We spoke to entrepreneur Jeff Hagins of Woven to find out how creating a system of distributed digital identity could prevent data breaches and replace the need for other types of cybersecurity solutions in the future.
For many businesses, a data breach can be a disaster. Breaches can cost businesses large sums of money and erode customer confidence. Yet the main source of most data breaches is not malware, but human error. According to information security company Shred-it, 47 percent of business leaders surveyed said human error by an employee had caused a data breach at their organisation. As many as one-third of these errors involved a compromised password.
Los Angeles-based Woven was founded to reduce the risk of enterprise security breaches by eliminating the vulnerabilities associated with today’s digital credentials. Woven does this by replacing passwords with cryptographic keys and multiple layers of biometrics and verifiable digital credentials. These credentials are attached to individuals, not companies, so they can be taken from one employer to the next. To learn more about the vision behind this innovation and the future of cybersecurity, Springwise spoke to Woven’s founder, Jeff Hagins.
Hagins’ previous venture was smart home IoT platform SmartThings, which was bought by Samsung in 2014, just two years after its founding. While casting around for new ideas, Hagins was struck by the way that identity rests at the root of many cybersecurity problems. As an example, he points out that the root cause of a phishing attack is the fact that the user has no way of knowing whether the website they are looking at is authentic. Similarly, websites only know whether the person logging in has the right username and password, not whether those credentials have been stolen.
Hagins explains that, “The technology used in cybersecurity systems has actually been around for a long time. It is based on what’s called public key encryption (PKI). This involves the use of two cryptographic keys – a public key and a private key. The keys are very long strings of data. When sending a message, the sender generates a cryptographic signature, using their private key. The receiver can then use the public key to verify that the signature is correct. These cryptographic key pairs can be used instead of passwords.”
While PKI is not new, what has changed is the development of blockchain technology, which allows data to be stored in such a way that it can be proven not to have been modified. Says Hagins, “Fifty years from now people will look back and laugh at us because they won’t understand why it took us so long to figure these problems out. What is new though, and part of what makes all this work, are technologies like blockchain. Not from a crypto-currency perspective … but rather blockchain as a mechanism for storing information and then being 100 percent certain that that data hasn’t changed.”
Hagins goes on to explain that once companies realised there was a real security problem with passwords, they developed two-factor authentication to add security. However, many consumers find two-factor authentication inconvenient, so rarely use it. And now many of the two-factor authentication solutions have themselves been found to be vulnerable. “We kept building on top of passwords when what we should have been thinking about is how do you get rid of passwords instead. Passwords are part of the problem, not part of the solution.”
Rather than passwords or two-factor authentication, Woven has created a system of multi-factor identification which uses “a combination of the private key, biometrics and other factors.”
Woven begins by taking a digital picture of a paper identity document, like a passport or driver’s licence. Woven’s software then runs forensic analysis to make sure that the document is real and has not been tampered with, and to extract the information. Woven then accesses data sources to verify the information before creating a digital version of the identity document. That digital document is then cryptographically signed by Woven, using its private key.
Hagins predicts that one day this Woven-issued digital identity document will be replaced with a government issued digital credential: “Of course, we look forward ten years from now to a world where your government-issued ID is actually going to be digital to begin with. But we don’t live in that world yet, so today [we] have to actually start with the Woven app on your phone and an actual identity document.”
When users want to share their digital identity, such as when starting a new job, they would sign it using their private key. This proves the document is authentic and belongs to the user. The private key itself will be held in secure hardware on the user’s phone, inside a special cryptographic processor. This may sound futuristic, but Hagins points out that this system is actually already in existence. “Guess what, every phone since the iPhone5 already has this… Even our software does not have access to these keys. The only thing we get is the public key.”
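The issue-then-present flow described above, as an added example that is not Woven's code: an issuer signs a credential containing the holder's public key, the holder signs a challenge with the matching private key, and the verifier checks both signatures. The Ed25519 software keys (standing in for the phone's hardware-held key), the field names and the nonce challenge are assumptions made for illustration.

```javascript
// Added illustration: issuer-signed credential bound to a holder key.
// Software Ed25519 keys stand in for the phone's hardware-held key.
const crypto = require('crypto');

const issuer = crypto.generateKeyPairSync('ed25519'); // credential issuer
const holder = crypto.generateKeyPairSync('ed25519'); // user's device key

const pubPem = (k) => k.export({ type: 'spki', format: 'pem' });
const sign = (data, priv) => crypto.sign(null, Buffer.from(data), priv).toString('base64');
const verify = (data, pub, sig) =>
  crypto.verify(null, Buffer.from(data), pub, Buffer.from(sig, 'base64'));

// Issuer: after checking the paper document, sign the claims together
// with the holder's public key so the credential is bound to that key.
function issueCredential(claims, holderPublicKey) {
  const body = JSON.stringify({ claims, holderKey: pubPem(holderPublicKey) });
  return { body, issuerSig: sign(body, issuer.privateKey) };
}

// Holder: sign the verifier's fresh nonce plus the credential body,
// proving possession of the private key without revealing it.
function present(credential, nonce, holderPrivateKey) {
  const holderSig = sign(nonce + '.' + credential.body, holderPrivateKey);
  return { credential, nonce, holderSig };
}

// Verifier: needs only the issuer's public key and its own nonce.
function verifyPresentation(p, expectedNonce, issuerPublicKey) {
  if (p.nonce !== expectedNonce) return 'stale-or-replayed';
  if (!verify(p.credential.body, issuerPublicKey, p.credential.issuerSig))
    return 'bad-issuer-signature';
  const holderKey = crypto.createPublicKey(JSON.parse(p.credential.body).holderKey);
  if (!verify(p.nonce + '.' + p.credential.body, holderKey, p.holderSig))
    return 'bad-holder-signature';
  return 'ok';
}

// Constructed sample data.
const cred = issueCredential({ name: 'Alex Example', docType: 'passport' }, holder.publicKey);
const nonce = crypto.randomBytes(16).toString('hex');
const good = present(cred, nonce, holder.privateKey);
// An altered claim no longer matches the issuer's signature.
const tampered = { ...good, credential: { ...cred, body: cred.body.replace('Alex', 'Mallory') } };
// A copied credential signed with a different key fails the holder check.
const otherKey = crypto.generateKeyPairSync('ed25519');
const copied = present(cred, nonce, otherKey.privateKey);

console.log(verifyPresentation(good, nonce, issuer.publicKey));
console.log(verifyPresentation(tampered, nonce, issuer.publicKey));
console.log(verifyPresentation(copied, nonce, issuer.publicKey));
```

The verifier never sees a private key or a shared secret, so a copied credential is of no use without the device key it is bound to.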
Although Woven’s system is based on existing technology, there are still a number of challenges to be overcome before it can see widespread use. Chief among them is the need for a new standards infrastructure. “Standards are hard, getting everyone to agree is never easy… The good news is we know how to solve these problems, but we have to get agreement on exactly what that looks like and that’s going to take a few years.”
Widespread use of distributed identity will also involve creating new ways of looking at privacy. Hagins describes the main problem as creating a system of distributed digital identity while at the same time protecting users’ privacy. He feels that the system will be a failure if all it does is place checks for users’ identity in the hands of a central authority.
Initiatives like GDPR are putting an emphasis on privacy and on consumers’ rights to manage their own information, yet what Hagins really wants is to allow people to manage their own personal information. “I want to be able to control for what purposes [someone] is allowed to use my information and if I change my mind, I want this to be easy – I don’t want to have to go back to their website and log in… I want to do this from one place, from my identity wallet…”
For Hagins, initiatives like GDPR have added friction to the online experience. He envisions a system that removes that friction while still maintaining privacy. This system could allow, for example, people to share health data but not identity; or to allow marketers to use demographic information to present users with products without knowing their identity or contact details. Says Hagins, “It’s all about finding the right balance.”
For the future, Hagins sees the rise of distributed digital identity pushing out other types of cybersecurity solutions, because they will no longer be needed. “There’s a lot of cybersecurity solutions today that focus on trying to detect the bad guy… but [with] distributed identity… I won’t need to know anymore who the bad guys are because you will already know who the good guys are. If we lift everybody else up, from an identity perspective, then the bad guys identify themselves, because they’re not properly identified.”
While Hagins realises that distributed identity will not eliminate all forms of cybersecurity threats, he hopes that it will help to eliminate profit as a motivation for cyber-attacks. “It’s not like digital identity is going to magically solve all of our security problems… Our goal should be that internet hackers are not an industry… We have to create a world where you can’t make money being a hacker… That’s probably a 20-year journey.”
Woven is scheduled to launch at the end of March, 2019.