ShoCard: Own Your Identity

Our online identity is an integral part of who we are, especially as the Internet continues to evolve into a more social and interactive space. Today, networks, communities and businesses are eager to obtain, store and analyze information about us. As cloud applications have grown, users suffer from identity bloat, where managing user names and passwords across accounts becomes very difficult. Studies have shown that a person can have dozens if not hundreds of online accounts, which often share credentials, leading to a massive security and management problem. The spate of cyberattacks in recent times has exposed the data of hundreds of millions of users, and a significant percentage of them fall victim to identity fraud, scams or harassment. Password managers, two-factor authentication and identity management platforms are great tools to mitigate these risks, but don’t address the fundamental problem of a user not owning his or her identity.

For enterprises, this is an especially major concern, as employees and third-party contractors/consultants often need variable access to company systems and applications. They need a solution that can verify and manage identities in a reliable, cost-effective and secure manner while maintaining trust across multiple parties in real time. Such a solution does not exist today.

“There is No Global Digital Passport” — Customer

This is precisely the problem that ShoCard solves. ShoCard establishes a unique identity for each user and preserves that identity across transactions and interactions using blockchain. This enables the employee, the employer and a third-party organization to build trust among themselves and dramatically increases security and manageability over standard username/password and two-factor authentication tools.

“ShoCard allows you to preserve identity across organizations and industries” — Customer

5 Factor Authentication!

The ShoCard platform begins by giving each entity in an interaction a persistent private key to sign all communication. This includes the user/employee, the cloud application being accessed and even the individual session used to exchange data. The public keys and the relevant signatures are stored on the blockchain and can be accessed anytime to verify the identity of the entities. When a user tries to access the application, the private keys are used to digitally sign the information required to establish a session, while the identity is verified by accessing the public keys on the blockchain. All communication is encrypted using the receiving party’s verified public key. The keys and the authentication process are seamlessly managed by the ShoCard app running on the user’s mobile device and the ShoCard IDP service running in the cloud application’s network. Once the session is authorized, there is no need for any further verification and the communication continues as it normally would between the user and the application. This workflow can be seen in the image below.

“ShoCard is very powerful and truly leverages the strengths of blockchain. It is not just a federated solution” — Customer

One of the great value propositions of ShoCard is that the private key of the user is unique to the mobile device where the ShoCard app is running. As long as the device stays with the user, his/her identity is secure. Therefore, massive breaches where millions of identities are stolen are very difficult to pull off, since there is no central repository to hack. Either large numbers of individual devices have to be compromised to get access to the user private keys, or the blockchain itself has to be undermined, both of which are extremely hard. Furthermore, the absence of usernames and passwords in this entire workflow makes management and security a lot easier and cheaper. The Session ID, private user key, private key of organization/application and any additional verifications like fingerprint matching can create four or even five factor authentication, resulting in an unprecedented level of security for enterprises and their users.

The ShoCard platform also integrates with existing SSO services and leverages protocols like SAML and OpenID Connect. As a result, nothing needs to be replaced and deployment/integration is quick and painless.

Trust Across The Network

“ShoCard provides a truly secure mechanism to manage and share data across boundaries” — Customer

The ShoCard solution is built around an individual. This user, employee or contractor can move across organizations and/or services and carry his/her identity. This creates an incredibly powerful security and ownership infrastructure that fundamentally alters how we think about identity.

A simple example is the contractor use case. Let’s say a PwC consultant needs access to Oracle’s (the names here are only used for the sake of illustration) systems for an annual audit. In this scenario, Oracle has to provision and maintain credentials for the consultant. This is not only expensive but poses security challenges, since there is no real-time feedback about the consultant’s affiliation with PwC. Furthermore, each company that the consultant works at will need to provision separate credentials, and these might end up having the same username/password combination, which is an alarming security risk.

ShoCard addresses this by allowing the consultant to verify identity through his/her private key without needing to maintain usernames and passwords across companies. Furthermore, PwC can store the signed verification of employment for the consultant on the blockchain. The ShoCard platform allows Oracle to check this verification in real time whenever the consultant tries to use internal applications to ensure only trusted parties have access.
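The two checks described above (a session challenge signed by the user's device key and verified against the ledger, plus the employer's signed attestation looked up at login time) can be sketched in Go as follows. This is an added example, not ShoCard's code: the in-memory `Ledger`, the choice of Ed25519, the entity names, the claim format and modelling withdrawal by deleting the record are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Ledger is a constructed in-memory stand-in for the blockchain records.
type Ledger struct {
	Keys    map[string]ed25519.PublicKey // entity ID -> registered public key
	Attests map[string][]byte            // claim -> issuer's signature over it
}

// Enroll publishes a new public key and returns the private half to its owner.
func (l *Ledger) Enroll(id string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	l.Keys[id] = pub
	return priv
}

// claim quotes both fields so two different claims can never encode alike.
func claim(issuer, subject string) string { return fmt.Sprintf("%q employs %q", issuer, subject) }

// Authorize: nonce signed by the user's registered key AND a valid attestation now.
func (l *Ledger) Authorize(user, employer string, nonce, sig []byte) error {
	if pub, ok := l.Keys[user]; !ok || !ed25519.Verify(pub, nonce, sig) {
		return fmt.Errorf("session signature does not match %s's registered key", user)
	}
	c := claim(employer, user)
	if pub, ok := l.Keys[employer]; !ok || !ed25519.Verify(pub, []byte(c), l.Attests[c]) {
		return fmt.Errorf("no valid attestation from %s on the ledger", employer)
	}
	return nil
}

// Demo: a good login, one signed by a different key, one after withdrawal.
func Demo() (good, wrongKey, withdrawn error) {
	l := &Ledger{Keys: map[string]ed25519.PublicKey{}, Attests: map[string][]byte{}}
	employer, consultant := l.Enroll("employer"), l.Enroll("consultant")
	c := claim("employer", "consultant")
	l.Attests[c] = ed25519.Sign(employer, []byte(c)) // employer publishes attestation
	nonce := make([]byte, 32) // relying party's challenge, fresh per session in real use
	rand.Read(nonce)
	good = l.Authorize("consultant", "employer", nonce, ed25519.Sign(consultant, nonce))
	wrongKey = l.Authorize("consultant", "employer", nonce, ed25519.Sign(employer, nonce))
	delete(l.Attests, c) // simplified revocation; a real ledger appends a revocation record
	withdrawn = l.Authorize("consultant", "employer", nonce, ed25519.Sign(consultant, nonce))
	return
}
func main() { fmt.Println(Demo()) }
```

The third case is the one the contractor scenario turns on: the consultant's key is still valid, but access is refused as soon as the employer's attestation is no longer on the ledger.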

This process not only solves the identity bloat that exists today, but truly lets you own and maintain your identity across any number of applications. This is illustrated in the image below and generates a powerful network effect as applications and users adopt ShoCard.


The ShoCard team is uniquely suited to addressing the security and identity challenges facing the industry today. They have built enormously complex systems before including the identity product at Yahoo and know how to meet the demands of both enterprises and their users.

“The ShoCard team is amazing. Each engineer is better than 10 of ours” — Customer

At Storm, we are thrilled to join them on their journey to realize the promise of owning your identity.

Storm Ventures