IBM and SecureKey Technologies, a Toronto-based startup founded 2008, with approximately 100 employees, and offices in Boston and San Francisco, have partnered with the Canadian Federal Government and the majority of Canadian banks in a bold initiative to solve the ubiquitous problem of personal identity security and authentication. Collectively, they are building and implementing a new national identity blockchain technology for Canadian citizens. IBM and SecureKey are building the identity network using Hyperledger’s blockchain technology, which the Canadian government and major financial institutions are already integrating at the highest levels.
A Permissioned Blockchain Driving Innovation
Despite the steady increase in identity theft, most of the world relies almost exclusively on increasingly weak and vulnerable forms of identity security and authentication. The World Economic Forum estimates the average user has over 130 authorization credentials, i.e., username and password pairs. Dealing with the ever-increasing burden of juggling our various credentials is no easy task, and all too often we fall into dangerous habits such as reusing predictable usernames and passwords across all our services. Stopgap fixes, such as two-factor authentication and credential managers, can actually compound the problem by adding even more vulnerable credentials to the heap. In two whitepapers, SecureKey described the inherent difficulties of current identity security and proposed a blockchain solution and has called on telcos to play a more active role in the identity and fintech industries.
On March 20, 2017, an IBM press release said “Together SecureKey and IBM are developing a digital identity and attribute sharing network using IBM’s Blockchain service which is built on top of the Linux Foundation’s open source Hyperledger Fabric v1.0… The network is currently in the testing phase in Canada, and once it goes live later in 2017 Canadian consumers will be able to opt-in to the new blockchain-based service using a mobile app.”
At the time of publication, the app release date has been pushed back to 2018. SecureKey told BTCManager it would be released for iOS and Android, in cooperation with the three major Canadian wireless providers; Rogers, Telus, and Bell. “The app allows consumers to easily share trusted credentials (of their choice) with organizations of their choice; [Credentials] such as verified name, address, DoB, phone number, location, etc.” The three major telcos will be “providing data (network verified phone number, network verified location, etc.) into the network through their Enstream joint venture.”
Identity App Due for 2018 Release
SecureKey revealed to BTCManager that the app to be released in 2018 will be “initially available for use by any consumers that have a relationship with [these financial institutions]. Service providers across Canada (including participating financial institutions, telcos, government, etc.) can then elect to use the network to verify the identity of these consumers and provide them access to their products and services.” Incredibly, SecureKey also stated to BTCManager that the software will be released under an open source license.
Essentially, this new financial technology will allow banks and other trusted institutions to easily, and securely, share previously validated customer identity information with third parties, via a consumer-controlled app on their devices. So, rather than having to go through their own identity verification process, third parties can instantly verify a new customer’s identity; if the customer allows their bank (or other trusted service provider) to send their information to the third party through the app.
“What IBM is building with SecureKey and members of the digital identity ecosystem in Canada, including major banks, telecom companies, and government agencies, will help tackle the toughest challenges surrounding identity,” said Marie Wieck, general manager, IBM Blockchain.
“This method is an entirely different approach to identity verification, and together with SecureKey, we have a head start on putting it on the blockchain. This is a prime example of the type of innovation permissioned blockchain networks can accelerate.”
In October 2016, many leading Canadian banks, including BMO, CIBC, TD, RBC, Scotiabank, and Desjardins, collectively invested C$27-30 million ($21.2-23.6 million) in SecureKey. SecureKey has also received funding from the Digital ID and Authentication Council of Canada (DIACC) and the Command Control and Interoperability Center for Advanced Data Analytics (CCICADA), a U.S. Department of Homeland Security Science & Technology Directorate funded research center. Already, the company has rolled out its SecureKey Concierge ServiceTM, which allows users to log in to 80 Canadian Federal Government websites.
At the time of publication, users can log in to these government websites using one of the following trusted partners; Affinity Credit Union BMO Financial Group, CHOICE REWARDS MasterCard, CIBC Canadian Imperial Bank of Commerce, Desjardins Group, National Bank of Canada, RBC Royal Bank, Scotiabank, Tangerine, or TD Bank Group.
Shedding Light on IBM and SecureKey’s Collaboration
In answer to the FAQ “Why is the Government of Canada offering users the option to use banking credentials?,” the Government of Canada website reads:
“By offering a choice of credentials, the government is making its online services more convenient for clients to access. Many individuals use their online banking credentials regularly, so being able to use the same credential to access government services online means that you will have one less User ID and password to remember.”
In answer to the question “Is any of my banking information shared if I use Sign-In Partner (SecureKey Concierge)?,” the Government of Canada website reads, “No, your banking information is not shared when you use a Sign-In Partner. The technology is designed in such a way that the Government of Canada will not know which Sign-In Partner (or financial institution) you have used. Similarly, the bank will not know which government department or agency its customer contacted. Also, the credential broker who facilitates this interaction will not know the identity of the individual or business. The participating financial institutions and departments and agencies will not share any information that identifies individuals, as directed under privacy legislation.”
Ann Cavoukian, Ph.D., and Second Executive Director at The Privacy and Big Data Institute at Ryerson University, in a SecureKey Concierge ServiceTM promotional video, asserted “When visiting a government services website that offers the SecureKey Concierge ServiceTM…sign in using the government supplied login or using a trusted Sign-In Partner… No passwords or personal information (such as your name, address, or date of birth) are exchanged during the process. Your bank won’t know which government service you’re accessing, and the government won’t perceive any information about your bank.”
In an IBM Blockchain promotional video, Greg Wolfond, Founder, Chairman, and CEO at SecureKey, colloquially explained, “We think identity is much more valuable than money, and you have to be able to stop [identity theft]. We turned to blockchain and started working on Hyperledger because we didn’t see another technology that could solve this problem the way we want to solve it. So what we’re able to do with Hyperledger and blockchain is really make the service ‘triple blind.’ When you take your driver’s license and you go to a bar, to a bar, to a liquor store, the bar and liquor store trust that you’re you because the state issued that document, but there’s no way the state can know you went here, you went here, you went there. And the biggest thing we get with Hyperledger is we also have to blind the middle; there is no broker in the middle. So, there’s no way the operator of the network can see any of the data in transit or at rest. So, blind on the receiving side, blind on the sending side, and blind in the middle means the system is ‘triple blind.’ So, all the banks will have this as a companion app…when I show up at a telco, and I want to prove who I am, I can take a picture of a QR, enter my mobile number; and I’m asked on my device, ‘do I want to share this information from my bank, and do I want to share that my credit score is over 700?’ And I’m consenting to that release… The telcos in Canada…say that just implementing this, it’s [CAD] 50-70 million a year in savings just in efficiencies — the banks have hundreds of millions in efficiencies.”
In another SecureKey promotional video, Wolfond says, “Security around identity is tough; we need strong ‘what I know factors’ like bank password and questions, we need ‘what I have factors’ like cellphones and cards, and we need biometrics to know who you are. We can’t do that without building an ecosystem where everyone works together for the common good.”
Rene McIver, Chief Security Officer at SecureKey, commented, “We have al ot of objectives to meet to get this right, like; leveraging established digital assets already established at trusted providers, not over-answering questions, putting the user in control of their information, blinding the relying party and identity provider from one another, preventing them from tracking the user, and lots more. We also need to comply with all privacy legislation across the country, both federal and provincial levels” (Indeed, there are a few privacy acts: FIPPA, FOIPPA, MFIPPA, PHIPA, PIPA, and PIPEDA!).
Andre Boysen, Chief Identity Officer at SecureKey, added “For example when a student shows their ID at a bar and then at another bar, there is no way for the [government] or anyone else to track where they’ve been. It’s crazy though, for a young woman to get into a bar, she has to disclose her height, her weight, her address, and her age.”
So, next time you buy a beer, Canadian or not, you may want to ask yourself, “Do I prefer to disclose my height, weight, address, and age? Or would I rather store my identity in a national blockchain?” Depending on how successful the new financial technology is in Canada, you too may see an identity blockchain coming to a government or bank near you.