Imagine a company that can verify the background of a new employee and onboard them with the click of a single virtual button, or a banking customer who can verify their identity for a loan without exposing personally identifiable information – again with a click of a button.

That's the potential blockchain holds for decentralized identity management. It's done by creating a digital wallet that serves as a repository for all kinds of personal and financial data, info that can only be shared after a specific request and only with the permission of the owner.

Blockchain distributed ledger technology (DLT) – in combination with digital identity verification – holds the potential to solve online privacy issues that plague everything from consumer sales and bank know-your-customer regulations to employee credentials that allow access to confidential business systems.

"There are multiple vendors in this space that are either in the early R&D stage or testing their products in pilot projects," said Homan Farahmand, a senior research director with Gartner. "It is too early to declare any winner, by any means, because just having a working product is not enough. Decentralized identity requires a vibrant ecosystem, a robust identity trust fabric built on a distributed ledger or blockchain, tools to support user-friendly functionality and good developer experience to support broad adoption."

One considerable security attribute of storing digital identities on an encrypted, distributed blockchain ledger is eliminating "honey pots," or central repositories for customer account information, according to Julie Esser, chief engagement officer for CULedger, a Denver-based Credit Union Service Organization (CUSO). Those repositories are prime targets for hackers.

Credit Unions are already testing ID management

Like other CUSOs, CULedger is a cooperative owned by multiple credit unions for the purpose of providing back-office services; it was created a year ago to build out a blockchain-based identity management platform called My CUID. The platform is expected to launch in the second half of 2019 and will hand the keys to data protection over to customers who sign up for an app. CULedger has 36 investors – 26 credit unions and several CUSOs.

In October, CULedger began piloting My CUID with five other credit unions and another CUSO; it eliminated the need for user names and passwords and relieved credit union call centers from the obligation of resetting them when a customer loses them.

How it works: a new or current customer of a member credit union contacts a customer service call center, which sends a text message to the customer's mobile device with a link to download the My CUID app. The credit union's rep then issues the customer their credentials – a digital wallet, which holds personally identifiable information obtained during the initial customer contact. That information is encrypted and can only be accessed with the member's authorization, which is requested when they make a transaction.

Each time a customer using My CUID contacts the credit union – or vice versa – their smartphone or tablet receives a pop-up dialogue requesting they confirm their membership before any transaction is completed.

"You'd click OK or Not OK. It doesn't feel a lot different than what happens with other apps on your phone," Esser said. "It's all based on...the encrypted channels we've created, which is really cool. You're creating a two-way secure communication channel. So, not only does your credit union know it's you they're talking to, but you also you know it's your credit union calling you."

CULedger has set a goal of issuing 1 million digital identities to credit union members in 2019. Because credit unions must comply with Know-Your-Customer federal regulations, the blockchain-based digital ID service would also fulfill regulatory compliance, Esser said.

Along with giving the customer control over their identity by handing them the blockchain encryption keys, My CUID would eliminate the need for user login names and passwords and dramatically reduce the time it takes for a credit union call center representative to authenticate a member.

It can take a rep from 60 to 90 seconds to authenticate a member before a transaction even starts. That can be reduced to 5 seconds or less with My CUID, according to Esser. "It's not a pleasant experience to phone a call center because the customer is welcomed with 20 questions to identify who you are, so it's a wonky process that needs fixing."

Traditionally, credit unions and other financial services firms rely on third-party service providers for call center and customer authentication services, many of which are located outside the U.S. CULedger would place control back in the hands of member credit unions, Esser said.

In 2019, CULedger plans to begin building out its production customer permission network; it is currently considering several blockchain platforms, including IBM's Hyperledger Fabric service and R3's Corda, the biggest commercial blockchain consortium among banks, insurers and other financial service firms. CULedger is also considering working with the Hedera Foundation, the creator of Swirlds, a software platform for creating distributed applications (dApps).

Swirlds is based on the Hashgraph protocol, a DLT well suited to the financial services industry because it can process more than 100,000 transactions per second, unlike bitcoin, which processes three to four transactions per second.

"We need the ability to conduct transactions instantaneously – in real time," Esser said. "We'd planned to create our own platform, but with the focus on a decentralized identification piece, this allows us to not recreate the wheel. There may be some applications that require different [blockchain] platforms."

How a self-sovereign ID works

For consumers who are mindful of their online information – credit card numbers, date of birth, annual income, etc. – blockchain has the potential for "self-sovereign" identities like CULedger is creating, meaning the user controls who can see their data or get purchasing approval without releasing their income details.

Self-sovereign identities work like this: the user has a bank confirm a credit limit or an employer confirm annual income; that confirmation information is then encrypted, but available, on a public blockchain ledger to which the consumer holds the private and public cryptographic keys.

If a buyer wants a car loan from an auto dealership, for example, the consumer can give them permission through a public key to confirm that he or she has enough credit or annual income without revealing an exact dollar amount. So, for example, if the car dealer wants to ensure a consumer earns more than $50,000 a year, that's all the blockchain ledger will confirm (not that they actually earn $72,587).

The confidentiality technique is known as zero knowledge proof (ZKP), a cryptography technology that allows a user to prove that funds, assets or identifying information exist without revealing the information behind it. Ernst & Young has created a public blockchain prototype it plans to launch in 2019 that lets companies use ZKPs to complete business transactions confidentially.

Sovereign IDs in the enterprise

CULedger is also working with the Sovrin Foundation, a new nonprofit\ that has created the blockchain-based Sovrin Network; it enables anyone to globally exchange pre-verified data with any entity also on the distributed ledger.

The online credentials issued via the Sovrin Network are akin to a physical ID you might carry in your wallet, such as a driver's license, a company ID or a bank debit card. The virtual encrypted wallet (or crypto wallet) would link back to the institutions that created them, such as a bank, a government agency or even an employer, which, through the blockchain, would automatically verify the needed information to a requestor.

"Our market strategy involves working with enterprise partners to solve their ID problems rather than trying to go direct to end users, so yeah, we're working hard in that area and have a number of partners who are doing things there. Three who come to mind are Government of British Columbia, CULedger and IBM/ATB Financial," said Phil Windley, chair and co-founder of the Sovrin Foundation.

The Government of British Columbia and the Government of Ontario have already rolled out a production system using the Sovrin Network for business registration and licensing; together they've issued over 6 million credentials, according to Windley.

Sovrin development partners IBM, Workday and ATB Financial (a bank in Alberta) have also started pilot tests of the Sovrin Network.

The partners are demonstrating how digital credentials could work for IBM employees. ATB Financial issues a digital credential, which can be used for both logging into the bank and IBM's user network. Along with validating the employees' financial information, the distributed ledger application eliminates the need for employees to have a username or password, Windley said.

"Because it's cryptographically based, it has a public key associated with them, and you [the employee] own the private key," Windley said.

Gartner's Farahmand said self-sovereign identities based on blockchain distributed ledgers are being eyed for all kinds of enterprises uses, including onboard new hires.

Each time a new employee is hired, a new decentralized identifier is generated by the that employee and passed to the enterprise. That identifier can then be propagated within the internal systems for user authentication to the enterprise network and applications, Farahmand said.

"This can be a powerful proposition as it speeds up the onboarding process and subsequent identity life cycle management activities, as well as enabling password-less authentication. It also helps with converging multiple personas a person can have relevant to the organization," Farahmand said, explaining that the digital IDs can be used to access multiple systems within a company based on organization-based permissions.

A popular design pattern for decentralized identity is comprised of a core identifier and a set of "pairwise" identifiers, each for a relationship the user has with an organization. Pairwise identifiers are cryptographically derived from the core identifier. The pairwise identifier enables an enterprise system to uniquely verify a user identity for each relationship and potentially prevent correlation of user activity across different relationships, enabling privacy-by-design principles at the protocol level, Farahmand said.

For example, a bank employee can be a bank customer at the same time while using the same self-sovereign ID. The two personas are typically represented by two digital identities in two siloed systems – one as an employee and one as a customer of the bank.

"In case of a decentralized identity model, the same person can have two sets of identifiers ... mapped to the same core digital identity, which can potentially simplify reconciliation of user activities," Farahmand said.

Another benefit to a self-sovereign ID is the ability to streamline B2B scenarios where an employee of one organization can have access to systems in another. For example, Farahmand said, if the host organization trusts the decentralized identity that is attested by the guest organization, then a new pair-wise decentralized identifier can be generated to authenticate the user; that simplifies the onboarding and access governance for business customers or other partners.

Significant hurdles remain

While self-sovereign IDs based on blockchain hold significant promise for increasing privacy and efficiency, there are also significant technology hurdles that have yet to be vaulted. For one, trust in blockchain.

A 2018 Gartner CIO survey revealed on average that only 3.3% of companies worldwide had actually deployed blockchain in a production environment.

In a blog post, Avivah Litan, a Gartner vice president and distinguished analyst, listed eight hurdles blockchain needs to surmount before it can become a cure-all for virtually any international, transactional network need – from fee-less, cross-border payments to supply chain tracking.

One significant challenge is integrating DLT systems with legacy databases, the current repositories for corporate employee identities. A decentralized identity system also requires a vibrant ecosystem, a roust identity trust fabric built on a distributed ledger or blockchain, tools to support user-friendly functionality and good developer experience to support broad adoption.

"While we encourage our clients to watch this space and do some limited experimentation or even proof-of-concept projects," Farahmand said, "we also caution them to make sure these products are battle tested, hardened and ready to withstand different types of attacks."