ShoCard allows users and enterprises to establish their identities with one another in a secure, verified way so that any transaction – whether it’s to login, share personal information, or complete a financial transaction – can be accomplished quickly and with peace of mind. How exactly does it work and how is blockchain enabling this technology? We talk to Ali Nazem, VP and Business Development Manager at ShoCard.com.
How does ShoCard work, in a nutshell, and does it require both (or more) parties to participate in your system or you can use it to prove your identity to another party even if they don’t have a ShoCard identify themselves?
Ali Nazem: ShoCard has built a technology that leverages the blockchain as an underlying piece of its architecture to provide identity management for both end users and enterprises. ShoCard provides a mobile App (compatible on both iOS and Android mobile platforms) that users install on their mobile phones. The ShoCard platform uses public/private key encryption and data hashing to safely store and exchange identity information. It’s a strong form of multi-factor authentication with out-of-band communication and data matching, implementing multiple private keys and hashes throughout the process. The blockchain allows ShoCard to create a secure, distributed trust system with all the benefits of a federated identity system, with very little back-end overhead.
Key benefits to this approach include the fact that PII is not stored in any usable way either on ShoCard’s servers or on the blockchain. A user’s PII is collected by the App, encrypted and stored locally on their device; then, a one-way hashed, digital signature of those fields are created using the user’s private-key and is stored on the blockchain. The original PII, when processed in this way, cannot be deduced or extracted in any way. The user’s PII can then be validated and certified by a trusted entity such as an identity verification provider, a government agency or corporate office. Using a method similar to the above process, these certifications are also stored on the blockchain using the verifier’s private key. Once this data has been certified, the user can then interact with other parties and verify their identity or, if they choose, exchange personal data through a completely secure process. Similarly, enterprises can also provide validations of their own identity so that others (whether they be end users or other enterprises) can be assured of who they are interacting with.
The value and strength of ShoCard is really enhanced within an ecosystem that is participated in by multiple entities. You don’t need a ShoCard identity to prove yourself to another party but the verifying entity will need to access the system and trust the certifications of the given user to be useful of valid.
Personal data are, or at least have been so far, easily compromised on the internet. Do you think your tool, or blockchain solutions in general, is 100 % bulletproof against hacking attacks and such?
AN: In theory, nothing is 100% bulletproof against hacking and fraud. We can only increase the barrier by making it very difficult or costly to hack or breach a system, database, device, etc.
ShoCard approach to managing identity information has a number of advantages over current state of the art systems which leverage centralized authorities and data repositories implementing technologies such as LDAP, databases, Active Directory and the like. By implementing the solution on the blockchain, which itself is a public, highly distributed and highly encrypted data store, one can achieve a high degree of redundancy, scalability, security and overall reduction in costs typically associated with identity management.
Moreover, due to the way in which ShoCard has deployed its identity management solution, no PII needs to be revealed to or stored by the ShoCard server itself (other than the minimal amount needed for account recovery). And although the blockchain is leveraged to store data, the actual data written to the blockchain is encrypted, hashed and digitally signed so that it is impossible to derive the actual original data from what is written there. Instead, ShoCard uses those records as a way of comparing records to confirm when they were written, validate who wrote them originally, and allow other parties to certify part or all of a user’s data. The mechanism for this process is such that the data cannot be tampered with either during transit or at rest, while validating parties can verify the data’s authenticity. This mechanism provides the measure of certainly required for any third party to validate provenance of a data’s source while maintaining privacy and control of PII data for the user. Using this as the mechanism to verify identity, transmit information and certify parties is novel to the industry today.
Internet is not a safe place. Scams, phishing, social engineering etc. – many of these things work because of flawed identity verification or lack thereof but also people not using them. What’s more crucial here: the risk awareness of internet users or proper technology for protecting them from cyber-dangers?
AN: Fraud and cyber crime will always be a problem with security solutions and hackers playing a game of “cat and mouse”, where security threats are met and dealt with constantly. With the hacker often time one step ahead exposing breaches while the security experts come up with preventative measures. The answer in our opinion is that both risk awareness and proper technology are crucial for protection of internet users from cyber-dangers. It takes diligence not to get snared in phishing, scams, etc but technology plays a key role in protecting users from cyber crime by eliminating the potential to begin with.
What areas (businesses etc.) are most in need of safe identification systems? Is blockchain and blockchain-based systems the best (maybe the only?) solution here? Why so?
AN: Identity verification is most paramount in areas that protect lives. Hacked bank accounts, government records, email accounts, etc are relatively lower risk and consequence for breaches than something like identity for air travel where a breach could mean the loss of lives and property by a terrorist. Utilizing the blockchain with biometric authentication provides a system where identity can be validated yet keeping the personal identifying data of an individual safe.
Interviewed by Przemyslaw Cwik