Agent-Based Digital Identity Architecture

Problems — Analysis — Solution — Adoption

Problems Plaguing the Web

The Internet lacks an identity layer for establishing and validating user identity. PKI, HTTPS and SSL/TLS 1.3 have reliably secured online transactions for decades, while user identity, security, privacy, and ease-of-use have been neglected. The Web is supported by a patchwork of browser-based identity schemes. Browsers pose a range of risks since they can be shared by multiple users on different devices from different locations using different IP addresses. These identity schemes do not support peer-to-peer collaboration between IP addresses. User-asserted identifiers, online passwords, and second factors are relatively easy to use but do not prove who users are. Users are frustrated by having to maintain countless passwords and online profiles. Users tend to specify and reuse weak passwords, further escalating risk. Biometric tokens can harden user-provider bindings but are not practical for user-to-user bindings and may reveal biometric data. Breaches and impersonation continue to increase.

Fixing the Problems

Decentralizing: Shifting responsibility over identity from providers to users puts identity squarely in the hands of users; off-loads providers; and disperses the attack surface over a large population of web users.

Digital Identity: Users are well-positioned to specify and verify digital identities given they control their foundational identifying documents and know the identifying attributes of family, friends, and associates.

Biometrics: Using biometrics to bind users to digital identities mitigates loss and tampering risk. Captured biometric minutiae should never be disclosed. Localized passwords/PINs can strengthen such bindings.

Cryptography: Digital identities integrated with elliptic curve crypto are much harder to break than remote access passwords. Digital identities powered by such cryptography can be used to mutually identify and authenticate users across multiple providers. Crypto keys secure transactions, attest digital identities, encrypt private data, notarize documents, and delegate consent.

Credit Card Validation: A user who has specified a digital identity uses his/her credit card to validate it. If the credit card verifies online, and the name displayed on the credit card comports with the identifying information specified by the digital identity, the digital identity is cryptographically “validated”.

Identity-Proofing: Online and in-person identity-proofing involves submitting identifying documents and digital identities to identity-proofers. If successfully proofed, the digital identity is cryptographically attested to show it represents the owner’s identity at an elevated level.

vCard 4.0: Using this standard to structure digital identities gives them the “look and feel” of credentials in one’s wallet. By comparison, online passwords are not intuitive and can be routinely phished and stolen.

Identity Agents: Identity agents (“apps”) deployed on smart phones, laptops, tablets and servers implementing the above fixes overcome the identity-related problems undermining today’s Web.

Solution Synopsis

The architecture consists of identity agents that deploy digital identities, enabling owners to mutually identify and authenticate one another and to secure transactions and private data.

Solution: Better than your Wallet

Technology Adoption

The architecture's critical features are specified in four US patents, one patent application, and eleven conference papers and journal publications. A progressive roadmap anchored by focused initial projects is planned. To facilitate technology adoption, ease-of-use, privacy, and security are baked in. A proof-of-concept prototype has been developed to validate the solution. The architecture consists of identity agents deploying digital identities that “look & feel” like physical credentials; have three (3) long-term elliptic curve key-pairs; and are verifiably owner-controlled (self-sovereign). Public copies of digital identities are securely exchanged using the ECDHE (Diffie-Hellman) key agreement protocol.
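The exchange of public copies over ECDHE described above, as an added Node.js sketch that is not the prototype's or the patents' code. The curve (P-256), HKDF-SHA256, AES-256-GCM, the JSON payload, the sample vCard, all function names, and the step of signing the ephemeral keys with one long-term key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const CURVE = 'prime256v1'; // assumption: the page does not name a curve

// Agent with one long-term identity signing key and a constructed vCard 4.0 public copy.
function makeAgent(fn) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: CURVE });
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  return { privateKey, spki, vcard: `BEGIN:VCARD\r\nVERSION:4.0\r\nFN:${fn}\r\nEND:VCARD\r\n` };
}

// Fresh ephemeral ECDH key pair for one exchange (the "E" in ECDHE).
function newEphemeral() {
  const ecdh = crypto.createECDH(CURVE);
  return { ecdh, pub: ecdh.generateKeys() };
}

// Session key: HKDF-SHA256 over the ECDH secret, salted with both ephemeral public keys.
function sessionKey(ecdh, peerPub, transcript) {
  const secret = ecdh.computeSecret(peerPub);
  return Buffer.from(crypto.hkdfSync('sha256', secret, transcript, 'identity-exchange', 32));
}

// Sender: sign the ephemeral-key transcript with the long-term key, then encrypt the public copy.
function sealIdentity(agent, key, transcript) {
  const sig = crypto.sign('sha256', transcript, agent.privateKey).toString('base64');
  const body = JSON.stringify({ vcard: agent.vcard, spki: agent.spki.toString('base64'), sig });
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(transcript);
  const ct = Buffer.concat([c.update(body, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Receiver: decrypt, then check the sender holds the private key for the identity key it sent.
function openIdentity(msg, key, transcript) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  d.setAAD(transcript);
  d.setAuthTag(msg.tag);
  const body = JSON.parse(Buffer.concat([d.update(msg.ct), d.final()]).toString('utf8'));
  const spki = Buffer.from(body.spki, 'base64');
  const pub = crypto.createPublicKey({ key: spki, format: 'der', type: 'spki' });
  if (!crypto.verify('sha256', transcript, pub, Buffer.from(body.sig, 'base64')))
    throw new Error('identity key did not sign this exchange');
  // Fingerprint is for out-of-band comparison; ECDHE alone does not stop an active MITM.
  return { vcard: body.vcard, fingerprint: crypto.createHash('sha256').update(spki).digest('hex') };
}
```

On first contact the receiver has no prior copy of the sender's identity key, so the returned fingerprint still has to be compared over a separate channel, or the key attested by a proofer, before the digital identity is trusted.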

Artificial Intelligence (AI)

Going forward, it is expected that identity agents will be able to exploit artificial intelligence (AI) to help owners avoid, detect, and prevent impersonation and man-in-the-middle (MITM) attacks, as well as help them decide which digital identities to select and how much private information to disclose.