Bitcoin Forum

I believe that a digital identity will be essential in the future as part of the evolution to Web3

There are a lot of challenges to getting this implemented in a way that is good for society and individuals.

You want to ideally meet the following criteria;

- Issued in a decentralized trustless manner
- Universally Recognized
- Secure
- Encrypted
- Recoverable

I have come up with a proposal on 3DPass in the below infographic on how this could be addressed.

This is by no means perfect but I truly believe this is better than anything I've seen anywhere so far.

The main issue which is still being discussed is what happens if someone steals your private keys.

Let me know what your thoughts? I'm especially interest in feedback on the Infographic below as well as other projects tackling this issue or even any comments you have in general on digital identity.

If future Web3 Trustless Decentralized Identity would be based on Biometric Data ... the worst thing you can do is to share it with random project in ICO stage for few pennies. Why this data is needed for? To prove that you are the owner of identity? Thats why private key is for. To collect sensitive data and run away? Most likely. To avoid sybil attacks? Maybe but there are better alternatives that does not force you to expose to unlimited risks.

For example IDENA and its Proof of Person network. It does not need any sensitive data. 1 node = 1 vote. Sybil resistance achieved by Turing test.

@Tytanowy Janusz I understand your concern.

My thinking is that Biometric data alone without anything else is OK.

The issue with most other projects and even ancestry websites is they also have your other details and this makes you very easy to identify.

As long as it’s only Biometric data which will also be encrypted this should not be an issue. The issue is when you combine Biometric data with name, address or any other data which can identify you and is accessible.

There is no ICO and no coins provided on 3DPass. If anything there would be a small cost for the computation needed to perform the check and issue the new ID (gas fee). The data is also encrypted so nobody has access to it besides the user.

There are too many use cases for a decentralized ID but what I agree with is this will be useless if it’s standalone. It needs to be used as part of Web3 ecosystem whether it’s as part of a Smart Contract, governance or a dApp.

What Idena does well is the flips, this is a brilliant concept.

A Decentralized Identity should be both secure and simple.

Idena is very secure but so secure that it makes it difficult for a user in my opinion.

Just to name a few things invitation codes, first time registration only possible every 18 days, a lot of time needed to solve flips.

I think it works for nodes/validators but will this work for the general public? Definitely not it needs to be simpler.

I think the 3DPass approach is simpler for the user.

Use the app to scan Biometric data (Transaction fee needed)-> Algorithm checks whether this is new or already on the blockchain --> Decentralized ID is issued or recovered

That's it

One downside that I just thought about on trustless decentralized identity solutions is age verification. I'm sure in the future age verification will be needed to access age appropriate dApps. This issue seems very difficult to tackle in a decentralized manner.

let's say I've got an IDENA digital identity (based on solving some CAPTCHAs, please correct me if I'm wrong).
Now, how can I prove it belongs to me (as a real human being)?  

Cee2  From my understanding, this HASH ID Identity doesn't provide any knowledge about my personal sensitive data, right?

I've sketched it up in a little different way. Hope it becomes better to understand:

1. Biometric data, HASH ID and Private key - are all in secret
2. Pub signature taken form HASH ID ensures it belongs to the Network address and, on the other hand, it provides "0 knowledge" of any sensitive data.
3. HASH ID is protected by multi-factor authentication (it's not enough to steal your fingerprint, you also have to get the second object to recover)

https://i.imgur.com/qRtKe2M.png

Correct, no it does not, It's all encrypted.
Even if this was compromised which will not happen, what can someone do with a random fingerprint/iris scan without any other information. Good luck trying to find this person among many billions of people.

It's a great project for the future if it goes perfectly but I'm quite dubious about the service you will provide to customers, which as we all know we have different fingerprints until today, no one naturally have the same fingerprints.

In the process your system will record the fingerprints that I did to get an identity in the web3 industrial revolution, in my understanding you will have my original biometric data in your system before being encrypted. until whenever possible you will have my fingerprints, in this case I want to question how your system cannot be broken into that maybe hackers will steal fingerprint data of billions of people who are in the original data storage system that you have. In the process, fingerprints will be found in the state big data as my identity in social life. The worst possibility is that hackers have my fingerprints from various sources and can match my identity elsewhere.
I don't mean encrypted data but on the robustness of your system because of course your system keeps the original data to protect my identity.

From my understanding of either 3dpass HASH ID and what @3DPass meant by his drawing above, the system doesn't collect any user's data except pub key and pub signature. HASH ID creation process is an offline operation being processed on user's machine without going outside. pass3d recognition opensource lib is only being involved in.  Follow the White Paper https://3dpass.org/3DPass_white_paper.pdf

It's not enough to steal  customer's biometric data from somewhere to recover its hash id. It's protected by several factors...

This is an excellent question and of course must be prevented.

I asked this question to the dev team and there is no storage. All processing is done locally using RAM only as mentioned in the white paper Data Privacy section.

On the official app the storage can of course be prevented but users MUST not store this locally anywhere.

Also it goes without saying that the device should not be compromised.

Once the HASH ID is generated this is protected by cryptographic standard SHA-2.

I know of both idena and 3Dpass, while dena is 1 node 1 person strict 3dpass is just blockchain but if it can hold biometric data and check with rest its their future, its just how you know if real person if behind biometric data on 3Dpass or not?

Great to see a response from someone familiar with both projects.

Real time biometrics = Human

If you limit the algorithm to checking only real time data you will always need a human to do it in real time.

I am less worried about a real person but ensuring that each person only has 1 decentralized ID.

Of course there are other aspects to consider such as how many fingers you scan. Humans are very good at making work arounds. Even if you used all 10 fingers people would generate a second ID with their toes  ;D

But at least we limit it to two IDs per person minus anyone who of course sells their decentralized ID.

Private key is the thing that proves that you own this specyfic digital identity. Just like with every crypto wallet. But that's probably not what you wanted to ask, but how idena deals with the fact that one person has multiple nodes. Its the turing test i was talking about before. Its not a "some CAPTCHAs". Its 6 logic puzzles that you have to solve. This test is performed simultaneously for the entire network and short session last only 2 minutes. So there is no way to validate more than 1 identity. Well you can try with 2-3 but sooner or later you will run out of time and fail valition loosing stake and identity. Based on my experience with idena, 1 node is easy to have, 2 is hard, 3 is super hard and risky.


Fair point. But its not as hard as it looks like. I'm the owner of IDENA digital identity for more than 3 years.


you need 10-30 min of your time each validation (~20 days). They tried to aim for a sweet spot. Validation each day is cool because new members can join right away but from the other hand old members needs to spend 30 min each day instead of once every 20 days.



I'm not an expert but to me sharing any data is a red flag. I have no guarantee that this app wont collect my IP address, mobile phone hardware details, information about the browser, about the font size set on the phone, screen resolution, location from GPS. I have no guarantee that it wont be connected with darknet databases from other services that were already compromised.

Also if biometric data is all i need for your app ... it means i wont be able to safely use other apps that will one day reach mass adoption if this project will fail because my biometrics can already be compromised.

Thanks, I see. Let me clarify my question a little bit. How does the private key identify me as a human being?
It doesn't have to do with me at all, right? So, it can't be treated as a personal identity, cause you'll never know who is the real owner of the private key. That's my point.

Let me give you an example. Imagine, you have 3 person coming over and claiming that each of them is the only owner of an IDENA account. All the three have the private key, which is correctly fit the account. How would you recognize the real one?


 

I believe this would be the future of identification, considering it cannot be faked and it is always verifiable. And it is quickly becoming a norm now to have some electronic identification

Just like with bitcoin wallet, etherum wallet etc. If you are irresponsible to the point that 3 people have access to your private key (which is suppose to be private) ... you are the one who is to blame for losing every asset that is on this wallet nor bitcoin or etherum network. Including digital identity.

3DPass also doesn't prove that digital identity belongs to human being. Identity can be sold or sensitive bio-data can be stole from previous similar projects or malicious apps that needs fingerprint to unlock it or from compromised police office database or from passport issuing office. Just answer this question. How is it possible, in your opinion, that someone has a database of 1 million fingerprints?

How 3DPass will deal with fake fingerprint data? I know its impossible to guess my fingerprint. The amount of possibilities are infinite. But creating a random fingerprints should be easy. How will 3DPass sort fake from real preventing 1 person from owning infinite amount of identities?

For example this:
https://media.springernature.com/lw685/springer-static/image/prt%3A978-0-387-73003-5%2F19/MediaObjects/978-0-387-73003-5_19_Part_Fig1-8_HTML.jpg

In my opinion, that's correct, that they will lose their assets, once having their private keys compromised. But only assets, not the identity, cause it was never be there... (in the bitcoin wallet, etherum wallet etc.) They will never ever prove it were their assets stolen.


I would disagree, and will try to explain my thoughts on it this way:

1. As you can see on the picture posted by @3dpass, the HASH ID is created from several pieces of data when together being leveraged as a seed. But each of them represents an authentication factor (https://en.wikipedia.org/wiki/Multi-factor_authentication) you can never recover the HASH ID without having all of them:

- a fingerprint is something that you are factor, which can identify the person easily (of course, in person);
- a piece of stone is something that you have factor.
- this combination might be expanded with some additional factors like a password (something that you know), etc.

My first conclusion is that you can identify a human being, however, it's not enough to only have their fingerprint to recover the HASH ID and keys. It implies, that your bio has been already compromised (or even public), but the second factor is private and strong enough to protect your keys.

https://i.imgur.com/qRtKe2M.png
  


The only way to check if a given fingerprint belongs to someone real is to meet him in person and verify it by his finger.

So 3DPass is not a digital identity because 1 person can have infinite amount of digital identities. In my opinin, correct me if i'm wrong, it lose majority of use cases.


So 3DPass is only a more secured version of private key. Or maybe not "more secured" but "secured in a different way". Because you can also hash your private key using "something you know" AKA password and part of your best book as "something you have" using simple softwere. 3DPass is nothing more than that. Am I wrong?


good point. But that doesn't  this fact make bio useless in this system?

I appreciate what Idena did as the trendsetter for decentralized identity and for validators/nodes it's great. Ask yourself would this work for anyone else? Only a minority of people are into cryptocurrencies and from those even a smaller minority are into validation/nodes/mining. The feedback that the crypto community always get's is that the community must stop building products for other crypto people only.

Everything from the app is open source there is no data collection. Remember we are just talking theoretical and what ever idea is available to improve security and keep it simple can be discussed for implementation as a community driven project.

I mean we keep discussing it from a theoretical perspective but a private key can always be read if it can be accessed. The general trend when it comes to security is to move away from passwords towards Biometrics. I mean most of use unlock our phones every day like this. A lot of us travel internationally with biometric passports. There is a reason for this and it's the better security compared to a password.

Good dicussion so far to try and make this decentralized identity solution better!

The algorithm checks the blockchain to make sure there is no match. Of course this depends on how many fingers are set up to generate a decentralized identity.

If 3DPass get's the algorithm and conditions right for generating a new decentralized identity then it would be 1 per person. Of course people can be very creative and I joked earlier that people will start scanning their toes  ;D

Nonetheless there would be a strong limitation on the amount of digital identity per real human being with the goal being 1.

You have to remember that for something as difficult, as controlled and centralized as Passports there are a lot of people walking around with multiple passports of different identities. This is not an easy issue to solve but I think the 3DPass proof of scan consensus mechanism which is like a PoW is a great baseline to build from.



I think this is harsh and I hope you can be open minded on the project.

I believe it is more secure and secured in a different way. More secure in the sense of multiple biometric data plus an additional object which is a crazy level of security. Plus most importantly it will be more user friendly than anything I've seen so far.

Scan two fingerprints plus your favourite sculpture for example. Good luck trying to figure this out for a hacker or forgetting this.

Don't believe me on the accuracy of the algorithm check out this video I made playing around with the current recognition algorithm for 3D shapes.

https://www.youtube.com/watch?v=5TlDE69Tmms&t=6s

KK, will do. pass3d (https://github.com/3Dpass/pass3d) recognition lib must contain both the fingerprint recognition algorithm and 3D object recognition (Grid2d (https://3dpass.org/grid2d.html)), which is actually there. That's how it works. It will prevent each digital identity from copying just as it does with 3D objects mined on 3Dpass blockchain (every object has a unique shape). Like 1 object = 1 asset.


Yes, you are. As it was mentioned above, the recognition algorithm is used in 3dpass instead of standard SHA2 hashing.
I suggest that you read this article to compare and understand better how it protects objects from being copied: https://3dpass.medium.com/proof-of-scan-consensus-how-does-that-work-7a88b0fc8530


It doesn't, cause that's exactly what makes HASH ID real personal digital identity. Bio data serves to identify a person, not to protect your key. Moreover, I'm not sure, your fear to disclose your bio makes that much sense nowdays. In most cases, it's already being public (iris scans on your selfie photos published on the Internet, fingerprints on your camera). Of course, if you want to stay private, you can live your life without making photos, hiding from public cameras with a hood etc... but it's not common.

In my opinion, lots of people would prefer the possibility to use public digital identity for making p2p deals with real assets. Moreover, they would publish their iris scan with its HASH ID, so that 3DPass network can verify its authenticity. That's just my opinion. It doesn't make sense to keep in private something that you can't hide.

As I posted above there are ready to use tools that generates infinite amount of fake fingerprints. Even if they are not perfect to cheat this system ... if big money will come in ... people will find a way.


Maybe indeed I am. 5 years in crypto made me very sceptical about new projects.


So its a super secured version of private key. Its a nice usecase too. But its not a digital identity because its not sybil attack resistant.

And I would not compare it to having multiple passports. You go to jail for a long time if you get caught.  Here you generate new fake fingerprint and scan random object and its ready.

Let me give you one more example, which is a hardware wallet having implemented in of both Grid2d and fingerprint recognition algo. And those two would be used for HASH ID creation. The input data, now, can never be replaced, unless you have it as a physical item (a real finger or "plastic" finger). And all you need to prove is whether or not there is a real human being behind, right?

I can see at least two possible ways to do that:

1. Meet him/her in person and verify the HASH ID with the hardware wallet
2. Trust a third party registrar (less trustworthy)

Suppose, there should be some methods on top..

 

I am not sure on this part. If you make it on a smartphone sensor this will be difficult for fake fingerprints. Plus again it wouldn't be too crazy to do add additional functionality for the decentralized identity algorithm to keep making it more and more secure. You will never find something 100% secure but the important part is that as an open source project this can continue to develop and improve. There is always an arms race between antivirus vs virus, authentication vs forgery etc. One thing I am sure is that 3DPass will make this extremely hard/almost impossible.




This tech will be sybil attack proof. Of course there will most likely be a very small loophole but this loophole will be extremely difficult to reproduce.

Also the PoScan algorithm is based on PoW. The decentralized identity would have no impact on the layer 1 blockchain from 3DPass, this remains secured.

You have great insides on decentralized identity. Why don't you come and join the project and share your thoughts and ideas to make this better?

The only recognition algorithm implemented currently is for 3D shapes. The next one schedule for Q4 2023 is for 2D drawings which I recommended before joining the project on bitcointalk https://bitcointalk.org/index.php?topic=5382009.msg59443322#msg59443322

Come share your ideas and let's make this goal for a decentralized identity and most importantly secure.