Solving a blockchain conundrum: Biometrics could recover lost encryption keys

By Lucas Mearian | Thu, 17 May 2018 03:11:00 -0700

Blockchain could one day solve the online privacy problem by encrypting or scrambling personally identifiable information and issuing each person a random string of bits – a private key – created explicitly for unscrambling their data.

The person holding the blockchain private key could issue various public keys controlling who has access to the personal data on the blockchain. So, for instance, if a car rental agency needed to verify you have a driver’s license, you could use a public key to give them access to that information.

The still-nascent distributed ledger technology, however, faces a vexing problem: what does a user do if they lose their private key? Essentially, a lost key means they lose access to all of their data – and if that data happens to include bitcoins or other cryptocurrency, they lose their digital money as well.

For example, Bitcoin scrambles user information through the use of the AES 256-bit encryption algorithm, which creates a 256-bit private key that can be represented by 32 or 64 alphanumeric characters.

“For Bitcoin, there simply is no key recovery. If you lose your private key, you’ve lost your Bitcoin,” said Martha Bennett, a principal analyst at Forrester Research.

Lance Morginn, director and co-founder of the Blockchain Intelligence Group, believes the blockchain industry and government regulators will need to collectively come to terms on a standard for reclaiming a lost private key.

The Blockchain Intelligence Group is a private company that offers blockchain search and data analytics tools; it has already been working on ID management with U.S. regulators and law enforcement agencies.

The most likely method for reclaiming a private key would be to physically go to a secure facility where the key’s owner would have to pass a number of security measures before the key is restored.

“It’s going to come down to a multitude of biometric devices. It could include a fingerprint scanner with a pulse detector, a retinal scanner and facial recognition all tied together,” Morginn said. “We’re in discussions with a number of different regulators around the world.”

While the idea of going to a private key reclamation facility may seem far-fetched, regulators in various countries are already boosting their scrutiny of cryptocurrency exchanges, including requirements that cryptocurrency be stored offline.

After a number of bitcoin thefts over the past seven years, Japanese regulators this month tightened their rules requiring exchanges to keep bitcoins offline or in “cold storage,” and bitcoin wallet access will require more than one person’s login information.

Conversely, most of the world’s other bitcoin exchanges today continue to keep the digital currency in “hot wallets” or online electronic depositories managed by the exchanges themselves.

Japanese bitcoin exchanges will also have to take more action to prevent money laundering, just as financial service companies in the U.S. must do today by following know-your-customer (KYC) and anti-money laundering (AML) guidelines.

Blockchain identity network projects have also sprung up, offering the potential to satisfy new, more stringent requirements, such as KYC, to ensure that companies know with whom they’re doing business. KYC regulations were enacted in recent years to address a rise in money laundering and terrorist activity funding.

Through a blockchain identifier network, banks could pre-verify who their customers are, and whether or not they’re tied to nefarious activities.

There are already blockchain networks that use biometrics to enable access to private keys and the personally identifiable information (PII) they protect.

For example, Civic, a blockchain identity-verification technology provider, pre-registers users and their identification data, encrypts it and issues a passcode accessible via a finger print scan using an app on a mobile device.

In March, Civic partnered with mobile voting provider Votem to launch a know-your-customer process that will pre-register and authenticate those participating in Votem’s crowdfunding initial coin offering (ICO). Once user IDs have been verified using blockchain, the identities are stored on the Civic App and can be reused for the ICO.

Civic’s private keys are generated by a third-party crypto wallet, providing a firewall between Civic and users’ keys. The fingerprint scan eliminates the need for logins with a username, password, third-party authenticator, or physical hardware token. Civic users can choose who gains access to their information and what data gets shared.


Just as physical keys only open the locks for which they were made, public keys can be used by blockchain users to control what data is released to whom; public keys are controlled through smart contracts, a blockchain business automation tool that determines what information is released based on the public key used.

There are several projects in the works to enable the worldwide exchange of PII via blockchain networks. The biggest benefit: there would be no central authority, such as a bank, governing the exchange of private data. The control would remain with the owner of that data.

For example, the Sovrin Foundation, a new nonprofit organization now developing the Sovrin Network, could enable anyone to globally exchange pre-verified data with any entity also on the network.

The online credentials would be akin to identity information that might already be in someone’s physical wallet: a driver’s license, a bank debit card or a company ID.

Instead of a physical card, however, the IDs in digital wallets would be encrypted and link back to the institutions that created them, such as a bank, a government or even an employer. Any of them, through the blockchain, would automatically verify information to a requestor.

The owner of the digital wallet can limit what information a business receives via an electronic token.

“Let’s say I go to rent a car and you’ve got the 18-year-old behind the counter that I have to give all my information – my driver’s license, my credit cards. She doesn’t need all that information. She just needs to know that I’m authorized to drive that car. I have just given her the… token saying I’m licensed in the state of New York,” said Shone Anstey, president and co-founder of the Blockchain Intelligence Group.

“That way, if the car company has a break-in and someone steals all their databases, they don’t have my personal information,” Anstey added.

The ID2020 alliance, a global partnership, is working to create an open-source, blockchain-based digital identity system for people in the U.S. or other nations who lack legal documentation because of their economic or social status.

A blockchain-based identity token, one that contains PII, may be considered more sensitive because once in someone else’s possession it could be used to impersonate someone for any number of purposes. With that in mind, regulators are considering how blockchain users would be able to revoke access to their identity tokens as well, Anstey said.
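The rental-counter token Anstey describes, together with the revocation step, as an added illustration that is not code from the article or from any company it names: the issuer (a DMV, say) signs salted hashes of every attribute, the holder shows the verifier only the licensing attribute, and the verifier checks the signature, a revocation list and the revealed value. It assumes Ed25519 issuer keys, SHA-256 commitments and a revocation list keyed by the signature; attribute names such as licensed_state are made up for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Credential: an issuer (e.g. a DMV) signs a salted hash of every attribute; the
// holder's wallet keeps Values and Salts and reveals only some to a verifier.
type Credential struct {
	Values, Commitments map[string]string // name -> value, name -> hex hash
	Salts               map[string][]byte
	Sig                 []byte // issuer signature; doubles as the credential ID
}
func attrHash(name string, salt []byte, value string) string {
	h := sha256.Sum256([]byte(name + "\x00" + string(salt) + "\x00" + value))
	return hex.EncodeToString(h[:])
}
// Issue salts each attribute (so hidden values cannot be brute-forced from their
// hashes) and signs the hashes; fmt prints map keys sorted, so the bytes are stable.
func Issue(priv ed25519.PrivateKey, attrs map[string]string) Credential {
	c := Credential{Values: attrs, Commitments: map[string]string{}, Salts: map[string][]byte{}}
	for n, v := range attrs {
		salt := make([]byte, 16)
		rand.Read(salt)
		c.Salts[n], c.Commitments[n] = salt, attrHash(n, salt, v)
	}
	c.Sig = ed25519.Sign(priv, []byte(fmt.Sprint(c.Commitments)))
	return c
}
// Disclose builds the token shown to a verifier: all signed hashes, but the value
// and salt of only the named attributes (e.g. just "licensed_state").
func (c Credential) Disclose(names ...string) Credential {
	d := Credential{Values: map[string]string{}, Salts: map[string][]byte{}, Commitments: c.Commitments, Sig: c.Sig}
	for _, n := range names { d.Values[n], d.Salts[n] = c.Values[n], c.Salts[n] }
	return d
}
// Verify checks the issuer signature, the revocation list (keyed by signature
// hex) and that each revealed value matches its signed salted hash.
func Verify(pub ed25519.PublicKey, d Credential, revoked map[string]bool) bool {
	if !ed25519.Verify(pub, []byte(fmt.Sprint(d.Commitments)), d.Sig) || revoked[hex.EncodeToString(d.Sig)] {
		return false
	}
	for n, v := range d.Values {
		if attrHash(n, d.Salts[n], v) != d.Commitments[n] { return false }
	}
	return true
}
```

A verifier that is handed only the licensed_state value learns nothing about the other attributes, yet can still confirm they were part of the same issuer-signed credential.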

Michael Fauscette, chief research officer at G2 Crowd, a business-to-business software review site, expects that in the next five years, decentralized identity verification will no longer be a novelty; it will be the norm.

“Imagine hiring without reference checks or transcript verifications, where all that an applicant needs is a blockchain hash,” Fauscette said.

With identities, bank accounts and employer information all possibly stored online through blockchain, it will be more crucial than ever to ensure that a lost private key can be recovered.

Despite steps in the right direction, the industry isn’t even close to settling how private keys will be recovered, Morginn said.
