Every time you see “Login with Facebook,” “Login with Twitter,” or a similar button on a website, or use login credentials issued by your employer or school, you’re using Identity and Access Management (IAM) technologies in the background. IAM has become central to our online interactions, but like a lot of infrastructure it’s largely invisible to users (at least when it’s well designed and implemented). IAM is evolving rapidly, the stakes are high, and enterprises face an increasingly complex and puzzling digital identity landscape. There is also growing concern that businesses know too much about us, and that end users should therefore reclaim control over their own identities. IAM is a hot topic in the technology world, with new architectures, business models, and philosophies all in play.
Blockchain technology (sometimes also called distributed ledger technology – DLT) is also gaining attention. Proponents advocate it for a wide variety of use cases, including IAM. Blockchain is a broad class of relatively new data security methods, with certain properties of potential value in IAM. Many IAM companies have launched identity registration solutions “on the blockchain,” while others are developing new blockchain-inspired infrastructure for distributing information about users (called “attributes” and used to inform decisions about whether to grant access to resources), which is a key element of IAM.
We wrote a white paper, titled “Do Blockchains Have Anything to Offer Identity?”, to provide an in-depth analysis of blockchain and IAM, and to provide a lens through which to view and evaluate forthcoming developments. Faced with a growing amount of hype and scepticism, we seek to provide a balanced perspective, and to clarify the ways in which blockchain technologies may or may not serve the needs of IAM.
In answering whether these new and innovative technologies can help with IAM, the starting point should be to appreciate what the first blockchains were designed to do (cryptocurrency), and then to build carefully on that. This paper should help those devising new IAM solutions, and those acquiring solutions and needing to evaluate blockchain-based approaches. Perhaps most importantly, we hope to provide guidance in evaluating current and new blockchain-based IAM solutions as they come along.
After our analysis, it is clear that blockchain technologies are collectively a work in progress. Our conclusion is that, despite early enthusiasm about their general security properties, the original public blockchains are on closer inspection generally not a good fit for IAM. The objective of cryptocurrency – to exchange electronic cash without intermediaries and without trust – is fundamentally different from that of enterprise IAM, which typically requires much more rigorous key lifecycle management and access controls than public blockchains offer.
Several new blockchain technology developments show promise for improving particular aspects of IAM, such as the provenance of identity attributes and cryptographic keys. Our recommendation is that any ongoing examination of blockchain technologies for IAM begin with a clear problem statement, and an appreciation of the nuances in blockchain security.
We hope you will read the paper and let us know if you have any thoughts on the matter.
Steve Wilson is a researcher, analyst and adviser in digital identity and privacy. He is General Manager of the Lockstep Group headquartered in Sydney, Australia, and holds an adjunct position as Principal Analyst with Silicon Valley based Constellation Research.
Steve Olshansky is Internet Technology Program Manager for the Internet Society.