Credit unions look to blockchain to solve digital identity crisis
Identity is a tricky thing, for financial institutions as for philosophers. Banks and credit unions spend an inordinate amount of time learning who their customers are, verifying that they are who they say they are and proving to regulators that they know with whom they are doing business.
The standard means of authenticating a customer who calls in is to have the call center representative play 20 questions. Not only is that a waste of time better spent serving members, but it leaves a lot to be desired.
"If I call up my trusted credit union and they act like they don't know who I am and don't believe I am who I say I am, that's a lousy experience," said Bill Hampel, chief policy officer at the Credit Union National Association.
There are other, more automated methods—texting a verification code to the customer's smartphone, or using the customer's voiceprint to identify him. But the former method stores the authentication proof on the customer's phone, which is no safeguard if a thief gets ahold of the device. And the latter, says Hampel, depends on a third-party vendor system that doesn't come cheap.
Dig into the subject and it becomes clear that while humans do a decent job of identifying people in the real world, we screwed up the analog-to-digital conversion.
The solution may be to rethink digital identity itself.
For the past year, CUNA has been studying the benefits of creating a distributed ledger that employs credit unions as nodes. Several of the larger credit unions among the trade group's roughly 5,000 members together chipped in several hundred thousand dollars to finance a working proof of concept.
Its first test case will be authenticating a member over the phone. For that, the CULedger project, as it is called, is counting on an open-source technology called Sovrin, a blockchain network designed specifically for the creation and management of digital identities.
What makes these identities unique is that they are meant to be "self-sovereign," meaning that individuals retain independent control over their personal information. When interacting with a business, such as a bank or credit union, users can present unfalsifiable cryptographic proof of their identity.
The concept of self-sovereign identity promises to give individuals their own digital existences apart from any company or government. Perhaps Descartes could be sure of himself simply as a result of his own cognition, but people's identities online are fragmented, out of their control, spread across countless proprietary platforms. Mark Zuckerberg could erase anyone's Facebook identity tomorrow if he chose.
And yet businesses could actually benefit from not having to be the custodians of their customers' personal information. They could save money by eliminating their current verification systems and reducing the incidence of fraud.
If people could be in control of their own digital identities, and the public keys to those identities could be stored securely and cheaply on a blockchain, "all of a sudden now the bank doesn't have to build an identity system, yet they get identities that are more trustworthy than they got when they were building their own," said Phillip Windley, the president and chairman of the Sovrin Foundation, the nonprofit that governs the Sovrin network. (To be clear, sensitive personal information is not stored on the blockchain, only identifiers that point to where the information is stored.)
Anyone can read the Sovrin Foundation's Hyperledger Indy ledger, but only authorized parties can write to it, distinguishing the system both from cryptocurrency blockchains and from bank-controlled ones.
In the CULedger test case, a customer who calls in to the credit union will be prompted to download an app on which she will create an encrypted identifier to be used only with her credit union. The next time she calls, she will be able to verify her identity using a thumbprint on her smartphone. For security reasons, her thumbprint won't be stored on the device itself.
Admittedly, this use case would not be much of a breakthrough for Sovrin.
"Using this technology to verify callers into a call center is a lot like swatting a fly with a sledgehammer," said Timothy Ruff, the CEO of Evernym, the company that developed Sovrin.
But it represents a starting point for Sovrin to prove its usefulness and for financial institutions to get comfortable with the technology, which Ruff says will get more powerful with time. "We have not gotten our Ferrari out of first gear with that [call center] product," he said.
In the future Ruff envisions, individuals will have the same power as banks to verify their peers' identities before transacting with them. To each person will attach "verifiable claims"—attestations from other people and organizations regarding things that person has done. By providing this proof that they are who they say they are, people will be able to interact with a high degree of trust in a truly peer-to-peer fashion, even if they don't know each other's names.
Hampel recognizes that this use of self-sovereign identity is a "Holy Grail" for some, a means of reversing the power imbalance that exists online between big businesses and consumers—or governments and citizens. But, from CUNA's perspective, a totally self-sovereign identity that customers can use with other institutions isn't essential, he says.
"That's cool, and if that happens it would be fantastic, but even if it doesn't, having a bulletproof identity-authentication system just for the internal operations of the credit union would be worth it," he said.
Some experts are skeptical that the more radical version of self-sovereign identity will ever come to pass.
"Identity is a two-way street; it is not something that individuals have 'sovereignty' over," said Steve Wilson, a vice president and principal analyst at Constellation Research. "That might seem a stark point of view, but it's actually a human perspective. Identity is about relationships. I only have an identity—actually we all have many identities—because others know me."
Online, this means that identity is less about the individual than about the parties that do the identifying. Identity is given to us, says Wilson, in the form of account numbers, staff IDs, medical identifiers and so on. Service providers set the rules—or regulators do it for them—because they are the ones who end up in hot water when something goes wrong.
"A great deal of [self-sovereign identity] is founded on flawed intuitions about identity, and wishful thinking about how we could assert ourselves online more forcefully," Wilson said.
Rather than try to upend the concept of identity, institutions should make more incremental improvements to their methods of collecting and protecting people's private data, Wilson said. The biggest change—and an aspect of self-sovereign identity that Wilson says has merit—would involve shifting their focus to individuals' concrete attributes or credentials and away from personal details. New systems could then be built for sharing verified customer attributes among businesses.
"All these advances can be made without changing how we know people, and without romanticizing identity in cyberspace," Wilson said.
On Tuesday, Hampel is scheduled to present the findings of CUNA's work on the CULedger project at the trade association's annual roundtable, in front of some of the largest credit unions in the country. If all goes well, he said, "we'll be going for significantly more funding" to continue developing the ledger.
Hampel envisions CULedger extending its use cases first to other customer-verification channels, such as mobile apps and physical branches, and then to loan participations and indirect lending.
Also on Tuesday, the Sovrin Foundation announced that its ledger had been accepted for incubation by Hyperledger, the Linux Foundation's blockchain initiative. The move should attract more developers to the project and ensure its ability to integrate with other decentralized blockchains being created for banking, manufacturing, the internet of things and other industries.
Sovrin, whose code will now be developed under the name Hyperledger Indy, plans to begin its trial run with a provisional network this month and to launch a prime-time-ready version in the third quarter of 2017.
By the end of the year, says Windley, there is a real possibility that people will be using applications built on the network.