Why Microsoft is building a Bitcoin-based ID verification system

Credit to Author: Lucas Mearian | Date: Tue, 14 May 2019 03:00:00 -0700

After more than a year in development, Microsoft has chosen Bitcoin as the blockchain platform for a decentralized identification (DID) verification system that will allow users to have secure access to an online persona via an encrypted database hub.

The implications of the new ID network could include the elimination of passwords. A company would be able to verify the background of a new employee and onboard them with the click of a single virtual button, or a banking customer could verify their identity for a loan without exposing personally identifiable information – again with a click of a button.

“We believe every person needs a decentralized, digital identity they own and control, backed by self-owned identifiers that enable secure, privacy preserving interactions,” Alex Simons, vice president of program management for Microsoft’s Identity Division, wrote in a Monday blog. “This self-owned identity must seamlessly integrate into their lives and put them at the center of everything they do in the digital world.”

A blockchain-based ID system relies on a digital wallet that serves as a repository for all kinds of personal and financial data – info that can only be shared after a specific request and only with the permission of the owner who holds the public key. (On a typical Bitcoin network, digital wallets store bitcoin currency.)

There are multiple vendors in the DID space that are either in the early research-and-development stage or are testing their products in pilot projects, according to Homan Farahmand, a senior research director with Gartner. Microsoft is by far the largest.

Microsoft’s Project ION (Identity Overlay Network) is an open-source, Layer 2 network that runs on top of the Bitcoin blockchain, an approach the company said will greatly improve the throughput of a DID system “to achieve tens of thousands of operations per second.”

One of Bitcoin’s inherent problems is its slow transactional performance and its inability to scale due to computer processing overhead; each node (computer) on a Bitcoin network gets a copy of the ledger in near-real time and a consensus mechanism requires nodes to verify the authenticity of new entries by solving a complex mathematical problem.

By using the Sidetree protocol (a Layer 2 network) to offload storage and processing overhead to an adjacent network, the main blockchain is freed from those requirements. On Microsoft’s Bitcoin platform, only a user’s hashed ID is rooted on the blockchain, while actual identity data is encrypted and stored in an off-chain ID Hub that Microsoft can’t see.

Like other decentralized identity design patterns, ION establishes a decentralized storage for identity metadata – in this case, using an Interplanetary File System (IPFS) – a trust anchor mechanism (Bitcoin blockchain), and a protocol for decentralized public key management, which is the Sidetree protocol, according to Matthew Brisse, a vice president of research at Gartner.

A Microsoft spokesperson declined to comment on possible uses for the decentralized identity network, and Brisse cautioned that ION is still in a very early stage of development.

“The current announcement is for an early preview of the concept. Once there is a robust testnet, the assurance level of these identities must be determined to find the best use case,” Brisse said via email. “However, you can imagine some kind of linking between these identities and lower assurance public cloud services for identity verification and authentication at [a] minimum. As always, the real test is after these identities are exposed in public to see how they can withstand all sort of attacks.”

An overview of the ION platform, which shows Bitcoin as the target chain and a “sidetree” Layer 2 network for offloading consensus processing.

Bitcoin is not alone in exploring Layer 2 technology for increasing performance. Ethereum, another of the world’s most popular blockchain platforms, has been exploring Layer 2 protocols as well.

Other decentralized identity networks include the Sovrin Network and SecureKey’s Verified.Me, which was recently launched in Canada.

At a minimum, the industry is a few years away from discovering which DID network, if any, will prevail, according to Brisse.

“A more practical vision is a network of decentralized identity networks with appropriate interoperability protocol that allow[s] identities generated on one network to traverse [any] services that are enabled on other identity networks,” Brisse said.

As it’s based on Bitcoin, Microsoft’s ION will be a public, permission-less network anyone can use to create DIDs and manage their Public Key Infrastructure (PKI) state, Daniel Buchner, a program manager with Microsoft’s Identity Division explained. Unlike a permissioned blockchain – more typically aimed at business use cases – no one administers a public blockchain. The users on the network verify new blocks of data entered through a consensus mechanism.

Unlike monetary units and asset tokens, IDs are not intended to be exchanged and traded, which enables ION to achieve far greater scale without relying on additional Layer 2 consensus schemes, trusted validator lists, or special protocol tokens, Buchner explained.

All nodes of the network are able to arrive at the same PKI state for an identifier by applying deterministic protocol rules to chronologically ordered batches of operations anchored on the blockchain, which ION nodes replicate and store via an Interplanetary File System (IPFS). That type of content-addressed system is similar to the internet’s HTTP location-based system.
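To make the deterministic-replay idea concrete, here is an added, simplified model (not ION’s or Sidetree’s code) of how nodes that read the same anchored batch hashes from the chain and fetch the batches from content-addressed storage converge on one PKI state. The DID names, the commitment/reveal rule for updates and the field names are assumptions made for this illustration.

```python
import hashlib
import json

def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def content_address(batch: dict) -> str:
    # Canonical encoding so every node derives the same address for a batch;
    # this hash is the only thing that needs to be rooted on the chain.
    return sha256_hex(json.dumps(batch, sort_keys=True, separators=(",", ":")))

def resolve(anchors, store):
    """anchors: [(chain_position, batch_address)] as read from the ledger.
    store: {address: batch} fetched from content-addressed storage.
    Returns {did: {"pubkey": ..., "commitment": ...}} after deterministic replay."""
    state = {}
    for _, addr in sorted(anchors):  # chain position fixes the order, not arrival time
        batch = store.get(addr)
        if batch is None or content_address(batch) != addr:
            continue  # missing or tampered batch: every node skips it identically
        for op in batch["ops"]:
            did = op["did"]
            if op["type"] == "create" and did not in state:
                state[did] = {"pubkey": op["pubkey"], "commitment": op["commitment"]}
            elif (op["type"] == "update" and did in state
                  and sha256_hex(op["reveal"]) == state[did]["commitment"]):
                # Only whoever knows the committed secret can rotate the key (assumed rule).
                state[did] = {"pubkey": op["pubkey"], "commitment": op["commitment"]}
    return state

# Constructed sample: two batches, each anchored on the chain by a single hash.
BATCH1 = {"ops": [
    {"did": "did:example:alice", "type": "create", "pubkey": "pkA1",
     "commitment": sha256_hex("alice-update-secret-1")},
]}
BATCH2 = {"ops": [
    {"did": "did:example:alice", "type": "update", "reveal": "wrong-secret",
     "pubkey": "pkEvil", "commitment": sha256_hex("x")},          # rejected
    {"did": "did:example:alice", "type": "update", "reveal": "alice-update-secret-1",
     "pubkey": "pkA2", "commitment": sha256_hex("alice-update-secret-2")},  # applied
]}
ANCHORS = [(100, content_address(BATCH1)), (101, content_address(BATCH2))]
STORE = {content_address(BATCH1): BATCH1, content_address(BATCH2): BATCH2}

def nodes_agree() -> bool:
    """Two nodes that saw the anchors in different orders reach the same PKI state."""
    a = resolve(ANCHORS, STORE)
    b = resolve(list(reversed(ANCHORS)), STORE)
    return a == b and a["did:example:alice"]["pubkey"] == "pkA2"
```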

Microsoft’s DID network is not yet live. The software giant is still in “rapid development” of the ION code and expects to test it on the Bitcoin mainnet, a functioning blockchain for public use.

“There are many aspects of the protocol left to implement before it is ready for testing on Bitcoin mainnet. On low-powered consumer reference hardware we’ve observed tens of thousands of DID operations per second,” Simons wrote. “As with our previous announcements, we’re sharing our work as early as possible — rough edges and all — to start a conversation with the community and encourage collaboration.”

Over the past two years, Microsoft has been exploring how to use blockchain and other distributed ledger technologies to create new types of digital identities designed to enhance personal privacy, security and control.

In developing ION, Microsoft has been working with the Decentralized Identity Foundation (DIF), a non-profit consortium whose members include other tech vendors such as IBM, NEC and RSA, as well as blockchain startups and large vertical industry firms such as Aetna and WeBank (China’s first online-only bank).

Between now and its launch, which will take months, Microsoft is asking open-source developers and members of the “identity community” to run through its code and help it log any bugs.

“In the coming months, we’ll work with open source contributors and members of [the] identity community to prepare for a public launch of the ION network on Bitcoin mainnet,” Buchner wrote. “During this time, the project’s code will evolve rapidly and is best suited for use by experienced developers. If you’re not an experienced developer but would still like to interact with an ION node, we deployed an early preview build of ION on Azure.”
