“Who’s there!?”
If it’s good enough to open Shakespeare’s Hamlet, then it’ll serve as an opening to this blog.
It’s also the crucial question behind almost every important online interaction we perform. Identity verification is an essential function of how the internet works. If an account-based application can’t validate who you are, it can’t provide its services. If a regional application can’t verify where you are, it shouldn’t provide its services. If it can’t trust what you are, then its services might be rendered pointless entirely, or at the very least less valuable, e.g. the bots that overrun various social media sites.
Institutions ranging from banks and governments to streaming services and dating sites need to ensure that you are you, not only to protect their users but to protect themselves. Every one of us relies on powerful verification methods, underpinned by cryptography, to protect our privacy, our data, our assets and our lives when we interact online. From the humble password to vein pattern recognition, from “my voice is my password” to DNA keys, we have no shortage of methods to work out whether the person trying to gain access is indeed entitled to get into the party.
Sensitive Compromises
Where we drastically fall short is in ensuring that the need to verify doesn’t also compromise that person’s privacy in the process. Passwords and other verification methods are, by their very nature, extremely sensitive information. Often, these access-control secrets are reused by users across multiple applications (they shouldn't be, but they are).
Should the password be compromised, then like dominoes every other piece of PII is usually up for grabs, as hackers can simply log in to the individual accounts themselves. The famous Sony breach of 2011 was a travesty in which thousands of passwords were leaked, along with personal info and emails, which then put other accounts of PSN users at risk as the reused information was put to use by hackers.
Protecting Your Genome
And that’s just alphanumeric strings. What happens when iris scanning, DNA verification, fingerprint scans and voice recognition all become the default, as they already are in more sensitive sectors? Then a data breach doesn’t just reveal your mother’s maiden name; it reveals your whole genome.
The increasing variety of potential verification data that goes beyond just passwords means that compliance can get very complicated indeed. Managing this data appropriately, especially when verification may be taking place across a fleet of edge devices, becomes a terrifying challenge. Remember, also, that it’s not just humans who need to be verified, but perhaps devices themselves.
Your smart car might be entitled to one free automated car wash per month; you just roll it straight onto the rank, but that service can only be initiated by the smart car communicating with the local device handling the car wash service. Or maybe you just need to speak into a verification device with your voice or press your fingerprint to get into an airport lounge. These are twee examples (you can replace the airport lounge with a bank vault if you want something more serious), but they show that as we have more connectivity, as our social environments become more automated, and as more of our daily services are ‘always online’, we expose ourselves to more potential privacy concerns. The necessity for building robust data management for verification profiles becomes paramount if these neo-cities are to flourish, and if the internet we have now is to continue working in an age of bots, hacks, and breaches.
To say, then, that the storage and management of verification data is both essential and needs to improve is putting it lightly. GDPR and CCPA regulations already demand effective compliance, and developers are always looking for ways to secure verification data properly, no matter what form it takes.
The End to Kiss and Tell
There are ways to store verification data well. You can add a salt, you can add a pepper, you can use AES-256 encryption at rest, and you can tokenize verification data, storing only the token in the application database while keeping the actual data somewhere separate and more ironclad. You can use zero-knowledge proofs so that users or devices can prove their credentials without revealing the sensitive information itself, implement robust relationship-based or role-based access controls, and enact watertight auditing that logs every access attempt and keeps a constant eye on who is trying to get in.
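The salt, pepper and tokenization techniques listed above, as an added illustration that is not code from Source Network or this post. It assumes the pepper is supplied from outside the credential store (here via an environment variable with a constructed fallback), uses scrypt as the memory-hard KDF, and uses an in-memory dictionary to stand in for the separate, tightly controlled store that tokens point to.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Assumed: the pepper lives outside the credential database (env var, KMS, HSM).
# The fallback is a constructed value so the example runs offline; never ship one.
PEPPER = os.environ.get("AUTH_PEPPER", "constructed-pepper-do-not-use").encode()


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Per-record salt (stored beside the hash) + global pepper (NOT stored)
    + a memory-hard KDF, so a leaked table alone is not enough to crack."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode() + PEPPER, salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return {"salt": salt.hex(), "hash": digest.hex(), "kdf": "scrypt-n14-r8-p1"}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, bytes.fromhex(record["salt"]))["hash"]
    return hmac.compare_digest(candidate, record["hash"])


class TokenVault:
    """Tokenization: the application database keeps only an opaque token;
    the raw verification input (e.g. a biometric template) lives in a
    separate store with far tighter access controls (a dict here, assumed)."""

    def __init__(self) -> None:
        self._vault: Dict[str, bytes] = {}

    def tokenize(self, raw: bytes) -> str:
        token = "tok_" + secrets.token_urlsafe(16)  # random, reveals nothing
        self._vault[token] = raw
        return token

    def detokenize(self, token: str) -> Optional[bytes]:
        return self._vault.get(token)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec))  # True
    vault = TokenVault()
    tok = vault.tokenize(b"constructed-fingerprint-template")
    print(tok, vault.detokenize(tok) == b"constructed-fingerprint-template")
```

The application database row would hold only `rec` and `tok`; the pepper and the vault contents never reach it.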
Source Network’s tools are able to securely manage and facilitate the storage and processing of all types of verification inputs, and ensure safe management of this most precious of data without having to resort to centralized databases that are at risk of being breached. DefraDB’s granular access control over data permissions is crucial for managing sensitive verification data: an application, or the edge device it's running on, does not need wholesale access to the data it’s using in order to verify the user it’s serving, only the essential data it needs. Orbis manages secrets and credentials trustlessly and ensures that data that needs to stay private remains private, while SourceHub enforces permissions and policies through consensus and ensures consistent data versioning and trust anchoring, making these verification processes unimpeachable in their integrity.
Flexibility in Security
Source Network is about future-proofing ever more sensitive and ever more abusable PII for the increasingly connected world, while offering developers flexibility in how they implement their security with our Open Web tech. It’s about making the verification processes that occur across a distributed network as watertight as, or even more watertight than, those that take place in a monolithic system. It’s about changing the ideological paradigm of data from one of corporate control to one of user ownership, so that verifying who you are doesn’t mean revealing everything about yourself to every single app or service you ever want to use. It’s about laying the foundations for a new understanding of how we access the internet and the digital aspects of our physical reality, making end users stakeholders in their own security. A world in which, when it asks “who is there?”, we just respond “we are”, and that will always be enough.