Agent-Based Digital Identity Architecture

Problems — Analysis — Solution — Adoption

Problems Plaguing the Web

The Internet lacks an identity layer for establishing and validating user identity. PKI, HTTPS and SSL/TLS (now TLS 1.3) have secured online transactions for decades, while user identity, security, privacy, and ease-of-use have been neglected. The Internet instead relies on a patchwork of browser-based identity schemes. A browser can be shared by multiple users on different devices, at different locations and behind different IP addresses, which creates a variety of impersonation risks, and these schemes do not support user-to-user collaboration based on IP addresses. User-asserted identifiers, online passwords, and second factors do not prove who users are. Passwords are easy to use but frustrating, since countless passwords and online profiles must be managed, and users tend to choose and reuse weak passwords, leaving them vulnerable to compromise. Biometric authenticators and tokens harden user-to-provider bindings, but using them for peer-to-peer bindings is challenging. Unsurprisingly, impersonation and service-provider breaches continue to rise.

Issue Analysis

The above problems are addressed by the following:

Decentralizing Identity: Shifting responsibility for digital identity from providers to users simplifies maintenance for users while off-loading providers and dispersing the attack surface (i.e. risk).

Verifiable Control: Users must be strongly bound to their identifying data using passwords and biometrics.

Ease-of-Use: Digital identities should be intuitive and easy to use to facilitate technology adoption.

Collaboration: Users need to be able to reliably collaborate with both service providers and other users.

Cryptography: The most recent version of TLS (1.3) relies upon the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol to secure transactions, so ECDHE can equally be relied upon to secure collaboration among users.

Identity-Proofing: Identity-proofing should be conducted using qualified personnel in accordance with established policies, requirements and procedures.

Solution Synopsis

The proposed architecture consists of identity agents that deploy digital identities to their owners. Each identity reveals just enough information to satisfy the needs of a transaction, for the purpose of mutually identifying and authenticating the parties and securing messages, transactions, and private information.

Solution: Better than your Wallet

Technology Adoption

The architecture's critical features are specified in four US patents, one patent application, and eleven conference papers and journal publications. A progressive roadmap anchored by focused initial projects is planned. To facilitate technology adoption, ease-of-use, privacy, and security are built into the solution, and a proof-of-concept prototype has been developed to validate it. The architecture comprises identity agents that deploy digital identities which "look and feel" like the credentials in one's wallet, carry three (3) long-term elliptic curve key pairs, and are verifiably owner-controlled (self-sovereign). Public copies of digital identities are distributed under ephemeral (short-term) keys exchanged using the ECDHE protocol.

Applying AI

It is expected that identity agents will be able to exploit artificial intelligence (AI) to help owners avoid, detect, and prevent impersonation, phishing, and man-in-the-middle (MITM) attacks. Identity agents will help owners decide which digital identities to select and how much private information to disclose in accordance with the assessed risk.