The Future: Trustless Decentralized Identity

[Cee2]

I believe that a digital identity will be essential in the future as part of the evolution to Web3

There are a lot of challenges to getting this implemented in a way that is good for society and individuals.

You want to ideally meet the following criteria;

- Issued in a decentralized trustless manner
- Universally Recognized
- Secure
- Encrypted
- Recoverable

I have come up with a proposal on 3DPass in the below infographic on how this could be addressed.

This is by no means perfect but I truly believe this is better than anything I've seen anywhere so far.

The main issue which is still being discussed is what happens if someone steals your private keys.

Let me know what your thoughts? I'm especially interest in feedback on the Infographic below as well as other projects tackling this issue or even any comments you have in general on digital identity.

[Tytanowy Janusz]

I believe that a digital identity will be essential in the future as part of the evolution to Web3

There are a lot of challenges to getting this implemented in a way that is good for society and individuals.

Let me know what your thoughts? I'm especially interest in feedback on the Infographic below as well as other projects tackling this issue or even any comments you have in general on digital identity.

If future Web3 Trustless Decentralized Identity would be based on Biometric Data ... the worst thing you can do is to share it with random project in ICO stage for few pennies. Why this data is needed for? To prove that you are the owner of identity? Thats why private key is for. To collect sensitive data and run away? Most likely. To avoid sybil attacks? Maybe but there are better alternatives that does not force you to expose to unlimited risks.

For example IDENA and its Proof of Person network. It does not need any sensitive data. 1 node = 1 vote. Sybil resistance achieved by Turing test.

[Cee2]

I believe that a digital identity will be essential in the future as part of the evolution to Web3

There are a lot of challenges to getting this implemented in a way that is good for society and individuals.

Let me know what your thoughts? I'm especially interest in feedback on the Infographic below as well as other projects tackling this issue or even any comments you have in general on digital identity.

If future Web3 Trustless Decentralized Identity would be based on Biometric Data ... the worst thing you can do is to share it with random project in ICO stage for few pennies. Why this data is needed for? To prove that you are the owner of identity? Thats why private key is for. To collect sensitive data and run away? Most likely. To avoid sybil attacks? Maybe but there are better alternatives that does not force you to expose to unlimited risks.

@Tytanowy Janusz I understand your concern.

My thinking is that Biometric data alone without anything else is OK.

The issue with most other projects and even ancestry websites is they also have your other details and this makes you very easy to identify.

As long as it’s only Biometric data which will also be encrypted this should not be an issue. The issue is when you combine Biometric data with name, address or any other data which can identify you and is accessible.

There is no ICO and no coins provided on 3DPass. If anything there would be a small cost for the computation needed to perform the check and issue the new ID (gas fee). The data is also encrypted so nobody has access to it besides the user.

There are too many use cases for a decentralized ID but what I agree with is this will be useless if it’s standalone. It needs to be used as part of Web3 ecosystem whether it’s as part of a Smart Contract, governance or a dApp.

[Cee2]

For example IDENA and its Proof of Person network. It does not need any sensitive data. 1 node = 1 vote. Sybil resistance achieved by Turing test.

What Idena does well is the flips, this is a brilliant concept.

A Decentralized Identity should be both secure and simple.

Idena is very secure but so secure that it makes it difficult for a user in my opinion.

Just to name a few things invitation codes, first time registration only possible every 18 days, a lot of time needed to solve flips.

I think it works for nodes/validators but will this work for the general public? Definitely not it needs to be simpler.

I think the 3DPass approach is simpler for the user.

Use the app to scan Biometric data (Transaction fee needed)-> Algorithm checks whether this is new or already on the blockchain --> Decentralized ID is issued or recovered

That's it

One downside that I just thought about on trustless decentralized identity solutions is age verification. I'm sure in the future age verification will be needed to access age appropriate dApps. This issue seems very difficult to tackle in a decentralized manner.

[chum_yum]

I believe that a digital identity will be essential in the future as part of the evolution to Web3

There are a lot of challenges to getting this implemented in a way that is good for society and individuals.

Let me know what your thoughts? I'm especially interest in feedback on the Infographic below as well as other projects tackling this issue or even any comments you have in general on digital identity.

If future Web3 Trustless Decentralized Identity would be based on Biometric Data ... the worst thing you can do is to share it with random project in ICO stage for few pennies. Why this data is needed for? To prove that you are the owner of identity? Thats why private key is for. To collect sensitive data and run away? Most likely. To avoid sybil attacks? Maybe but there are better alternatives that does not force you to expose to unlimited risks.

For example IDENA and its Proof of Person network. It does not need any sensitive data. 1 node = 1 vote. Sybil resistance achieved by Turing test.

let's say I've got an IDENA digital identity (based on solving some CAPTCHAs, please correct me if I'm wrong).
Now, how can I prove it belongs to me (as a real human being)?  

Cee2  From my understanding, this HASH ID Identity doesn't provide any knowledge about my personal sensitive data, right?

[3DPass]

I've sketched it up in a little different way. Hope it becomes better to understand:

1. Biometric data, HASH ID and Private key - are all in secret
2. Pub signature taken form HASH ID ensures it belongs to the Network address and, on the other hand, it provides "0 knowledge" of any sensitive data.
3. HASH ID is protected by multi-factor authentication (it's not enough to steal your fingerprint, you also have to get the second object to recover)

[Cee2]

I believe that a digital identity will be essential in the future as part of the evolution to Web3

There are a lot of challenges to getting this implemented in a way that is good for society and individuals.

Let me know what your thoughts? I'm especially interest in feedback on the Infographic below as well as other projects tackling this issue or even any comments you have in general on digital identity.

If future Web3 Trustless Decentralized Identity would be based on Biometric Data ... the worst thing you can do is to share it with random project in ICO stage for few pennies. Why this data is needed for? To prove that you are the owner of identity? Thats why private key is for. To collect sensitive data and run away? Most likely. To avoid sybil attacks? Maybe but there are better alternatives that does not force you to expose to unlimited risks.

For example IDENA and its Proof of Person network. It does not need any sensitive data. 1 node = 1 vote. Sybil resistance achieved by Turing test.

let's say I've got an IDENA digital identity (based on solving some CAPTCHAs, please correct me if I'm wrong).
Now, how can I prove it belongs to me (as a real human being)?  

Cee2  From my understanding, this HASH ID Identity doesn't provide any knowledge about my personal sensitive data, right?

Correct, no it does not, It's all encrypted.
Even if this was compromised which will not happen, what can someone do with a random fingerprint/iris scan without any other information. Good luck trying to find this person among many billions of people.

[Dickiy]

I believe that a digital identity will be essential in the future as part of the evolution to Web3

There are a lot of challenges to getting this implemented in a way that is good for society and individuals.

You want to ideally meet the following criteria;

- Issued in a decentralized trustless manner
- Universally Recognized
- Secure
- Encrypted
- Recoverable

I have come up with a proposal on 3DPass in the below infographic on how this could be addressed.

This is by no means perfect but I truly believe this is better than anything I've seen anywhere so far.

The main issue which is still being discussed is what happens if someone steals your private keys.

Let me know what your thoughts? I'm especially interest in feedback on the Infographic below as well as other projects tackling this issue or even any comments you have in general on digital identity.

It's a great project for the future if it goes perfectly but I'm quite dubious about the service you will provide to customers, which as we all know we have different fingerprints until today, no one naturally have the same fingerprints.

In the process your system will record the fingerprints that I did to get an identity in the web3 industrial revolution, in my understanding you will have my original biometric data in your system before being encrypted. until whenever possible you will have my fingerprints, in this case I want to question how your system cannot be broken into that maybe hackers will steal fingerprint data of billions of people who are in the original data storage system that you have. In the process, fingerprints will be found in the state big data as my identity in social life. The worst possibility is that hackers have my fingerprints from various sources and can match my identity elsewhere.
I don't mean encrypted data but on the robustness of your system because of course your system keeps the original data to protect my identity.

[chum_yum]

I believe that a digital identity will be essential in the future as part of the evolution to Web3

There are a lot of challenges to getting this implemented in a way that is good for society and individuals.

You want to ideally meet the following criteria;

- Issued in a decentralized trustless manner
- Universally Recognized
- Secure
- Encrypted
- Recoverable

I have come up with a proposal on 3DPass in the below infographic on how this could be addressed.

This is by no means perfect but I truly believe this is better than anything I've seen anywhere so far.

The main issue which is still being discussed is what happens if someone steals your private keys.

Let me know what your thoughts? I'm especially interest in feedback on the Infographic below as well as other projects tackling this issue or even any comments you have in general on digital identity.

It's a great project for the future if it goes perfectly but I'm quite dubious about the service you will provide to customers, which as we all know we have different fingerprints until today, no one naturally have the same fingerprints.

In the process your system will record the fingerprints that I did to get an identity in the web3 industrial revolution, in my understanding you will have my original biometric data in your system before being encrypted. until whenever possible you will have my fingerprints, in this case I want to question how your system cannot be broken into that maybe hackers will steal fingerprint data of billions of people who are in the original data storage system that you have. In the process, fingerprints will be found in the state big data as my identity in social life. The worst possibility is that hackers have my fingerprints from various sources and can match my identity elsewhere.
I don't mean encrypted data but on the robustness of your system because of course your system keeps the original data to protect my identity.

From my understanding of either 3dpass HASH ID and what @3DPass meant by his drawing above, the system doesn't collect any user's data except pub key and pub signature. HASH ID creation process is an offline operation being processed on user's machine without going outside. pass3d recognition opensource lib is only being involved in.  Follow the White Paper https://3dpass.org/3DPass_white_paper.pdf

It's not enough to steal  customer's biometric data from somewhere to recover its hash id. It's protected by several factors...

I've sketched it up in a little different way. Hope it becomes better to understand:

1. Biometric data, HASH ID and Private key - are all in secret
2. Pub signature taken form HASH ID ensures it belongs to the Network address and, on the other hand, it provides "0 knowledge" of any sensitive data.
3. HASH ID is protected by multi-factor authentication (it's not enough to steal your fingerprint, you also have to get the second object to recover)

[Cee2]

I believe that a digital identity will be essential in the future as part of the evolution to Web3

There are a lot of challenges to getting this implemented in a way that is good for society and individuals.

You want to ideally meet the following criteria;

- Issued in a decentralized trustless manner
- Universally Recognized
- Secure
- Encrypted
- Recoverable

I have come up with a proposal on 3DPass in the below infographic on how this could be addressed.

This is by no means perfect but I truly believe this is better than anything I've seen anywhere so far.

The main issue which is still being discussed is what happens if someone steals your private keys.

Let me know what your thoughts? I'm especially interest in feedback on the Infographic below as well as other projects tackling this issue or even any comments you have in general on digital identity.

It's a great project for the future if it goes perfectly but I'm quite dubious about the service you will provide to customers, which as we all know we have different fingerprints until today, no one naturally have the same fingerprints.

In the process your system will record the fingerprints that I did to get an identity in the web3 industrial revolution, in my understanding you will have my original biometric data in your system before being encrypted. until whenever possible you will have my fingerprints, in this case I want to question how your system cannot be broken into that maybe hackers will steal fingerprint data of billions of people who are in the original data storage system that you have. In the process, fingerprints will be found in the state big data as my identity in social life. The worst possibility is that hackers have my fingerprints from various sources and can match my identity elsewhere.
I don't mean encrypted data but on the robustness of your system because of course your system keeps the original data to protect my identity.

This is an excellent question and of course must be prevented.

I asked this question to the dev team and there is no storage. All processing is done locally using RAM only as mentioned in the white paper Data Privacy section.

On the official app the storage can of course be prevented but users MUST not store this locally anywhere.

Also it goes without saying that the device should not be compromised.

Once the HASH ID is generated this is protected by cryptographic standard SHA-2.

[reb0rn21]

I know of both idena and 3Dpass, while dena is 1 node 1 person strict 3dpass is just blockchain but if it can hold biometric data and check with rest its their future, its just how you know if real person if behind biometric data on 3Dpass or not?

[Cee2]

I know of both idena and 3Dpass, while dena is 1 node 1 person strict 3dpass is just blockchain but if it can hold biometric data and check with rest its their future, its just how you know if real person if behind biometric data on 3Dpass or not?

Great to see a response from someone familiar with both projects.

Real time biometrics = Human

If you limit the algorithm to checking only real time data you will always need a human to do it in real time.

I am less worried about a real person but ensuring that each person only has 1 decentralized ID.

Of course there are other aspects to consider such as how many fingers you scan. Humans are very good at making work arounds. Even if you used all 10 fingers people would generate a second ID with their toes 

But at least we limit it to two IDs per person minus anyone who of course sells their decentralized ID.

[Tytanowy Janusz]

let's say I've got an IDENA digital identity (based on solving some CAPTCHAs, please correct me if I'm wrong).
Now, how can I prove it belongs to me (as a real human being)?  

Private key is the thing that proves that you own this specyfic digital identity. Just like with every crypto wallet. But that's probably not what you wanted to ask, but how idena deals with the fact that one person has multiple nodes. Its the turing test i was talking about before. Its not a "some CAPTCHAs". Its 6 logic puzzles that you have to solve. This test is performed simultaneously for the entire network and short session last only 2 minutes. So there is no way to validate more than 1 identity. Well you can try with 2-3 but sooner or later you will run out of time and fail valition loosing stake and identity. Based on my experience with idena, 1 node is easy to have, 2 is hard, 3 is super hard and risky.

A Decentralized Identity should be both secure and simple.

Idena is very secure but so secure that it makes it difficult for a user in my opinion.

Fair point. But its not as hard as it looks like. I'm the owner of IDENA digital identity for more than 3 years.

Just to name a few things invitation codes, first time registration only possible every 18 days, a lot of time needed to solve flips.

you need 10-30 min of your time each validation (~20 days). They tried to aim for a sweet spot. Validation each day is cool because new members can join right away but from the other hand old members needs to spend 30 min each day instead of once every 20 days.

My thinking is that Biometric data alone without anything else is OK.

I'm not an expert but to me sharing any data is a red flag. I have no guarantee that this app wont collect my IP address, mobile phone hardware details, information about the browser, about the font size set on the phone, screen resolution, location from GPS. I have no guarantee that it wont be connected with darknet databases from other services that were already compromised.

Also if biometric data is all i need for your app ... it means i wont be able to safely use other apps that will one day reach mass adoption if this project will fail because my biometrics can already be compromised.

[chum_yum]

let's say I've got an IDENA digital identity (based on solving some CAPTCHAs, please correct me if I'm wrong).
Now, how can I prove it belongs to me (as a real human being)?  

Private key is the thing that proves that you own this specyfic digital identity. Just like with every crypto wallet. But that's probably not what you wanted to ask, but how idena deals with the fact that one person has multiple nodes. Its the turing test i was talking about before. Its not a "some CAPTCHAs". Its 6 logic puzzles that you have to solve. This test is performed simultaneously for the entire network and short session last only 2 minutes. So there is no way to validate more than 1 identity. Well you can try with 2-3 but sooner or later you will run out of time and fail valition loosing stake and identity. Based on my experience with idena, 1 node is easy to have, 2 is hard, 3 is super hard and risky.

Thanks, I see. Let me clarify my question a little bit. How does the private key identify me as a human being?
It doesn't have to do with me at all, right? So, it can't be treated as a personal identity, cause you'll never know who is the real owner of the private key. That's my point.

Let me give you an example. Imagine, you have 3 person coming over and claiming that each of them is the only owner of an IDENA account. All the three have the private key, which is correctly fit the account. How would you recognize the real one?


 

[JANUS23]

I believe this would be the future of identification, considering it cannot be faked and it is always verifiable. And it is quickly becoming a norm now to have some electronic identification

[Tytanowy Janusz]

Thanks, I see. Let me clarify my question a little bit. How does the private key identify me as a human being?
It doesn't have to do with me at all, right? So, it can't be treated as a personal identity, cause you'll never know who is the real owner of the private key. That's my point.

Let me give you an example. Imagine, you have 3 person coming over and claiming that each of them is the only owner of an IDENA account. All the three have the private key, which is correctly fit the account. How would you recognize the real one?

Just like with bitcoin wallet, etherum wallet etc. If you are irresponsible to the point that 3 people have access to your private key (which is suppose to be private) ... you are the one who is to blame for losing every asset that is on this wallet nor bitcoin or etherum network. Including digital identity.

3DPass also doesn't prove that digital identity belongs to human being. Identity can be sold or sensitive bio-data can be stole from previous similar projects or malicious apps that needs fingerprint to unlock it or from compromised police office database or from passport issuing office. Just answer this question. How is it possible, in your opinion, that someone has a database of 1 million fingerprints?

How 3DPass will deal with fake fingerprint data? I know its impossible to guess my fingerprint. The amount of possibilities are infinite. But creating a random fingerprints should be easy. How will 3DPass sort fake from real preventing 1 person from owning infinite amount of identities?

For example this:

[chum_yum]

Thanks, I see. Let me clarify my question a little bit. How does the private key identify me as a human being?
It doesn't have to do with me at all, right? So, it can't be treated as a personal identity, cause you'll never know who is the real owner of the private key. That's my point.

Let me give you an example. Imagine, you have 3 person coming over and claiming that each of them is the only owner of an IDENA account. All the three have the private key, which is correctly fit the account. How would you recognize the real one?

Just like with bitcoin wallet, etherum wallet etc. If you are irresponsible to the point that 3 people have access to your private key (which is suppose to be private) ... you are the one who is to blame for losing every asset that is on this wallet nor bitcoin or etherum network. Including digital identity.

In my opinion, that's correct, that they will lose their assets, once having their private keys compromised. But only assets, not the identity, cause it was never be there... (in the bitcoin wallet, etherum wallet etc.) They will never ever prove it were their assets stolen.

3DPass also doesn't prove that digital identity belongs to human being. Identity can be sold or sensitive bio-data can be stole from previous similar projects or malicious apps that needs fingerprint to unlock it or from compromised police office database or from passport issuing office. Just answer this question. How is it possible, in your opinion, that someone has a database of 1 million fingerprints?

I would disagree, and will try to explain my thoughts on it this way:

1. As you can see on the picture posted by @3dpass, the HASH ID is created from several pieces of data when together being leveraged as a seed. But each of them represents an authentication factor you can never recover the HASH ID without having all of them:

- a fingerprint is something that you are factor, which can identify the person easily (of course, in person);
- a piece of stone is something that you have factor.
- this combination might be expanded with some additional factors like a password (something that you know), etc.

My first conclusion is that you can identify a human being, however, it's not enough to only have their fingerprint to recover the HASH ID and keys. It implies, that your bio has been already compromised (or even public), but the second factor is private and strong enough to protect your keys.


  

How 3DPass will deal with fake fingerprint data? I know its impossible to guess my fingerprint. The amount of possibilities are infinite. But creating a random fingerprints should be easy. How will 3DPass sort fake from real preventing 1 person from owning infinite amount of identities?

For example this:

The only way to check if a given fingerprint belongs to someone real is to meet him in person and verify it by his finger.

[Tytanowy Janusz]

The only way to check if a given fingerprint belongs to someone real is to meet him in person and verify it by his finger.

So 3DPass is not a digital identity because 1 person can have infinite amount of digital identities. In my opinin, correct me if i'm wrong, it lose majority of use cases.

1. As you can see on the picture posted by @3dpass, the HASH ID is created from several pieces of data when together being leveraged as a seed. But each of them represents an authentication factor you can never recover the HASH ID without having all of them:

- a fingerprint is something that you are factor, which can identify the person easily (of course, in person);
- a piece of stone is something that you have factor.
- this combination might be expanded with some additional factors like a password (something that you know), etc.

So 3DPass is only a more secured version of private key. Or maybe not "more secured" but "secured in a different way". Because you can also hash your private key using "something you know" AKA password and part of your best book as "something you have" using simple softwere. 3DPass is nothing more than that. Am I wrong?

that your bio has been already compromised (or even public), but the second factor is private and strong enough to protect your keys.

good point. But that doesn't  this fact make bio useless in this system?

[Cee2]

Fair point. But its not as hard as it looks like. I'm the owner of IDENA digital identity for more than 3 years.

you need 10-30 min of your time each validation (~20 days). They tried to aim for a sweet spot. Validation each day is cool because new members can join right away but from the other hand old members needs to spend 30 min each day instead of once every 20 days.

I'm not an expert but to me sharing any data is a red flag. I have no guarantee that this app wont collect my IP address, mobile phone hardware details, information about the browser, about the font size set on the phone, screen resolution, location from GPS. I have no guarantee that it wont be connected with darknet databases from other services that were already compromised.

Also if biometric data is all i need for your app ... it means i wont be able to safely use other apps that will one day reach mass adoption if this project will fail because my biometrics can already be compromised.

I appreciate what Idena did as the trendsetter for decentralized identity and for validators/nodes it's great. Ask yourself would this work for anyone else? Only a minority of people are into cryptocurrencies and from those even a smaller minority are into validation/nodes/mining. The feedback that the crypto community always get's is that the community must stop building products for other crypto people only.

Everything from the app is open source there is no data collection. Remember we are just talking theoretical and what ever idea is available to improve security and keep it simple can be discussed for implementation as a community driven project.

I mean we keep discussing it from a theoretical perspective but a private key can always be read if it can be accessed. The general trend when it comes to security is to move away from passwords towards Biometrics. I mean most of use unlock our phones every day like this. A lot of us travel internationally with biometric passports. There is a reason for this and it's the better security compared to a password.

Good dicussion so far to try and make this decentralized identity solution better!

[Cee2]

So 3DPass is not a digital identity because 1 person can have infinite amount of digital identities. In my opinin, correct me if i'm wrong, it lose majority of use cases.

The algorithm checks the blockchain to make sure there is no match. Of course this depends on how many fingers are set up to generate a decentralized identity.

If 3DPass get's the algorithm and conditions right for generating a new decentralized identity then it would be 1 per person. Of course people can be very creative and I joked earlier that people will start scanning their toes 

Nonetheless there would be a strong limitation on the amount of digital identity per real human being with the goal being 1.

You have to remember that for something as difficult, as controlled and centralized as Passports there are a lot of people walking around with multiple passports of different identities. This is not an easy issue to solve but I think the 3DPass proof of scan consensus mechanism which is like a PoW is a great baseline to build from.

So 3DPass is only a more secured version of private key. Or maybe not "more secured" but "secured in a different way". Because you can also hash your private key using "something you know" AKA password and part of your best book as "something you have" using simple softwere. 3DPass is nothing more than that. Am I wrong?

I think this is harsh and I hope you can be open minded on the project.

I believe it is more secure and secured in a different way. More secure in the sense of multiple biometric data plus an additional object which is a crazy level of security. Plus most importantly it will be more user friendly than anything I've seen so far.

Scan two fingerprints plus your favourite sculpture for example. Good luck trying to figure this out for a hacker or forgetting this.

Don't believe me on the accuracy of the algorithm check out this video I made playing around with the current recognition algorithm for 3D shapes.

https://www.youtube.com/watch?v=5TlDE69Tmms&t=6s