Identity Verification Using Blockchain
*This article was authored by a student studying blockchain. It clearly illustrates one of the potential use cases that can emerge from the BTCMobick blockchain network. Please note that there might be slight mistranslations. I do this in my spare time.
Identity Verification Using Blockchain
Sung-joon Noh (Graduate School, KonKuk University)
How can one authenticate their identity? Let's consider a scenario where I've traveled to country A. The local police in country A request to see my passport. The information they can obtain from my passport is that I am a citizen of South Korea and entered the country through legal procedures. However, what if the passport is forged? If I used a forged passport, the local police could request the South Korean embassy to verify the authenticity of my passport. But what if, while living in a foreign country, I somehow stole and forged the passport of a South Korean national residing in Korea? Confirming my identity wouldn't be easy. While this is an extreme example, identity verification is a more challenging issue than one might think.
Why is identity verification necessary? It is required to establish 'trust' for someone you are meeting for the first time without any prior connection. People around me can judge me based on their experiences with me. Their trust is built on data acquired through various experiences, indicating whether I am trustworthy or sincere. However, someone meeting me for the first time has no such experiential data.
A South Korean passport doesn't so much authenticate me as it vouches for me. In countries with low trust, the effectiveness of passports is low, and there are cases where entry into other countries becomes difficult. Citizens of countries with low trust (due to economic situations, political conflicts, etc.) may be refused entry, suspected of staying illegally after entry, or even considered potential terrorists.
So, what criteria do strangers use to evaluate me when they have no experiential data about me? There may be first impressions such as appearance, attitude, and speech, but these are highly subjective. Moreover, you cannot rule out the possibility that the aspects that make others like me could be a deliberately constructed image to quickly gain favor.
To create trustless trust, an objective metric that cannot be fabricated is necessary. Even subjective metrics can become objective over time through validation, and presenting these metrics can lead others to trust me. The following could be considered objective metrics:
1 Endorsement by High-Trust Nodes like countries or institutions
2 Credit Ratings
I will elaborate on how identity verification can be achieved using these, why identity verification is necessary, and finally, why blockchain with coins or tokens is essential for this.
1. Endorsement by High-Trust Nodes
Suppose I graduated from University A in South Korea and need to authenticate this to apply to Company B. I receive my graduation certificate from University A and submit it at the Company B interview. Currently, public documents like graduation certificates can be verified for authenticity through official verification sites, but verifying all of them requires significant manpower and time. Therefore, there might be people who submit manipulated or forged documents.
If I graduated from a foreign university, verifying this becomes more challenging. Since each country has different notarization laws, there is a process or international agreement for legally acknowledging a document issued in one country in another, which is called 'Apostille.' Let's assume I graduated from Harvard in the United States. To submit my Harvard diploma for a job in a Korean company, a complex process is required, involving notarization in the US and then obtaining apostille at the U.S. diplomatic mission in Korea.
The same complexity applies to verifying work experience. To verify the career of someone applying for a position, the HR manager needs to contact the respective company's HR team.
Details such as which university and department I graduated from, the grades I received, the tasks I handled in which company, etc., can serve as objective indicators of an individual's diligence and professionalism. However, these details are stored in the databases of the respective institutions. Since individuals do not have access to the servers of these institutions, they always need to visit or connect to the institution online to obtain such documents. If the company has closed down, this might even be impossible. In other words, individuals cannot own their proof of identity. To address this, an immutable ledger like blockchain is necessary.
1-1) Metaverse
In the 2022 Metaverse craze, most projects focused on bringing the real world into the online space. For example, Naver (Google's Korean version) hosted corporate briefings, exhibitions, and promotions on their Metaverse platform 'Geppetto.' However, these efforts have not gained much traction.
While integrating the real world into the Metaverse is a crucial aspect, if we solely focus on that, wouldn't it eventually lead to a scenario similar to the movie 'The Matrix'? If all information from the real world goes online, and even our consciousness can connect online, is physical reality necessary?
The term Metaverse is a combination of 'meta,' meaning virtual or transcendent, and 'universe,' meaning world or cosmos. It refers to a 3D virtual world where real-life and legally recognized activities, such as professions, finance, and learning, are interconnected. However, the Metaverse has not yet been conceptually defined.
Isn't it possible to say that the internet we currently use is a form of the Metaverse? Before the widespread adoption of the internet two decades ago, we lived in an era of limited information. In the absence of the internet, we carried paper maps for overseas travel, and information about a country was obtained through travel guides or individuals who had visited that country. Now, numerous people share their travel experiences on the internet, and by posting questions in travel communities, we can receive detailed responses from strangers. Our constrained real-world has expanded through the virtual world of the internet.
Yet, even the internet we use has limitations. As each internet platform (Naver, Google, Facebook, etc.) operates independently, we have to create accounts for each platform to use them. In other words, personal information becomes the possession of the platform. Moreover, in online games, game items are owned by the game company. Therefore, items obtained through time and effort can disappear if the game fails to gain popularity.
As you can see, it's evident that my personal information and game items stored in the databases of different organizations are essentially the same. Inconveniences arise both offline and online since my data is stored in specific institutions and platforms, and, due to security measures, it cannot be easily transferred to others.
To overcome the limitations of both the physical world and the internet simultaneously, there are two possible solutions:
1. The presence of a central authority with the ability to access all servers and databases.
2. A ledger allowing personal ownership without the need for a central authority.
A classic example of the first solution is the government. If you are a South Korean citizen, you may have already experienced this. After receiving a COVID-19 vaccine, you could check your vaccination certificate through platforms like KakaoTalk Wallet and COOV (short for 'Corona Overcome'). It implies that records of my vaccination are directly managed by the government instead of being only in the hospital database. What would happen if the central authority were not the government but a specific company like Apple or Samsung? What if they managed all your personal information and history on their central server? What if your smartphone access were denied by them? All your personal information would fall under the control of that central entity.
The second solution became possible with the birth of blockchain. It is represented by projects like NFTs, combining tokenization and transactions to create a decentralized ledger for personal ownership.
1-2) Worldcoin and Private Keys
Worldcoin is a project created by Sam Altman, the founder of OpenAI, the developer of Chat GPT. Worldcoin focuses on issuing World IDs for identity verification in the Metaverse. Based on the World ID, they plan to construct a basic income system and a financial network. World ID, created based on a hash value generated from iris information recognized by a tangible device called Orb, stands out.
Private keys and public keys utilized by blockchain are necessary for individuals to seamlessly move between internet platforms and own their data. By using a private key known only to the individual for authentication, an integrated ID that can log in to any platform can be created. Moreover, if extended a bit further, this ID could become a digital passport for offline use, authenticating one's identity.
However, since anyone can generate a private key, individuals could potentially create multiple private keys, leading to identity fraud. Furthermore, there is a risk that if the private key is lost, the identity might disappear because private keys cannot be decrypted.
To address these issues, it is essential to generate a unique private key through biometric recognition, as World ID does with iris recognition. This key should be impossible to replicate, and it should be decryptable. However, registering sensitive information like iris data on a specific device, such as Orb, comes with inherent risks, as evident from the criticism that Worldcoin receives. Users must trust the Worldcoin Foundation and the associated device (Orb).
Hence, biometric-based private key generation should take place on a device owned by the individual, namely a smartphone. Biometric recognition, such as fingerprint and iris recognition, is already occurring on personal smartphones. This data is encrypted and stored within the hardware security module of the phone's chip, ensuring it is not leaked, and there is no need to trust specific companies.
1-3) Private Keys Tied to Individuals
To create a private key using a smartphone, various biometric authentication technologies need to be combined. The most typical example is fingerprints, a method many people are already using for authentication. However, relying solely on fingerprints for generating a private key poses security issues. In South Korea, citizens register all ten fingerprints with the government, meaning that if needed, the government could potentially use the registered fingerprints for private key generation. Besides, some people may have registered fingerprints or other biometric data for access to their corporate facilities. Even for those who haven't registered it with a central authority, fingerprint recognition is not highly secure. It is susceptible to hacking through the use of fingerprint photos or traces left behind somewhere. Similarly, even iris recognition, considered more secure than fingerprint recognition, is not entirely immune to hacking. Instances exist where iris recognition security was breached by taking a photo of the iris. Additionally, fingerprints or irises can be lost due to accidents like finger amputation, fingerprint damage, eye loss, etc. Therefore, a combination of various biometric data is needed to construct an individual's unique biometric information.
When using a smartphone for private key generation, one could combine fingerprint recognition, iris recognition, and gaze recognition: extract images of fingerprints and irises, present a specific image to the individual, calculate the time the gaze lingers on the image, and generate the private key by combining the images of fingerprints and irises in proportion to that time. If stored in the smartphone's secure area, even if the smartphone or private key is lost in the future, it can still be decrypted, making it very difficult for others to hack. (For convenience, the private key generated in this way will be referred to as ID from the next passage.)
1-4) NFT
When personal information is not owned by individuals but stored separately on various institutional servers, it is inconvenient for both individuals and institutions. Individuals need to manage accounts separately for each central institution. If you are a college graduate, you must continuously maintain membership on university websites to entrust personal information for documents. Institutions that can verify the documents to prove a person's history may disappear when they close or go out of business. Moreover, for an institution looking to hire someone, verifying that the person has not forged their credentials incurs manpower and time, meaning costs. The solution is straightforward: give ownership of personal information to individuals. An example widely known to many people, using blockchain technology, is Non-Fungible Tokens (NFT).
NFT is not a new technology. The transaction history of a large-scale, sufficiently decentralized blockchain such as Bitcoin, and Ethereum is an immutable ledger that no one can modify. Using a ledger to record ownership is not new to humanity.
If my graduation certificate or career certificate is tokenized by a relevant institution and its transactions are created with my ID, a history accumulates on the ID. When changing jobs, if I inform the new institution of the public key generated with my ID, they can verify tokenized certificates associated with my ID. If they want to verify actual image files like a graduation certificate, they can access them using the ID. This reduces societal costs. Although it is possible to include images in transactions, it increases transaction size and fees. In the case of Ethereum-based NFTs, image data is stored in the InterPlanetary File System (IPFS), a distributed file-sharing and storage protocol.
Expanding this globally, it could be highly beneficial when refugees from a country facing war or coup seek asylum in another country. For instance, let's assume that war breaks out in South Korea, and I have a South Korean lawyer license. If I become a refugee, the institution that should verify my credentials might not function properly in the chaos. In such a case, a paper-based lawyer's license susceptible to forgery wouldn't be helpful at all.
Identity verification based on history may not be valid for people who haven't attended school, worked for a microbusiness, or are self-employed. Those in urgent need of identity verification are citizens of countries where societal functions are disrupted due to rebellion, dictatorship, etc. For citizens of advanced countries with internationally recognized credentials, this technology might just enhance convenience in their lives. Therefore, additional identity verification methods are necessary.
2 Credit Rating
Credit rating agencies score individuals' credit activities (such as credit card usage, loan repayment, etc.) to measure their credit scores. Credit scores have a significant impact on an individual's trustworthiness and can serve as a powerful means of strong identity authentication. It is challenging to measure credit scores in countries where a financial network is not established. However, by utilizing an ID created on a smartphone and the Bitcoin Lightning Network, individuals can control their credit scores.
2-1) Lightning Network and Credit Creation
The Lightning Network is a technology created to address the high fees of Bitcoin. Bitcoin transaction fees, calculated in proportion to the data transfer amount, are small when transferring large amounts but can be considered significant when dealing with small amounts. For individuals who frequently transact, they can operate off-chain (recording transactions outside the blockchain, similar to everyday ledger usage), only settling on-chain (conducting a blockchain transaction) periodically.
Imagine you want to buy a cup of coffee using Bitcoin. With a regular on-chain Bitcoin transaction, you might incur high transaction fees. Instead of recording every coffee purchase on the Bitcoin blockchain, you and the coffee shop can conduct multiple transactions off-chain within a payment channel on the Lightning Network. After several coffee transactions, you and the coffee shop close the payment channel, which is then recorded on the Bitcoin blockchain. In this way, you can avoid the need for multiple on-chain transactions for each cup of coffee, reducing transaction fees significantly.
While we often think of Lightning Network transactions as one-way, scenarios where people frequently transact with each other on the Lightning Network can illustrate its potential. Consider individuals A, who grows vegetables, and B, who runs a butcher shop. A and B frequently engage in transactions. To use the Lightning Network, each deposits 1 BTC (a total of 2 BTC deposited). However, if their accumulated transactions on the Lightning Network before closing have a total value of 4 BTC, meaning exchanges beyond the collateralized amount, it can be considered credit creation.
As the Lightning Network grows, hubs are inevitable. People who do not have direct channels can still transact using Hashed Time Lock Contracts (HTLCs). However, rather than everyone using individual HTLCs, it is simpler for them to relay through a trusted hub with significant holdings of a reliable coin.
Hubs can also easily create credit. For instance, a hub could offer loan services using the deposited coins. Citizens in developing countries have assets, such as land and houses, but lack proper records to use them as collateral. Tokenizing their assets and using the tokens on the Lightning Network, one can obtain loans against the deposited coins. Depending on the repayment of the principal and interest of these loans, credit scores can be calculated.
Hubs on the Lightning Network can provide services akin to credit cards, allowing them to evaluate creditworthiness. While the Lightning Network generally requires an upfront deposit, transactions without a deposited amount could be allowed like credit cards. If the deposit is not made within the specified period, credit scores can be reduced, decreasing the individual's trustworthiness.
Credit scores can be calculated based on specific nodes' transaction histories. If individuals use the Lightning Network to pay bills such as communication fees and utilities, credit scores can be affected by factors like the overdue period and amount. The history of consistently paying bills or continuously residing in a particular area and paying bills can serve as a means of identity and credit authentication.
Big tech companies capable of distributing their smartphones globally could engage in identity authentication businesses. They understand that by undertaking such business, they can sell smartphones to a vast population, creating loyal customers. However, pursuing this business faces hurdles such as conflicts with nations and skepticism about economic benefits.
Identity authentication and currency can be seen as the authority of a nation. We are already aware that big tech companies like Google know more about personal information than nations. While utilizing blockchain for identity authentication is transferring the nation's authority to individuals, it can be seen as challenging the nation's authority. Nevertheless, if there is a clear demand, even in an autocratic nation, governments would not be able to prevent what people desire from spreading. Companies only provide services, and whether to use them or not is the user's choice.
Beyond overcoming hurdles with nations, there is still skepticism about economic benefits. To undertake this business, a trustworthy blockchain must be used. Bitcoin and Ethereum are possible candidates. However, from the perspective of companies that do not hold Bitcoin or Ethereum, purchasing coins for an unexplored business may be considered risky. If they issue a new cryptocurrency and hold a significant amount of it on their own constructed blockchain to use as a transaction fee, it would obviously be beneficial. However, it may not be easy due to various reasons, such as potential confusion during the initial distribution process, the negative public image of the crypto space, and conflicts with regulators. To use the Lightning Network, you need to deposit coins, and to expand platforms for identity verification, you may need to provide some coins to participating institutions for transaction fees. Therefore, it is necessary to possess a significant amount of coins from the blockchain you intend to use. Big tech companies may be aware of the demand and profitability of identity authentication but are currently bystanders due to these hurdles.
What if someone were to transfer a trustworthy blockchain's coins like BTCMobick without charge? Companies could attempt this with a lighter heart. If the blockchain collapses, they can revert to Bitcoin as it has hard forked from Bitcoin. If the blockchain gains significant value, the value of the coins they hold could increase. Even if they do not sell the coins, they could use them for marketing or hiring talent. As seen in the case of Ripple, when an institution receives investment and provides coins, it might violate securities laws. However, It is not a violation of securities laws for an institution to provide coins to individuals and for individuals to trade them. Therefore, companies face minimal risks.
The business of creating a financial ecosystem through identity authentication is a winner-takes-all structure. The sooner they enter and expand the market, the more people will gather. The general public, like ants, trusts bigger networks. Like U.S. financial firms preparing for spot Bitcoin ETFs, big tech companies may already have preparations and suddenly announce blockchain-related businesses. Time may be running out. Considering the potential of this field, merely being a fast follower might not be sufficient.
#Mobick #BTCMobick #blockchain #worldcoin #identityverification