Event Recording

Identity Management in a Web 3.0 World



The third iteration of the Web, Web 3, aims to put more control over web content in users’ hands. It promises to be built on blockchain, eliminating all big intermediaries, including centralized governing bodies. The vision for a Web3 world is for people to control their own data and be able to bounce around from social media to email to shopping using a single personalized account, creating a public record on the blockchain of all of that activity. What does this mean from an identity management point of view? We will explore some important questions that should be addressed as the future of the internet unfolds, including the impact that limited oversight in cryptocurrency will have, including poor authentication; the role of decentralized identities and private key management; and finally, the privacy aspects of having transaction data on the blockchain and what that means for attackers that can potentially compile new identities or further identity theft as we know it today. Whether it is Web3 or beyond, these issues will be critical to build trust on the internet of the future.

So as Raj mentioned, Web3 is exciting. It's pretty much in the news every single day. We look at it from many, many different perspectives. I know there were tons of speakers talking about self-sovereign identity and verifiable credentials and whatnot. I want to give a little bit of a twist to the subject and talk about overall identity management, the risks and the opportunities given where we are today, the state of technologies and where things are going. Let me just start with the promise of Web3. I think that we're all here, and that there's a lot of excitement, because there are a lot of good things that Web3 can bring. Democratization: if everybody is working together in this world, in this metaverse world, in the Web3 world, perhaps there's an opportunity to eliminate disproportionate influence by certain players and not giving people access to certain types of information. Inclusion: yesterday I was sitting with someone from the World Bank talking about how crypto wallets are able to support many countries whose banking systems do not reach most people, and how by providing payments and interventions and social services and things via crypto wallets, we might be able to remove barriers to financial and social societal participation and increase social and economic development.
Anti-establishment: this one is always interesting to me, because clearly this all started as a response to big tech and central players owning and managing data and information. But I think, and this is one of the things that we'll talk about today, that it's not like you can completely eliminate some of these players. And finally, the central tenet, as we all know and have talked about, is a world in which individuals own their data, their identity, their transactions, and they get to manage how it is all being used. Some of these things potentially could be in conflict, and we see this in the reality that we exist in today. And I think anybody who's been following the news this week on the tumult in the crypto market recognizes that the reality is not so rosy all the time. Coinbase reported a 430 million loss in the first quarter.
So the question is, what does that mean for the rest of the crypto market over time? Losses from crypto scams last year totaled 14 billion. And I was just reading over a Javelin report that came out yesterday saying that stolen identity losses across all markets were 24 billion, and that there was a 90% increase in account takeovers using stolen identities. You can just imagine the consequences of this in Web3 and on the metaverse. We know OpenSea reported that the majority of the NFTs that they are listing are fraudulent or plagiarized, with tons of spam going on over there. And on the flip side, for the honest people, 20% of Bitcoin value is either lost or unrecoverable because people don't have access to their private keys to unlock. And so there are some real problems that have to be addressed.
And on the left side is the reality from a democratization point of view and inclusion point of view. So I think we have a long way to go, and I think that identity management is at the core of a lot of these things. When you think about the promise of Web3, and you think about some of the core tenets, blockchain, self-sovereign identity, security, liability, KYC and AML, there are tons of challenges and opportunities that need to be considered, realistically, if we want to take a step back and really capitalize on the opportunity of Web3. So blockchain obviously has an enormous role to play. Where Web3 goes, blockchain goes, or where blockchain goes, Web3 goes, and it's at the core of a lot of the privacy aspects and, obviously, all of the wallets and things that people throughout this conference have been talking about. From an identity perspective, there are a couple of issues to highlight.
One is that we can store information, identity information, on the blockchain, but you can't process information on the blockchain. So whatever you're going to do, from a biometric point of view specifically, would have to be taken out of the blockchain and then processed in some kind of a centralized location. There's also the limitation around device dependency and where the private key resides. From an SSI perspective, I think while there's a lot of promise, and I love the idea of verifiable credentials, what I do question, given all the work that I've done over the years, is how do you establish the root of trust? How do you know that that credential is being created by an authorized entity and being presented by the right person, and how do you do that validation at scale? Do you need a centralized authority? And if yes, where does the government come into play?
And even behind a lot of these decentralized IDs and self-sovereign identity schemes are still centralized repositories of data, because you still need to ensure that people aren't creating credentials under multiple identities or people aren't switching credentials and whatnot. From a KYC and AML standpoint, there's obviously a big need from a compliance point of view. But what happens to all of the data that's being collected? If you do a KYC and an AML check up front, how do you know that the person transacting is the person that you just checked? Where do those questions get answered, and how? And from a security and liability perspective, what happens if we're in a world where we don't really use biometric identity for validating transactions or for securing wallets and things like this? What happens when a hacker steals our credential and then impersonates us? Who's liable?
How do you reconcile that with other consumer protection laws, or with GDPR and other privacy laws? So I think these are really, really big questions that are often not asked while we're sort of riding this wave of Web3. And there is no 100% solution and answer to all of these questions all of the time. But I think that if we look at zero-knowledge proofs in multiparty computing, it does give us some direction in terms of how to balance the privacy, security and identity needs within this world. So from a privacy perspective, MPCs are like blockchain, where information is distributed over a network of nodes. So there's no single point of ownership, there's no central point of control, there's no central data repository. But there's a big benefit in that.
There's also no dependency on a particular device from a security standpoint when you are leveraging and using MPCs, because it's cloud-based and not device oriented. There are ways to link the identity to a root of trust and to leverage biometrics and PII information without having any ownership in a central point. As I mentioned, MPCs can also be used to store, retrieve and manage private keys and can be supported across different Web3 applications like smart contracts and NFTs, and managing crypto keys as well. And this framework also can be applied to biometrics and identity. So instead of relying on a biometric template that will sit on a device, and then you don't know who's behind the device, or you have a template that is sitting in a centralized repository, you can break up the biometric data into essentially anonymized bits. So they're not even biometrics by the time they're sharded, and they can be distributed over this peer-to-peer network.
And computation can also be done in a distributed way, both one-to-one matching authentication, so is Francis who she claims to be, and one-to-many lookups, have I seen Francis before in the database, so to ensure that somebody else isn't trying to apply under my information or that I'm not trying to apply or get into a system under multiple identities. And so you can leverage this type of technology for strong authentication without any of the privacy challenges that are typically found when we're implementing these kinds of schemes. And so if we put it all together, and again, we're short on time today, so I'm kind of moving quickly and throwing different concepts, but if we throw it all together, this is really the end-to-end for how you would leverage blockchain, as well as verifiable credentials or SSIs, and MPCs together in a Web3 world to close a lot of the gaps and provide the strong identity management that we need.
So on the left side is the enrollment process. This is what we do today: IDV or KYC or AML checks. And it would be at that point that you would enroll the user's biometric and distribute that throughout the MPC network, binding the biometric to the identity that is registered at that point. Any blockchain identity, any verifiable credential or whatnot can be used. And if there is a new device that is presented, or you need to transfer the keys, or you need to initiate a signature, you could do that by authenticating against the MPC network in the cloud. And this is a very, very high-level view of how you would reconcile a lot of the issues that I've raised before. So with this idea, essentially you're leveraging biometrics and not weak authenticators like usernames and passwords or other mechanisms. This would be used to access wallets, secure transactions, verify transactions, transfer keys; leverage decentralized infrastructure to maintain privacy; and, from a fraud and security side, connect the different silos in the current identity management stack that are contributing to all of the fraud, whether it's within NFTs, for example, managing NFT ownership, transferring and selling, or if it's accessing and securing wallets and cryptocurrency distributions.
Again, this is a very short talk, so I've just thrown out some different concepts. I'm very happy to take questions. We probably only have time for one or two questions at this point. So if there are any questions, I'm happy to take them now.
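
The sharded enrollment and the distributed one-to-one and one-to-many matching described in the talk can be illustrated with additive secret sharing. This is an added example, not the speaker's or any vendor's protocol. It assumes integer feature vectors, squared Euclidean distance as the match score, and a probe that the nodes see in the clear; all names and sample values are constructed.

```python
import secrets

P = 2**61 - 1  # prime modulus for the additive shares (constructed parameter)

def share(value, n):
    """Split an integer into n additive shares mod P; any n-1 of them look random."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(value - sum(parts)) % P]

def enroll(template, n):
    """One record per node: a share of each feature and a share of ||t||^2."""
    cols = [share(x, n) for x in template]
    norm = share(sum(x * x for x in template), n)
    return [{"vec": [c[i] for c in cols], "norm": norm[i]} for i in range(n)]

def node_partial(record, probe, first):
    """Runs on one node: its share of ||t||^2 - 2<t,probe> + ||probe||^2."""
    dot = sum(s * x for s, x in zip(record["vec"], probe))
    part = record["norm"] - 2 * dot
    if first:  # the public ||probe||^2 term is added by exactly one node
        part += sum(x * x for x in probe)
    return part % P

def distance(records, probe):
    """Sum the partials: only the squared distance is ever reconstructed."""
    return sum(node_partial(r, probe, i == 0) for i, r in enumerate(records)) % P

def authenticate(records, probe, threshold):
    """1:1 match: is the probe close enough to this enrolled identity?"""
    return distance(records, probe) <= threshold

def identify(gallery, probe, threshold):
    """1:N lookup: every enrolled identity the probe matches (duplicate check)."""
    return [who for who, recs in gallery.items() if authenticate(recs, probe, threshold)]

# Constructed sample data: 8-dimensional integer feature vectors.
USER_A = [12, 200, 45, 90, 7, 133, 60, 18]
USER_B = [90, 15, 170, 33, 210, 4, 99, 250]
PROBE_A = [13, 198, 45, 91, 7, 130, 61, 18]  # fresh capture of user A
GALLERY = {"user_a": enroll(USER_A, 3), "user_b": enroll(USER_B, 3)}

if __name__ == "__main__":
    print(distance(GALLERY["user_a"], PROBE_A))  # squared distance to user A
    print(identify(GALLERY, PROBE_A, threshold=50))
```

No single node's record reveals the enrolled template, and a compromise of fewer than all nodes yields only uniformly random values; the match score itself is still disclosed to whoever combines the partial results.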
