Will the blockchain help optimize IAM solutions?

The blockchain technology, still in its early stages of development, is a decentralized database in which each participating system (or the so-called node, “node”) stores an exact copy of all available data. Like links in one chain, each block of information is inextricably linked with the previous one, forming an ever-growing chain of blocks of information. These blocks of information always remain unchanged, making the blockchain technology ideal for archiving and storing information, acting as a distributed registry.



The decentralized database technology allows "parties who do not fully trust each other to agree on the existence, status and appearance of new facts that are known to all parties."

Blockchain’s popularity is primarily due to its:
')

• the ability to archive data without the possibility of their deletion or modification;
• the ability to support pseudo-anonymous transactions;
• lack of dependence on the central authority, which is achieved thanks to the decentralized structure of the blockchain;
• applicability in a wide variety of industries, including financial services, health care, public sector, consumer services industry - for example, a blockchain-based digital citizenship project in Estonia, the use of blockchain for real estate transactions in Dubai, or the use of blockchain Bank of Ireland.

Perhaps the most famous embodiment of the blockchain technology at the moment is Bitcoin cryptocurrency (Bitcoin). This is the first form of currency in the world, whose emission is not centralized, and which is not controlled by the government or the state. The term "cryptocurrency", used today in relation to such electronic currencies as bitcoin, got its name due to the fact that in such currencies encryption is actively used.

Can the blockchain be seen as a response to the rapid increase in the number of digital accounts that we all have to deal with in our daily lives? Today, more than 20 companies are using blockchain-based infrastructures for various user identity and access management (IAM) functions.

However, the prospects for such use are questionable, including for the following reasons:

• This is a database, but not an access control mechanism.
  Distributed registries, such as the blockchain, are great for storing and archiving information with the guarantee that this information will always remain unchanged. The main idea here is that you still have a reliable and secure repository of important information, such as cash transactions, medical records or real estate transactions. Access control and contextual authorization control in real-time is usually not performed by databases.
• Right to oblivion as provided for in the “General Terms of Data Protection”
  Since the information blocks on the blockchain cannot be deleted or edited, this actually contradicts the “right to oblivion, which allows users to control how their personal data is stored. One possible solution is to publish the various attributes of the identity account separately so that they cannot be linked to each other, for example: age, name, address. In addition, it was proposed to publish such attributes using encryption (cryptographically-valid) - in such a way that only the party with which the transaction is performed could read them.
• Swelling hashes
  Given that the blocks are encrypted using cryptographic hash functions, can anyone guarantee that within a few years these hash functions will not be cracked in order to gain access to information or to hack data? Suffice it to recall the MD5 or SHA-1 hashing algorithms, which some time ago were considered to be very robust, but after some time were officially recognized as not so reliable. Again, to avoid risks, the idea of ​​splitting and anonymizing individual attributes of identities can be useful here.
• Distributed data blocks
  All participants in a private or public blockchain system have a copy of all blocks of information. And although the blocks of information are really encrypted or encoded using the hash function, given all the above, can we assume that such protection will be enough? On the other hand, since the PKI public and private key pairs are used in the blockchain to sign information and authentication blocks, storing the keys as hardware PKI tokens or in hardware security modules can provide an additional level of protection for private keys. Separate storage of identity attributes in the form of separate blocks also allows you to minimize such risks.
• Verification and Verification of Identity
  Who will be responsible for confirming the validity of attributes of the identity that you provide in the blockchain? For example, who will confirm the fact that you really are who you say you are? In such a context, state digital IDs, such as those provided for in the EU-approved eIDAS regulation and issued by many EU countries, can be very convenient, and the PKI public key infrastructure is also used to work with accounts in such systems. Adding another factor, for example, taking into account behavior, biometrics, authentication based on knowledge or based on context, can increase the level of trust. In addition, you can use other service providers, such as social networks, telecommunications providers, or banks that are able to confirm some of these attributes with the information they have, and thus act as a trusted third party to verify certain attributes: your address, number phone, age, etc.

As you can see, the above concerns do not at all deny the possibility of using the blockchain in managing user identity and access, and this trend can be considered very promising with proper planning.