How Blockchain Startups Will Solve The Identity Crisis For The Internet Of Things
Identity protection is an emerging area for the Internet of Things. Millions of inexpensive consumer devices ship with a default username and password, but some of them end up in your house. Last winter a piece of software called Mirai herded hundreds of thousands of home routers and cameras into the most potent botnet ever, which then generated the first terabit scale distributed denial of service ever seen. What if there were a solution that permitted companies to reliably identify their customer’s devices without putting them in the position of holding customer data? What if there were a way to ensure IoT devices only accepted configuration from their legitimate owners? I talked to HYPR CEO George Avetisov about their biometrics and UniquID CEO Stefano Pepe about their device identity work to get a better feel for how blockchains will be used to solve these problems.
The service HYPR provides is a framework for passwordless authentication via biometric encryption. They don’t develop biometric devices, the focus of their innovation is creating a distributed, secure system based on existing, tested technology. We've covered the concept of cryptographic fingerprints here previously. Any digital item can be subject to some sort of cryptographic hash, then the hash can be used to check the validity of a digital item without the validator needing to have a copy. As an example, your phone's fingerprint reader does something involving a scan and a company that has access to a hash of your fingerprint's digital representation can validate you, but they don’t have the ability to impersonate you.
Digital fingerprints are just the start. HYPR supports all types of biometric data, from simple authentication algorithms for facial and voice recognition to more complex algorithms such as the way you type on a keyboard, the rhythm when you text on your phone, or how you walk on the street. Your home, your car, and your office all have access requirements and there is probably some degree of smarts already included. HYPR positions IoT vendors to include biometric authentication without a huge investment in expertise, money, or time to implementation.
A big part of HYPR's innovation is complete distrust of the internet for transmitting biometric data itself, which never leaves the user's cell phone. A single phone might get cracked and the biometric data used, but there is no path to hitting millions of victims in a single event. Where does the use of a blockchain fit in all this? It will serve as a distributed, trustless store of biometrics validation data. There are several implications and not all are obvious. A blockchain based system is resistant to denial of service attacks that cripple centralized businesses. Why? Because instead of bringing down a single server farm hosting with the authentication data, a DOS attack would have to identify and bring down many blockchain nodes hosted by several parties within the same permissioned blockchain environment.
Equally important to DOS protection is business process interoperability. Avetisov explains, “We are building use cases around associative forms of identity through the blockchain. Right now you can not authenticate between two different corporate entities, such as a bank and a car insurance company because there is not a shared identity between the two companies. Each company has a different identity stack that is not interoperable. By using a blockchain, you can have an interoperable ledger for identity between multiple entities without a complex infrastructure. An insurance company can prove your identity to a bank or a credit card can prove your identity to a streaming service all through biometric data.”
How does it all work? While the exact mechanics have not been finalized, it would involve each company acting as a validator of the data within the network running nodes that are constantly accepting biometric data. When a company that is not running a node wants to authentic a user, they would look to the network and the nodes would provide data on the last time stamp that a particular user could have been identified with a particular device accepting biometric data. If the user can prove they had a device that the network has agreed is associated with their identity within a recent timeframe, the user is then authenticated.
The value here is that different companies can identify users based on their specialized identity stack and provide authentication to others without sharing any of their personal data. Converting your customers to use biometrics is a complex, expensive project. But if 70% of your customers are already using a system from another company, and that system has been built with an eye on assisting third parties to make the jump to biometrics, the barrier to entry is dramatically lowered. Cost savings begin in quarters rather than years.
What sort of benefits accrue if diverse businesses authenticate their users with the same biometrics system? Here's a scenario Avetisov offered that's a nightmare today, but which would have a happy ending in a biometrics enabled world. Children don't typically have identity information until their later teen years when they start driving, so there is a three to five year window where they are allowed to roam widely without a formal ID. If they're brought to a hospital injured and unresponsive there is a delay while they are identified, wasting some of that golden hour in treating shock and trauma. A biometric solution accelerates that process and a blockchain allows that medical institution to authenticate through the identifying information collected from other companies.
These use cases could be implemented using Bitcoin's blockchain, but HYPR has chosen a private solution. While individuals are using biometrics to authenticate, they do so with large entities, and HYPR has focused on serving the needs of banks, health care, and insurance providers. For these enterprises, regulation around data security is a great concern. While a public blockchain with hashed or encrypted data provides high levels of data security, it is still unclear how managing data in such a way would fit within the current regulatory framework. As such, private or permissioned blockchains are the fastest way to market without the need to educate regulators.
While HYPR is focused on how to build an interoperable environment for humans to be authenticated via various IOT devices, UniquID is building technology that identifies the devices themselves while they are offline through a very clever use of blockchain technology and smart contracts.
Pepe offered an interesting example of how an offline smart contract might work, “If you want to rent a Zipcar, what happens if neither your phone or the car cannot connect to the internet. You can’t unlock the car with your smart phone unless the owner of the car comes with the keys in his pocket, drives the car out, and brings the car to a place to download a certificate. This is the only way for the car to establish a secure connection with your phone. However, with UniquID there is a very different scenario. Both the car and the smartphone have a UniquID wallet on the blockchain. Zipcar creates a smart contract on the blockchain that unlocks the car for a specific smartphone when a token is received in the car’s wallet. The smartphone downloads [all or a portion of] the blockchain with the smart contract already executed. Then when you go to the car without internet, your smartphone uploads the missing blocks of the blockchain that the car does not have, with the executed smart contract, and the car unlocks for the person with the correct smartphone.”
Through this innovative use of blockchain technology, devices do not have to be connected to the internet in order to communicate, identify and authenticate with each other in a secure way. This is an important mechanic for devices to be able to capture real-time data and communicate with one another in real time.
Unlike HYPR, which can be built on either a permissioned or public blockchain, this use case relies on the security provided through the proof of work mechanism of a public blockchain. A private blockchain environment, particularly a small one, may have vulnerabilities that a motivated attacker could exercise, modifying data in ways an offline node could not detect. A public blockchain’s security mechanism, proof of work consensus, costs the same amount to fraud, whether online or offline. Global bitcoin mining capacity is 3.75 million terrahashes per second. Translating that to something you can visualize, an AntMiner T9 will do 12.5 terrahashes per second, costs $1,140, weighs twelve pounds, and consumes 1576 watts. You’d need 300,000 of those to match current global Bitcoin capacity and theoretical attacks could be done with 10% of the total — a hundred and twelve tons of gear consuming 37 megawatts of power costing $34 million.
If you’ve got a $20,000 vehicle but it would take the purchase price of a 220’ yacht to steal it, such attacks are going to remain at the proof of concept stage. However, it is important to note that a downside to the current layout of this plan may require a device to download an entire blockchain, which would be cumbersome for a small IOT device. UniquID has very ambitious plans on how to improve device identity and communication through a new type of secure network that will act as alternatives to SIM networks and certificate authorities that I call decentralized certificate authorities. Unfortunately, UniquID has not yet released a white paper describing their service, so we’ll save that for another article.
You can see how these technologies will be required for a future with an Uber ordering coffee maker, a grocery ordering refrigerator, or laundry room that makes sure you’re always ready to do the next load. Humans will be identified by biometrics, devices by unique attributes like MAC addresses, likely in combination with the unique attributes of the human that first uses them, imprinting to their new owners the way some newborn animals do with their mothers. When a service needs to leave a message for a device that isn’t always on if it’s small it’ll be placed directly on a blockchain, while larger data say a software update, will be left as a URL on the blockchain and a cryptographic fingerprint of the file.
We’ve had robotics on factory floors for two generations, lines of carefully laid out systems assembling goods. That sort of automation is going to spread from within a single organization to across multiple enterprises, reaching out to consumers, and eventually imbuing the entire supply chain with situational awareness, speeding deliveries and reducing the need for human interactions.
Alan Zibluk Markethive Founding Member