Identity will have to go on-chain sooner or later. This will make many things possible, both good and meaningful as well as frightening and dystopian. We look at two startups trying to find solutions to bring identity to the blockchain in an effective but privacy-sensitive way.
Identity is considered one of the keys to the blockchain ecosystem. Once you’ve got identity on-chain – somehow – so much becomes possible, from opening an account at a bank or exchange with nothing but your wallet, to keeping certificates in a wallet, be it the attestation for a first-aid course or a university degree, and possibly using them to get access to certain services, portals or buildings.
Hardly anyone denies that a digital identity would be useful, and many are convinced that a blockchain would be a suitable place for it. However, there is less consensus on how to do this. How do you prevent identities from being sold or stolen? How do you protect privacy, and how do you allow users to reveal only the information that is necessary, and only to those for whom it is intended? How can different identities – or fragments of identities – be linked together? How can it work as decentrally as possible?
Such questions will be answered in the years to come. The question is not whether they will be, nor so much when – but how! How identity is brought on-chain will be decisive for how self-sovereign and private one will be on the internet in the future – and how tightly meshed the network of surveillance will be. It’s about utopia and dystopia.
Therefore, we are presenting two approaches here: First, KYCT from the Cologne startup Ubirch, and second, ZKPortal, a project by a lawyer living in the Netherlands. Both are different and thought through in their own way.
The abbreviation KYCT stands, not very originally but consistently, for Know Your Customer Token: a token that is used to identify a customer. KYCT has the great advantage that the token is already live: anyone can mint it, anyone can query it, anyone can present it.
KYCT was developed by Ubirch, a startup that already had experience with the tokenization of Corona test certificates. In order to receive it, users must log into Ubirch with a Web3 wallet such as Metamask and then undergo identity verification, either via video ident or SMS. Ubirch then stores the data on its own server as a hash tree and stores the root hash on blockchains such as Ethereum or IOTA.
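The hash-tree arrangement described above can be sketched as follows. This is an added example, not Ubirch's code: the record format, the salting and the function names are assumptions made for illustration. It shows that only the root has to be public, while a single record can still be proven against it.

```python
import hashlib
import os

def leaf_hash(record: bytes, salt: bytes) -> bytes:
    # 0x00 prefix separates leaves from inner nodes; the random salt stops
    # anyone from brute-forcing low-entropy records (e.g. phone numbers).
    return hashlib.sha256(b"\x00" + salt + record).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    """Return all tree levels, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # odd node is promoted, not duplicated
        levels.append(nxt)
    return levels

def prove(levels, index):
    """Sibling hashes needed to recompute the root from leaf `index`."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(record, salt, path, root):
    acc = leaf_hash(record, salt)
    for sibling, sibling_is_left in path:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == root

# Constructed sample records; nothing here is real customer data.
RECORDS = [b"wallet=0xA1;check=video-ident", b"wallet=0xB2;check=sms",
           b"wallet=0xC3;check=video-ident"]
SALTS = [os.urandom(16) for _ in RECORDS]
LEVELS = build_levels([leaf_hash(r, s) for r, s in zip(RECORDS, SALTS)])
ROOT = LEVELS[-1][0]  # the only value that would be anchored on-chain

if __name__ == "__main__":
    print("root:", ROOT.hex())
    print("record 1 proven:", verify(RECORDS[1], SALTS[1], prove(LEVELS, 1), ROOT))
```

A verifier who holds only the root learns nothing about the other records, and a record altered after anchoring no longer verifies.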
“We do not publish any personal or identity-related data,” explains CEO Stephan Noller. “However, the user can use the token to provide proof. At its simplest, that’s proof they have a token, like the blue tick on Twitter.” That would be useful, for example, to regulate comment areas or forums. With a smart contract, Noller continues, “you can see what type of identity check has taken place and, depending on the configuration, you can generate a link that makes the master data visible.” This link may only be valid for a limited number of views or a limited period of time to prevent it from becoming a data leak.
To prevent the identity from being sold, KYCT uses the concept of “soulbound tokens”. These are tokens that cannot be transferred once they are created and assigned to an address. This concept was specially developed to bring non-purchasable “assets” such as identities or proof of achievement on-chain. KYCT is one of the first live applications of soulbound tokens.
Noller has several applications in mind. On the one hand, he thinks “there will be a login with KYCT in the future. That’s obvious for Web3 applications like the Metaverse, but we’re also in talks with banks.” On the other hand, KYC tokens can make transactions more legally secure. When transactions are backed by an identity, it strengthens the means to defend against fraud.
In line with the DID concept, Ubirch plans to tokenize more than just civic identity. The startup is already taking a step in this direction with KYC light via telephone number. “But we are also planning other things, such as certificates and citizen tokens from cities and municipalities. You could have a Berlin token, for example, in order to use the city’s digital offers or give feedback to them.”
Sascha Jafari is a coder and tax attorney at the same time. Working at the interface between technology and law, he set up his own company, summitto, five years ago to fight VAT fraud in compliance with data protection regulations. But because the cooperation with the tax authorities was too sluggish for his taste, he is now focusing on zkPortal, using the technologies he has already developed to help the crypto market avert the data protection violations that the upcoming wave of regulations threatens to cause.
“There will be laws and regulations. That’s unavoidable, and the basic idea isn’t entirely wrong either, but it’s a balancing act,” explains the German, who lives in the Netherlands. “On the one hand we don’t want to regulate too much so as not to stall the ecosystem, on the other hand there are things like ransomware and other extortions that we want to prevent.” Ideally, you should protect the good and prosecute the bad. But that stands or falls with identity.
His zkPortal project is trying to do just that. You can log in there and verify your identity, so far only with the Dutch DigiD certificate. “We then sign it with our public key, send it back to the app and then delete it again. So the user has a notarized identity on the phone, but we don’t know it.”
With this notarized ID, the app can now create zero-knowledge proofs. These prove that a statement is true without revealing the data behind it, for example that someone is older than 18 without revealing how old they actually are. Or that someone is not from North Korea, Iran or Russia, without revealing which country they are from. “This allows apps or DeFis to require users to be of legal age and not from Russia without having to verify my passport.”
zkPortal only partially meets the classic requirements of banks and financial service providers. You can use it to prove that you are of legal age and not on any sanctions list. But you can’t really identify yourself with it. KYC and AML, i.e. customer identification and anti-money laundering measures, are not feasible to the extent that they are usually required.
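The "older than 18 without revealing the age" idea can be illustrated with a hash-chain age proof, a far simpler construction than a general zero-knowledge proof system. This is an added example, not zkPortal's code or scheme: the function names are hypothetical, and the notary's signature over the commitment is assumed and left out.

```python
import hashlib
import os

def chain(value: bytes, steps: int) -> bytes:
    """Apply SHA-256 `steps` times."""
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value

def issue(age: int):
    """Notary side: returns (secret seed for the user, public commitment).
    The commitment is the seed hashed `age` times; in a real deployment the
    notary would sign it and then forget the seed (assumed, not shown)."""
    seed = os.urandom(32)
    return seed, chain(seed, age)

def prove_at_least(seed: bytes, age: int, threshold: int):
    """User side: a proof can only be built if age >= threshold."""
    if age < threshold:
        return None
    return chain(seed, age - threshold)

def verify_at_least(proof: bytes, commitment: bytes, threshold: int) -> bool:
    """Verifier side: hashing the proof `threshold` times must reach the
    commitment. The verifier never learns how many steps came before."""
    return chain(proof, threshold) == commitment

# Constructed sample users: one aged 34, one aged 17.
ADULT_SEED, ADULT_COMMITMENT = issue(34)
MINOR_SEED, MINOR_COMMITMENT = issue(17)

if __name__ == "__main__":
    proof = prove_at_least(ADULT_SEED, 34, 18)
    print("adult passes 18+:", verify_at_least(proof, ADULT_COMMITMENT, 18))
    # Best a 17-year-old can do is present the seed itself; it falls one hash short.
    print("minor passes 18+:", verify_at_least(MINOR_SEED, MINOR_COMMITMENT, 18))
```

The commitment is the same at every presentation and a captured proof can be replayed, so a deployed scheme would also bind the proof to a key held by the user.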
Identification with the Dutch DigiD was relatively uncomplicated for Sascha. The German market, on the other hand, gives him more headaches. He is currently thinking about getting confirmation from a bank that it has carried out a KYC and then tokenizing it. Alternatively, a university degree would also work as proof of personal identity, or an Ethereum address to prove that you are not on a blacklist. Or proof by a token like KYCT?
Even if zkPortal certainly does not promise a complete solution to all the problems of digital identity, the project can deliver some important components of the solution in a very privacy-sensitive way. Sascha hopes to convince the Web3 scene to possibly integrate his application into wallets.