letters, numbers and symbols, which has more than 6,000,000,000,000,000 combinations. As a result, guessing the right combination, even for specialised software, is almost impossible.
The lesson here is that it’s always worth throwing in a few symbols and numbers to significantly reduce the chances of your password being cracked.
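The arithmetic behind these figures, as an added example (not from the original article): it counts the search space for a password from its length and the character classes it uses, and treats anything on a common-password list as found immediately, whatever its length. The 94-character printable pool, the guess rate and the short sample list are assumptions.

```python
import string

# Character classes counted toward the search space (26 + 26 + 10 + 32 = 94).
POOLS = [string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation]

# Constructed sample of a common-password list; real lists hold thousands.
COMMON = {"123456", "password", "qwerty", "111111", "abc123"}

def keyspace(password):
    """Number of candidates of this length drawn from the classes it uses."""
    pool = sum(len(p) for p in POOLS if any(c in p for c in password))
    return pool ** len(password)

def worst_case_seconds(password, guesses_per_second=1e10):
    """Time to try every candidate; the guess rate is an assumed figure."""
    if password in COMMON:
        return 0.0  # a common-password script tries these before anything else
    return keyspace(password) / guesses_per_second

def describe(password):
    """One-line summary: length, search-space size, worst-case seconds."""
    return (f"{len(password)} chars, {keyspace(password):,} combinations, "
            f"{worst_case_seconds(password):.3g} s at the assumed rate")
```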
So to recap. You can significantly increase the security of your digital identity by following these three simple rules. By following these tips, you can minimise the chances of your online accounts falling into the hands of non-permissioned actors.
“But what about data breaches and giving up ownership over my digital identity?” you might ask.
If the internet plays a central role in your life, it is currently impossible to protect yourself from these events. That is why, at SelfKey, we are working on a solution!
At the SelfKey Foundation, we are developing a solution that would introduce a new, blockchain-powered identity management system. In order to protect our digital identities, we need to completely rethink the way we access platforms and the type of information they require.
As of 2019, the state of play is quite clear. Online platforms collect and store highly personal information without having the necessary infrastructure to keep that data safe. Often they are even required to do so by law – for example when the service is only available to individuals of a certain age.
Below we see a depiction of this, showing an individual who needs to prove his age in order to access a service. In order to pass the service’s KYC procedure he shows his ID, which contains much more information than just his age.
Now the service stores a copy of the ID to prove that it performed KYC on the client. In the event of a data breach however, a malicious actor now receives much more than just the name and age of the user.
Instead the hacker gets all the information required to commit identity theft.
What if a new identity management system worked differently? What if it utilised blockchain technology to ensure that identity owners, claims issuers and relying parties could interact quickly and securely?
A simplified version of this approach is shown here:
Through technological innovations like Decentralized Identifiers, we can more effectively use verifiable claims to prove aspects of ourselves without forfeiting information. A more detailed diagram can be seen here:
This new approach to digital identity turns the existing system on its head. Instead of forfeiting ownership of our personal data, we retain it and have it verified by a claims issuer. The claims issuer then provides an attestation, which can then be used to access the services of a relying party.
The full scope of this identity management system can be found in the whitepaper. To illustrate how it would work, let’s discuss a brief example.
Imagine you want to buy beer and need to go to the liquor store. Currently, you would bring your ID to prove you are of drinking age, but that exposes a whole array of information that is not relevant for the transaction. You are forced into oversharing your personal data, which often proves detrimental in an online environment.
Using SelfKey’s digital identity system however, you would be able to prove your age without the need to overshare data. Instead you would receive an attestation from a claims issuer (the DMV perhaps), which could then be used to prove your age.
So instead of sharing your…
…just to get a beer, you instead only share your:
This approach makes it much easier to retain ownership over your digital identity. By removing the need to overshare data to access service providers, we remove the threat that comes from data breaches.
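The flow described above, as an added sketch that is not SelfKey's protocol or code: a claims issuer sees the full record but signs only the derived fact, and the relying party checks that signature with the issuer's public key. A Lamport one-time hash signature stands in for the issuer's real signature scheme because it needs only the standard library; all names and sample values are hypothetical, and the step where the presenter proves control of the identifier is left out.

```python
import hashlib, json, secrets
from datetime import date

def _h(data):
    return hashlib.sha256(data).digest()

def _bits(msg):
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Lamport one-time key pair: private preimages, public hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(_h(a), _h(b)) for a, b in sk]

def sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify_sig(pk, msg, sig):
    return len(sig) == 256 and all(
        _h(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def _encode(claim):
    return json.dumps(claim, sort_keys=True).encode()

def issue(sk, record, today):
    """Claims issuer: reads the full record, attests only to the derived fact."""
    born = date.fromisoformat(record["date_of_birth"])
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    claim = {"subject": record["did"], "over_21": age >= 21,
             "issued": today.isoformat()}
    return {"claim": claim, "sig": sign(sk, _encode(claim))}

def relying_party_accepts(pk, attestation, presenter_did):
    """Relying party: holds only the issuer's public key and the attestation."""
    claim = attestation["claim"]
    return (verify_sig(pk, _encode(claim), attestation["sig"])
            and claim["subject"] == presenter_did and claim["over_21"] is True)

# Constructed sample record; every value is made up.
RECORD = {"did": "did:example:alice", "name": "Alice Example",
          "date_of_birth": "1990-04-12", "address": "1 Sample St"}
```

If the relying party is later breached, the stored attestation contains an identifier, a yes/no answer and a date, with no name, birth date or address to steal.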
Pretty great right?
Of course, this description should only be used as a heuristic for how SelfKey’s identity management system will operate. For a full explanation of how cryptography underpins this approach, make sure to check out our whitepaper.
At this point it is clear that current identity management systems are broken. Daily data breaches prove that our digital identity is not, and cannot be, adequately safeguarded with the current approach.
As of 2019, we give up ownership over highly personal data whenever we access or register for an online account. According to international law, every individual has the right to personal identity – our digital identities are becoming equally important.
It’s time we started protecting it.