Introduction
We all use web services, and creating accounts is one of the obstacles to using them. You have to come up with a unique login, a complex password that you have to remember, and confirm an email address. It is not the most pleasant thing to do.
You can make signing up much easier by simply clicking the "Log in with (name of a popular provider)" button. Such a provider could be Google, Facebook, GitHub, or even your own service. In that case, the service does everything almost without the user's interaction. The user just has to confirm the use of his data by the third-party application. Usually, in this case, authentication is done using the OAuth 2.0 protocol.
But, despite its convenience, this approach has a number of drawbacks. There are a lot of services that offer OAuth 2.0 authentication. Sometimes, for example, it is difficult to remember which application was used with a Google account and which one was used with a Facebook account. Besides, a user depends on the company's policy. If, for whatever reason, a user loses access to his account, he loses access to all the services associated with the account.
Identity Wallet
The solution to these problems could be the use of a personal digital wallet application (Identity Wallet), which stores all the personal data and access consent of the user. An account is created in the wallet application and belongs exclusively to the user.
The Identity Wallet user account can be used for authentication to third-party services. When authenticating, the user can decide which data to share with a third-party application.
The user can also revoke access to their data, request to download all their data from the third-party application, or delete all personal data from any third-party application according to data privacy laws.
If personal data changes, the user can notify the relevant applications.
How it Works
The user installs the Identity Wallet application on their smartphone and enters their personal data, such as their name, birthday, phone number, and email.
During authentication with a third-party application, the application requests the user's consent to access their data. The user can either accept or decline the request. If accepted, the third-party application gains access to the requested data and authenticates the user.
Within the Identity Wallet application, the user can check which of their personal data was accessed, request a history of all actions taken with their data, or request deletion of their account.
When updating personal data, the user can notify the relevant third-party applications.
Technical implementation
System Architecture
The Identity Wallet solution consists of two parts: a mobile application and a server. The mobile application stores all user data, while the server is used for third-party application registration, sending notifications to Identity Wallet mobile applications, storing user data backups, and so on. All user data on the server is encrypted. The server knows nothing about the user except their wallet ID. For convenience, the user can provide data about themselves to the server (e.g., name). The user can use any server if necessary.
Authentication Flow
Authentication flow is based on the OAuth 2.0 protocol with several modifications.
- When a user logs in through Identity Wallet, the app creates a pair of keys: a public key and a private key.
- The application redirects the user to the Identity Wallet server with the public key and a list of requested data (scope).
- The Identity Wallet server identifies the user and sends a Push notification to the Identity Wallet mobile app requesting access to the data.
- If the user has not been authenticated on the server, they can authenticate by taking a picture in the application of the QR code generated by the Identity Wallet server.
- The user accepts the consent to access their personal data.
- The Identity Wallet Mobile App generates a symmetric key, encrypts the requested data with the symmetric key.
- The Identity Wallet Mobile App encrypts a symmetric key with the public key, and sends the encrypted requested data and the encrypted symmetric key to the mobile wallet server.
- The Identity Wallet mobile app stores information about the requested data and the third-party app.
- The Identity Wallet server redirects the user back to the application with a one-time code to retrieve the encrypted data.
- The external application calls the Identity Wallet server API and gets a copy of the encrypted data.
- The external application decrypts the symmetric key with the private key, encrypts the user's data with the symmetric key, and creates an account with the requested personal data.
Backup and Security
The Identity Wallet server does not have access to any user information. All user data is stored in encrypted form. Therefore, even if the server is compromised, an intruder will not be able to access the user's data.
Users can create multiple copies of their data with different keys. In case a user loses one key, they can restore their data with any of the other keys.
Top comments (0)