
No longer let their private data "run naked", a new identity authentication system has emerged


Machine Heart report

Author: Jiang Jingling

When you verify that you are a "student" or a "member", when you book flights, hotels or attraction tickets through a third-party platform, or when you type your ID number, phone number and address into yet another membership page or shopping site, does the crossing of a privacy boundary set off an alarm in your head: will my data be leaked? The question hangs unanswered over your life online, and most of the time all you can do is shrug: you cannot know where the information you type ends up, nor where the data traded by the underground "black and grey" market came from.

For platforms that genuinely only need to authenticate a user once, every extra piece of private data they hold is a liability. With the successive enactment of the Personal Information Protection Law and the Data Security Law, the risk of obtaining and retaining users' private data has risen sharply: once it leaks, legal sanctions follow.

The Internet and daily life overlap more and more, and identity authentication is needed in more and more scenarios, yet cross-platform verification of user information is full of obstacles for users and institutions alike, and extracting value from data has become harder.

How to keep the use of private data in identity authentication to a minimum, so that users feel more at ease and enterprises can use authentication information more securely, has become a topic worth exploring.


Recently the IIFAA Internet Trusted Authentication Alliance has proposed a new-generation distributed trusted authentication system built around terminal security and cryptography. Under it, users can selectively disclose the minimum of personal information, under their own authorization and control, and complete cross-platform identity and qualification verification.

Founded in 2015, the IIFAA Internet Trusted Authentication Alliance was jointly initiated by six organizations: the China Academy of Information and Communications Technology, Huawei, Ant Group, Samsung, Alibaba and ZTE. It is an important domestic body for publishing trusted digital identity technical specifications. Since 2015, by formulating technical specifications recognized across the industry chain, IIFAA has helped resolve the inconsistent authentication specifications caused by the openness of the Android ecosystem and the lack of identity authentication standards for IoT devices, and has promoted the spread of biometric technologies such as fingerprint and face recognition in China.

The "distributed trusted authentication system" is a user-centered trust framework integrating software and hardware that aims to guarantee the authenticity, security and transferability of identity. Under this framework, institutions issue credentials to users, and the credentials are stored encrypted in the secure area of the user's terminal. In future, the digital card wallet on the terminal will hold not only legal identity, academic qualifications and skill certifications, but possibly also boarding passes, park tickets, membership cards, NFTs and other digital certificates.

The value of the system is that the user centrally controls all of their identity attributes, authorizes them only when needed, and observes the principle of minimal disclosure. Enterprises, for their part, collect and verify only the information they need, and no longer have to store any data or call an institution's data interface, so they use identity authentication information within the bounds of compliance. As more institutions in the ecosystem adopt the system, data channels between platforms will form, releasing more of the data's value while still protecting privacy.

The need for digital identity authentication is escalating

We are gradually entering a highly digital society. On the Internet we are no longer a thin symbol made of name, age and place of origin. We may also be a university graduate, a member of a cycling club, a member of a hotel loyalty programme, a holder of a Japanese-Language Proficiency Test N1 certificate... Identity attributes and legal identities across different scenarios and platforms together make up a rich, real user identity in the digital world.

In the current data environment, identity authentication often involves the user's most sensitive private information, and once that data leaks it can usually be tied to a specific person. Digital authentication across these complex and scattered scenarios is therefore not as simple as it looks, and carries real risk.

After the Data Security Law and the Personal Information Protection Law took effect in 2021, the boundaries of how enterprises acquire, use and process personal information were clearly defined. Article 44 of the PIPL provides that individuals have the right to know and the right to decide regarding the processing of their personal information, and the right to restrict or refuse its processing by others. The Data Security Law further requires that an enterprise's data processing fulfil obligations across the whole lifecycle from collection to deletion, together with obligations such as classified and graded data protection and risk monitoring. "Where the national core data management system is violated, the relevant competent department may impose a fine of between 2 million and 10 million yuan and, depending on the circumstances, order the suspension of the relevant operations or of business for rectification, or revoke the relevant business permits or the business licence."


Take barrier-free film screenings for visually impaired people as an example. In a traditional authentication flow, for a viewing platform to verify that a user is disabled, the authority holding the identity data, such as the Disabled Persons' Federation, usually has to open a database interface containing the list of visually impaired people to the platform. The visually impaired user then submits their identity information, the platform collects it and compares it against the Federation's database through that interface, and only then is the identity verified.

The risk points for every party in this process are obvious. The Disabled Persons' Federation, which holds the detailed identity data of visually impaired people, has to establish a high degree of trust with the platform before it can expose the identity data it holds as a service, without the user's authorization. The viewing platform has to collect and retain, locally or in the cloud, a number of pieces of private data that can be linked to identities, and if its servers are compromised and the data leaks, the platform bears legal responsibility. Users, beyond necessary information such as the disability certificate number, also have to submit very detailed legal identity information and irrelevant private details recorded on the certificate, such as disability type, date and grade, and after handing it over they can neither control nor know how the data will be used or whether it is at risk of leaking.

Overall, under policy boundaries that are gradually becoming clearer, the risk pressure that traditional authentication schemes put on every party makes data circulation very costly. Institutions lack a trust system between one another and become data islands; data is hard to circulate, hard to audit and hard to trace, and much of its potential value is suppressed. At the same time, personal private data remains at risk along the entire chain. For users, digital accounts are scattered everywhere and the experience is poor; digital credentials have no unified standard, digital certificates are hard to verify, and counterfeiting is frequent.

In these circumstances, the importance of an infrastructure that can connect the trust of multiple parties becomes apparent. A digital identity credential needs to be recognized by both upstream and downstream, and while data circulates between them, private data must not leak and must be disclosed minimally, so that the competent authority or information holder can trust a third-party institution at low cost, the third-party data user can use personal private data at low risk, and the users who own that data have stronger control over it and can use their digital credentials with more confidence.

Protect digital identities with distributed authentication

Globally, better authentication of digital identities has become an important topic. In 2022 the European Union published Digital Identity: Building Trust Using the Concept of Self-Sovereign Identity and the European Digital Identity Architecture and Reference Framework (eIDAS 2.0), proposing a hybrid technical roadmap that combines traditional eID with self-sovereign identity (SSI). The documents predict that within three years more than 80% of EU users will have an application, possibly in the form of a wallet, that controls their identity.

The "distributed trusted authentication system" proposed by IIFAA provides a set of secure, trusted links for exchanging identity information. Each independent module must be built on protocol standards and verifiable links, and the ultimate goal is to secure the flow of digital information so that digital identities can circulate safely and trustworthily along the industry chain.

The "distributed trusted authentication system" involves three main parties: the issuer, the holder and the relying application (the verifier). The issuer is an authority, enterprise, school or other institution that issues identity credentials to the holder. The holder applies to the issuer for a credential through an IIFAA-supported platform and owns and controls its use. The relying application, such as an online store or a financial institution, only needs to request the credential from the holder and then verify its authenticity.


Compared with traditional solutions, the distributed authentication system is more secure for digital identity and can guarantee the authenticity and authority of digital credentials. On the authority side, because every credential under the system carries the signature of the issuing authority, IIFAA introduces a distributed identity registration module: IIFAA, together with the National Cryptography Engineering Research Center, authenticates each organization, confirms that it is genuine and authoritative, ensures that the identity assets it issues to users are genuine and authoritative, and manages them.

On the circulation link of identity asset credentials, the system uses formal verification methods to secure the circulation of data assets. The whole system is built on a blockchain-based public key infrastructure: identity assets are recorded on the chain and then stored in the trusted execution environment of the user's mobile terminal. This distributed storage avoids the risk of internal leakage and external breach that comes with centralized storage, and at the same time gives users full control of their own private data.
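The issuer/holder/verifier exchange described above can be made concrete with a small Python example. This is an added illustration, not IIFAA's code: it shows how salted-hash selective disclosure lets the holder reveal a single claim from a signed credential while the relying party still checks the issuer's signature and rejects any claim that was not in the signed credential. The Lamport one-time hash-based signature stands in for the issuer's real signing algorithm (it needs only the standard library, but each key pair may sign only one credential), the in-memory `registry` dict stands in for the distributed identity registry, and the issuer identifier `did:example:cdpf`, the function names and all claim values are constructed assumptions.

```python
"""Issuer -> holder -> verifier with selective disclosure (added example, not IIFAA code)."""
import hashlib
import json
import secrets


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature: stand-in for the issuer's real signing algorithm.
# Hash-based and stdlib-only, but each key pair must sign exactly one message.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    d = int.from_bytes(h(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    d = int.from_bytes(h(msg), "big")
    return len(sig) == 256 and all(
        h(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))


# --- Issuer: salt and hash every claim, sign only the list of digests.
def issue(issuer_id: str, sk, claims: dict) -> dict:
    disclosures, digests = {}, []
    for name, value in claims.items():
        salt = secrets.token_hex(16)  # fresh salt per claim blocks guessing a claim from its digest
        disclosure = json.dumps([salt, name, value], separators=(",", ":"))
        disclosures[name] = disclosure
        digests.append(h(disclosure.encode()).hex())
    payload = json.dumps({"iss": issuer_id, "_sd": sorted(digests)},
                         sort_keys=True, separators=(",", ":")).encode()
    # The holder keeps every disclosure (on a real terminal: inside the TEE/SE).
    return {"payload": payload, "sig": lamport_sign(sk, payload), "disclosures": disclosures}


# --- Holder: release only the claims the relying party actually needs.
def present(credential: dict, reveal) -> dict:
    return {"payload": credential["payload"], "sig": credential["sig"],
            "disclosures": [credential["disclosures"][name] for name in reveal]}


# --- Verifier: check the issuer signature, then bind each disclosed claim to the signed digests.
def verify(presentation: dict, registry: dict):
    payload = json.loads(presentation["payload"])
    pk = registry.get(payload.get("iss"))  # issuer key comes from the (stand-in) identity registry
    if pk is None or not lamport_verify(pk, presentation["payload"], presentation["sig"]):
        return None
    claims = {}
    for disclosure in presentation["disclosures"]:
        if h(disclosure.encode()).hex() not in payload["_sd"]:
            return None  # the claim was never part of the signed credential
        _salt, name, value = json.loads(disclosure)
        claims[name] = value
    return claims


def demo():
    """Constructed scenario: a Disabled Persons' Federation credential, one claim revealed."""
    sk, pk = lamport_keygen()
    registry = {"did:example:cdpf": pk}  # constructed issuer identifier
    credential = issue("did:example:cdpf", sk, {
        "name": "Zhang San", "id_number": "110101199001010000",  # constructed values
        "disability_category": "visual", "disability_grade": 2,
        "certificate_no": "11010120200001"})
    presentation = present(credential, ["disability_category"])
    return verify(presentation, registry)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `{'disability_category': 'visual'}`: the viewing platform learns the one attribute it is entitled to, while the name, ID number, grade and certificate number never leave the holder. The digest list is all the issuer signs, so a holder can drop claims freely but cannot add or alter one. A true yes-or-no answer (for example "category is visual" without the category value) would additionally need a zero-knowledge proof or an attested computation on the terminal, which this example does not implement.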


On the terminal, the system applies terminal computing contracts and key-asset guardian technology, so that the device can process data across multiple VCs (Verifiable Credentials), while public algorithms, trusted computing and computational signatures guarantee that the whole computing process is genuine and trustworthy. The endpoint-security-based asset guardian securely stores and processes critical user assets such as biometric features, models and keys. It uses the secure storage inside the terminal TEE/SE so that these assets cannot be accessed or stolen by unauthorized third parties, and handles them so that they cannot be tampered with or compromised by malware or attackers.

In the final authentication step on the third-party platform, the distributed trusted authentication system uses hierarchical credential technology to let users complete identity verification without exposing private information. Biometric template mapping technology processes human biometrics into information that cannot be reduced back to the original: secure computation extracts the salient biological features into feature vectors, converts them into stable strings that carry no biometric attributes, and maps them to an irreversible state, completing distributed biometric verification. After the user's identity has been compared through template mapping, a person can prove who they are without revealing any other private information tied to that identity. Based on cryptographic protocols and algorithms, users need to disclose only a yes-or-no answer to complete qualification checks such as login and authorization.
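The template-mapping idea in the paragraph above, feature vector in, stable and irreversible bit string out, can be illustrated with a cancelable biometric template of the random-projection kind. This is an added example of that general class of technique, not IIFAA's algorithm: an application-specific secret held in the terminal's secure area seeds a random projection, the sign of each projection becomes one bit of the template, and matching is done by Hamming distance in the protected domain. The feature vectors, the `capture` stand-in for a feature extractor, the secrets and the threshold are all constructed for the example.

```python
"""Cancelable biometric template: random projection + sign binarisation (added example)."""
import hashlib
import random

DIM = 32    # length of the constructed feature vector (a real embedding is larger)
BITS = 256  # length of the protected template


def projection_matrix(app_secret: bytes):
    """Per-application random projection derived from a secret kept in the terminal's
    secure area. A different secret per relying party gives unlinkable templates, and a
    leaked template can be revoked by rotating the secret."""
    rng = random.Random(int.from_bytes(hashlib.sha256(app_secret).digest(), "big"))
    return [[rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(BITS)]


def protect(features, app_secret: bytes) -> int:
    """Map a feature vector to a BITS-long bit string: the sign of each projection.
    Only the signs survive, so the template does not expose the feature vector directly;
    an attacker who also obtains the secret could approximate it, which is why the secret
    lives in the TEE/SE."""
    template = 0
    for row in projection_matrix(app_secret):
        dot = sum(w * x for w, x in zip(row, features))
        template = (template << 1) | (1 if dot >= 0 else 0)
    return template


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def matches(enrolled: int, probe_features, app_secret: bytes, threshold: int = BITS // 4) -> bool:
    """Compare a fresh capture against the stored template entirely in the protected domain."""
    return hamming(enrolled, protect(probe_features, app_secret)) <= threshold


def capture(person: int, session: int = 0, noise: float = 0.02):
    """Constructed stand-in for a biometric feature extractor: one fixed vector per person,
    plus a small per-session jitter that mimics a new sensor reading."""
    base = random.Random(person)
    feats = [base.uniform(-1.0, 1.0) for _ in range(DIM)]
    if session:
        jitter = random.Random(person * 100003 + session)
        feats = [x + jitter.uniform(-noise, noise) for x in feats]
    return feats


def demo():
    """Hamming distances for a genuine re-capture, an impostor, and the same person at
    another application (the last shows templates from different secrets are unlinkable)."""
    enrolled = protect(capture(1), b"app-A-secret")  # enrolment on the terminal
    return {
        "genuine": hamming(enrolled, protect(capture(1, session=1), b"app-A-secret")),
        "impostor": hamming(enrolled, protect(capture(2), b"app-A-secret")),
        "other_app": hamming(enrolled, protect(capture(1), b"app-B-secret")),
    }


if __name__ == "__main__":
    print(demo())
```

A genuine re-capture lands within a few bits of the enrolled template, while an impostor, or the same person enrolled under a different application secret, sits near the 128-bit distance expected of two unrelated random strings. The relying party only ever sees the comparison result, never the feature vector, which is the "yes or no" disclosure the text describes.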

By covering the whole chain of issuing, storing and verifying digital assets, the distributed trusted authentication system can guarantee the authenticity of digital assets, minimize the exposure of private data throughout digital authentication, and so substantially raise the level of protection for users' private data. At the same time, the abuse of users' private data by some third-party platforms will change, since every use of data along the chain can be traced and audited.

And as adoption grows, upstream and downstream companies in the industry can interconnect their data at lower cost, so that data generates greater value.

Compared with the very high trust cost of the traditional solution, a visually impaired person need only apply to the Disabled Persons' Federation for a disability verification credential through an IIFAA-supported online mini program for visually impaired users. When watching a film on an online viewing platform, they authorize only the credential for their disability category to the platform, and after online verification they can enjoy barrier-free cinema at home. The Federation no longer has to take on risk by establishing a high-trust relationship with third-party platforms; the viewing platform no longer has to collect large amounts of sensitive information from users and only verifies the digital credential; and users choose on their own phones which sensitive information is released.

Under this trend, the threshold for upstream-and-downstream interoperability in the data industry chain will fall further, and more data value can be tapped. For example, as more services connect, the scope of application will keep expanding: disability verification can move online, and scenarios such as applying for assistive equipment, free admission of disabled people to parks, volunteer assistance services and their settlement, and loans for disabled people may follow. Once digital credentials managed in one place on the user's terminal become widespread, terminal manufacturers will have a more complete picture of each user and can deliver more precisely targeted services.

A complete ecology needs to be built by multiple parties

Since its founding in 2015, IIFAA has been committed to promoting the development and application of trusted authentication technology, and has played a leading role in the industry's development of technical specifications.

IIFAA now has more than 300 member organizations covering the "whole industry chain": leading application vendors, mobile terminal manufacturers, IoT vendors, chip makers, security solution vendors, artificial intelligence companies and national testing agencies, across diverse business scenarios. The IIFAA Trusted Digital Identity specification is currently used and supported on more than 1.6 billion mobile devices, 43 phone brands and more than 900 phone models worldwide. IIFAA also serves finance, government, e-commerce and public travel applications such as Alipay, 12306, China Construction Bank, Bank of Communications, China Eastern Airlines and Suning.com to secure the user experience.

Over the past eight years IIFAA has gone through three major iterations:

2015 to 2018: the local password-free phase. 2015 was the year IIFAA was founded and also the year fingerprint recognition took off. That year Xiaomi, Huawei, OPPO, vivo and other mainstream domestic Android manufacturers launched phones with fingerprint sensors, and fingerprint recognition became standard on new domestic Android devices. In the same year Alibaba, JD.com and Tencent began an arms race in mobile payment, and fingerprint payment became a key battleground.


Before that, phone unlocking and payment verification mostly relied on entering a password. Fingerprint recognition opened a new era of biometric verification, and from then on biometrics as a means of authentication spread through the mobile ecosystem. Compared with entering a password, paying with a fingerprint is faster, cannot be forgotten and is harder to compromise, which greatly improved both the speed and the security of user verification.

Behind the spread of fingerprint recognition on Android terminals, IIFAA played an important role. At the time the open Android ecosystem had no unified standard for biometrics, and without standards the solutions up and down the industry chain were complex and inefficient. IIFAA used its position to work with application, terminal and chip vendors to draw up standards and deliver a portable local password-free framework suited to the whole chain.

The trusted system defined by IIFAA specifies how the terminal collects biometrics, how the matching logic runs, how user feature data is stored and how the verification result is delivered. It supports fingerprint, FaceID, 3D face, iris and other biometric verification schemes, guarantees their speed and security, and ultimately drove the rapid adoption of fingerprint, face and other recognition methods. IIFAA grew rapidly as a result.

After 2018: the Internet of Everything phase. Building on the earlier trust system, IIFAA extended it to the Internet of Things. On the device side, besides continuing to develop standards with mobile device makers, IIFAA began to establish standards, or explore standard technical capabilities, with certain kinds of IoT device and chip manufacturers in vertical industries. It introduced IoT certification standards and IoT authentication chips, broadening the scope of certification from people to people and devices: for example, digital car keys, smart home devices and smart machines. According to the data, 2.5 million IoT devices have connected to IIFAA since 2022, of which more than 1.5 million electric bicycles use IIFAA's digital key solution.

2023: the distributed authentication system, IIFAA's third major iteration, enters the digital identity stage. IIFAA's certification extends from people, and people and devices, to the attributes associated with people. As a senior IIFAA employee put it: "We found that as the scope of IIFAA certifications continues to expand, we need to do more at the security and trust level."

Like the local password-free phase in 2015, the digital identity phase is at an early stage of global standards development, but the need for digital identity is growing. The difference from the previous two phases is that authenticating digital identity attributes is no longer a point-to-point matter; it involves a growing number of institutions, users and third-party platforms, with wider reach and greater consequence. As a set of trusted foundations, the distributed authentication system needs every member of the ecosystem to take part, improving protocols, standards, security and links, and jointly building interoperable, mutually recognized and transparent trusted authentication services.

Widespread, mature digital identity is a distant vision. As IIFAA chairman Shao Xiaodong described it at the Bund Conference, the trusted digital asset wallet backed by the IIFAA distributed trusted authentication system will in future give users a platform to manage their personal identity, digital credentials and digital assets. Through it, users own and control their digital identities and assets, and only with their own authorization, in encrypted form, selectively and minimally disclose personal information to complete cross-platform identity and qualification verification. Throughout, users can view authorization credentials and verification records at any time and manage them in real time as they wish.


"In future there will also be various subdivisions of users' personal identities, personal digital credentials and personal digital assets. 'My identity' may hold my legal identity, education or skill qualifications, professional qualifications, or special qualifications (such as senior citizen or medical worker); 'My digital credentials' may hold my boarding pass, park tickets, membership card, my medical certificate and so on; 'My digital assets' may hold my NFTs, my game accounts, my digital car keys and door keys, and so on."

It is foreseeable that under a more secure and trusted authentication system every party in the digital identity chain will benefit, protecting users' privacy while staying compliant and tapping the value of more digital identities. For this distant vision, though, adoption will remain the most important indicator for a long time to come. Once digital identity credentials are widely adopted, privacy will no longer block data interoperability between enterprises, and more workable business models will grow up around digital identity.

At the Bund Conference, IIFAA chairman Shao Xiaodong called on more ecosystem members to join in building the distributed authentication system, whether by discussing technical specifications, building the security and functional core, or exploring innovative applications. We believe the IIFAA distributed trusted authentication system will ultimately become a "user-centric" cross-institution trusted authentication infrastructure, providing a trusted technical system for the secure and compliant flow of authentication information and safeguarding the development of the digital economy.