Agent-Based Digital Identity Architecture
Problems — Analysis — Solution — Adoption
Problems Plaguing the Web
The Internet lacks an identity layer for establishing and validating user identity. PKI, HTTPS and SSL/TLS (currently TLS 1.3) have reliably secured online transactions for decades, but they authenticate servers and protect the channel; user identity, security, privacy, and ease-of-use have been neglected. The Web is supported by a patchwork of browser-based identity schemes. Browsers can be shared by users on different devices from different locations using different IP addresses, each representing different technical risks. These identity schemes are client-to-provider only and do not support peer-to-peer collaboration between users' endpoints. User-asserted identifiers, online passwords, and second factors are relatively easy to use but do not prove who users are. Users are frustrated maintaining countless passwords and online profiles. Users tend to specify and reuse weak passwords, leaving them vulnerable to compromise. Biometric authenticators and tokens can harden user-to-provider bindings but are not practical for user-to-user bindings and can unintentionally reveal users' biometric minutiae. Unsurprisingly, impersonation and service provider breaches continue to rise.
Fixing the Problems
Decentralizing: Shifting responsibility over identity from service providers to users consolidates each identity in the hands of the person best placed to maintain it, off-loads providers, and disperses the attack surface.
Digital Identity: Enabling users to leverage the already known identifiers of family members, friends, and associates, together with the user's foundational identifying documents (driver's license, birth certificate, etc.).
vCard 4.0: Using the vCard 4.0 standard (RFC 6350) to structure digital identity templates and digital identities that have the “look and feel” of the physical identities in one's wallet, enabling intuitive ease-of-use.
Identity-Proofing: Supporting online and in-person identity proofing using provided identifying documents to prove that a given digital identity characterizes the user who created it.
Credit Card Proofing: Validating the user's credit card online (“Card Not Present”) and then using the name on the credit card to corroborate the identifying information specified by the user's digital identity.
Biometrics: Using biometrics to bind users to digital identities mitigates loss and tampering risk. Captured biometric minutiae should never be disclosed. Local passwords/PINs can strengthen such bindings.
Cryptography: Tightly integrating public/private key pairs renders digital identities much harder to compromise than passwords. Depending on the assessed risk, digital identities built on such cryptography should be able to reliably identify and authenticate users across multiple service providers.
Identity Agents: Provisioned “apps” implementing the above fixes that ordinary users can routinely install and deploy on their web-enabled smart phones, laptops, tablets and servers.
Solution Synopsis
The proposed architecture consists of identity agents that deploy digital identities on behalf of their owners, revealing just enough information to satisfy each transaction's needs, for the purpose of mutually identifying and authenticating the parties and securing messages, transactions, and private information.
Solution: Better than your Wallet

Technology Adoption
The architecture's critical features are specified in four US patents, one patent application, and eleven conference papers and journal publications. A progressive roadmap anchored by focused initial projects is planned. To facilitate technology adoption, ease-of-use, privacy, and security are baked in. A proof-of-concept prototype has been developed to validate the solution. The architecture consists of identity agents deploying digital identities that “look & feel” like physical credentials, have three long-term elliptic curve key pairs, and are verifiably owner-controlled (self-sovereign). Public copies of digital identities are distributed under ephemeral (short-term) keys agreed using the ECDHE (ephemeral elliptic-curve Diffie-Hellman) protocol.
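As an added illustration of the distribution step described above, and of the vCard-structured, minimal-disclosure identities described under Fixing the Problems and the Solution Synopsis, the Go program below is example code written for this page; it is not the prototype and not code from the patents or papers. It builds a vCard 4.0 copy carrying only the properties the owner chooses to disclose, signs it with one long-term P-256 key, and delivers it to a peer agent under a session key derived from a fresh ECDHE exchange, after which the peer checks the owner's signature. Everything beyond what the page states is this example's own assumption: the page gives no roles for the three long-term key pairs, so only a signing key is modelled; the session key is derived with a one-block HKDF-SHA256 and used with AES-256-GCM; the copy is framed as vCard, signature, one length byte; the sample properties are made up; the receiving agent is assumed to already hold an authentic copy of the owner's public key (the binding that identity proofing is meant to establish); and the names `Exchange`, `sessionCipher`, `must` and the `identity-copy v1` label are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed sample: vCard 4.0 (RFC 6350) properties held in full by the owner's agent.
var fullIdentity = []string{
	"FN:Alice Example", // FN is mandatory in vCard 4.0, so every disclosure set should include it
	"BDAY:19900101",
	"EMAIL:alice@example.com",
	"TEL;TYPE=cell:+1-555-0100",
}

// must panics on error to keep the example short; a real agent would report it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildVCard emits a vCard 4.0 holding only the properties the owner discloses for this transaction.
func BuildVCard(props []string, disclose map[string]bool) string {
	var b strings.Builder
	b.WriteString("BEGIN:VCARD\r\nVERSION:4.0\r\n")
	for _, p := range props {
		name := strings.SplitN(strings.SplitN(p, ":", 2)[0], ";", 2)[0] // drop parameters such as TYPE=cell
		if disclose[name] {
			b.WriteString(p + "\r\n")
		}
	}
	return b.String() + "END:VCARD\r\n"
}

// Sign builds the distributable copy as vCard || ECDSA P-256 signature || one length byte (assumed framing).
// The owner's long-term signing key is what makes the copy verifiably owner-controlled.
func Sign(owner *ecdsa.PrivateKey, vcard string) []byte {
	d := sha256.Sum256([]byte(vcard))
	sig := must(ecdsa.SignASN1(rand.Reader, owner, d[:]))
	return append(append([]byte(vcard), sig...), byte(len(sig)))
}

// Verify splits a received copy and checks it against the owner's long-term public key.
func Verify(owner *ecdsa.PublicKey, c []byte) (string, bool) {
	n := len(c)
	if n == 0 || int(c[n-1]) >= n {
		return "", false // malformed framing is rejected before any key is touched
	}
	vcard, sig := c[:n-1-int(c[n-1])], c[n-1-int(c[n-1]):n-1]
	d := sha256.Sum256(vcard)
	return string(vcard), ecdsa.VerifyASN1(owner, d[:], sig)
}

// sessionCipher turns one side's ephemeral ECDH secret into AES-256-GCM via a
// one-block HKDF-SHA256 (RFC 5869), written out so only the standard library is needed.
func sessionCipher(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) cipher.AEAD {
	ext := hmac.New(sha256.New, nil) // extract with empty salt
	ext.Write(must(mine.ECDH(theirs)))
	exp := hmac.New(sha256.New, ext.Sum(nil)) // expand: T(1) = HMAC(PRK, info || 0x01)
	exp.Write([]byte("identity-copy v1\x01"))
	return must(cipher.NewGCM(must(aes.NewCipher(exp.Sum(nil)))))
}

// Exchange runs one distribution: the owner signs a disclosed copy, both agents make
// fresh ephemeral P-256 keys (ECDHE) and derive the same session key, the copy travels
// under AES-GCM, and the receiver verifies the owner's signature. With tamper set, one
// byte is altered after decryption: the channel held, but the content is no longer the owner's.
func Exchange(disclose map[string]bool, tamper bool) (string, bool) {
	owner := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // long-term signing key
	signed := Sign(owner, BuildVCard(fullIdentity, disclose))
	ownerEph := must(ecdh.P256().GenerateKey(rand.Reader)) // used for this exchange only
	peerEph := must(ecdh.P256().GenerateKey(rand.Reader))
	aead := sessionCipher(ownerEph, peerEph.PublicKey()) // owner's side of ECDHE
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	box := aead.Seal(nonce, nonce, signed, nil)
	aead = sessionCipher(peerEph, ownerEph.PublicKey()) // peer's side, same shared secret
	got := must(aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], nil))
	if tamper {
		got[0] ^= 1
	}
	return Verify(&owner.PublicKey, got)
}

func main() {
	vc, ok := Exchange(map[string]bool{"FN": true, "EMAIL": true}, false)
	_, bad := Exchange(map[string]bool{"FN": true}, true)
	fmt.Printf("%ssignature valid: %v; tampered copy valid: %v\n", vc, ok, bad)
}
```

Note what each mechanism buys. The ephemeral keys give the copy confidentiality and forward secrecy, but ECDHE on its own authenticates nobody, so an active attacker can sit in the middle of the exchange; it is the owner's signature, checked against a public key the receiver already trusts, that proves the copy is owner-controlled. The `tamper` path makes the split visible: the GCM tag still verifies because the alteration happens after decryption, while the signature check fails. The disclosed copy never contains BDAY or TEL unless the owner puts them in the disclosure set.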
Applying AI
It is expected that identity agents will be able to exploit artificial intelligence (AI) to help owners avoid, detect, and prevent impersonation, phishing, and man-in-the-middle (MITM) attacks. Identity agents will help owners decide which digital identities to select and how much private information to disclose.
