How Decentralized Identity Will Transform Banking

Posted in Open Banking, Security
Art Anthony, December 19, 2023

When Jesse James, noted outlaw of the old West, was asked why he robbed banks, he said, “Because that’s where the money is.” And he was right, but he may not be right for much longer. Because the way we access our finances is changing and changing rapidly.

For many years, banking and finance have relied on the presence of key identity markers: photo identification, handwritten signatures, and account numbers. Recently, that list has expanded to include digital signifiers like two-factor authentication (2FA) via SMS messages or similar.

Banks have become the guardians not just of “the money” but of identities as well. That’s proven problematic, with data breaches in finance resulting in names, social security numbers, credit card numbers, and more being leaked. And, as we’ll see below, there are other reasons why relying on banks or financial institutions to be the stewards of identity can be dangerous.

Is decentralized identity the answer to some of these problems? And how might APIs factor in?

What Is Decentralized Identity?

Until recently, digital identity has mostly been centralized: when an individual joins a social media site or signs up for a new bank account, they verify themselves with that platform to create a digital identity that’s managed by the service in question and offers the user little control over it.

In a nutshell, decentralized identity is a method of identifying and authenticating users or entities online without the need for a centralized authority. With this digital identity model, users can manage their verifiable credentials and port them between different services. This strategy also aims to alleviate some of the issues with using centralized identities, which are usually tied to verified email addresses, usernames, and so on.
For example, the lack of ownership associated with such identifiers increases the risk of data breaches and spoofability.

Moving From Centralized to Decentralized Identifiers

Previously, confirming one’s identity to a financial institution has relied on things like bringing a driving license or passport into a branch, along with a utility bill dated within the last three months. Business accounts might also require proof of incorporation or tax documents.

For various reasons — like bank branch closures or utility companies migrating from paper billing to online platforms — the process above is no longer always practical. Financial institutions are increasingly likely to verify identity using digital means, sometimes using tools like Onfido. But this is still just a half measure.

Nor does it solve the potential problem of individuals within financial institutions misusing the data they hold. Take, for example, the issue of India’s Bank of Baroda tampering with customer accounts to meet onboarding targets.

And then there’s the elephant in the room: any database or verification log that contains information about user identities represents the motherlode to cyberattackers. (Using the right authorization policies, encryption, and tokenization in conjunction with APIs can help here!)

With the right security measures in place, the verifiable credential model “overcomes the conundrum of ‘data honeypots’,” according to J.P. Morgan, which can be mined to ascertain identity and are notorious for being vulnerable to abuse.
Decentralized Identity, Blockchain, and Self-Sovereign Identity

Dock defines decentralized identifiers (DIDs) as one of three pillars of self-sovereign identity (SSI):

- Blockchain: A decentralized database shared among computers in the blockchain network
- Decentralized identifiers: Verifiable user-created identifiers independent of any organization
- Verifiable credentials: Cryptographically secure versions of paper/digital credentials

When used properly, such as in compliance with know your customer (KYC) and anti-money laundering (AML) requirements, SSI can be (and is being) deployed in the financial space. Cryptocurrency exchanges, which are subject to KYC and AML measures in the US, are a good example of this.

In more traditional forms of banking, however, adoption lags behind. That’s not surprising for a couple of different reasons. First, there’s a lack of standardization and interoperability (despite the huge potential for the latter) in DID right now. Second, and just as important, is the need for stringent security protocols that prevent cyberattackers and other banks from accessing data they should not be able to.

There’s a need to find common ground, or a stepping stone, between SSI and KYC before we can expect to see wider adoption, and APIs are, in some ways, a solid contender for this. The use of blockchain APIs could really help to open up banking in a meaningful way, allowing financial institutions to engage with the concept of decentralized identity while sidestepping some of the complexity associated with building infrastructure from scratch.

Decentralized Identity in Financial Contexts

Plenty of companies out there have embraced decentralized identifiers, and as more do so, this will have a significant impact on API security and management — especially in banking and finance. At our 2023 Platform Summit, Curity’s Jacob Ideskog spoke at length about how the adoption of decentralized identities might affect how we plan future APIs.
He suggests the following considerations:

- Plan for token-based architecture with OAuth.
- Use a unique identifier as subject (independent of login mechanism, independent of sub-division, independent of the system being accessed, independent of whether accounts exist).
- Always normalize claims: “An email is an email is an email.”
- Don’t overshare information: If an API doesn’t need it, don’t send it. Since oversharing can break GDPR, follow the rule of least privilege.
- Token sanity checking: Know when to implement the proper checks, such as when to use date of birth versus age or a boolean like is_over_18.

He also highlights how selective disclosure might play a significant role in the upcoming decentralized future. This refers to the capacity to redact information that comes when credentials are issued once and owned by users. As for the banking and finance space, he underscores the importance of determining who (which verified credentials) you’re going to trust.

He concludes by saying that decentralized identity is coming, and “it’s really going to change how we do identity.” In the meantime, if (or perhaps when) different financial organizations adopt different blockchains or APIs associated with decentralized ID providers, we’ll need to see more ways for those services to talk to one another. That’s another area in which APIs might come into their own.

Watch Jacob Ideskog’s presentation, Decentralized Identities Changes Everything, Even Your APIs, at the 2023 Platform Summit in Stockholm:

The Future of Decentralized Identity and Banking

Although there are plenty of APIs out there relating to DeFi (decentralized finance), most of these focus primarily on cryptocurrency: Chainstack’s DeFi API, for example, allows consumers to fetch trading data, access liquidity pairs and reserves, analyze market trends, and so on. The De.Fi API, meanwhile, allows for integrating their antivirus and audit solutions, as well as wallet balances or supported chains.
Various crypto exchanges have also exposed functionality using APIs. For example, Coinbase offers Market Data APIs and Trading APIs for placing orders or accessing account information.

It probably won’t have escaped you that two of the major problems associated with DID and banking — lack of standardization and interoperability and a need for security without compromising on functionality — are two areas in which APIs have already been shown to excel.

A great article by Peaka that highlights some of the similarities between DeFi and open banking details an example of how Stripe Capital leverages APIs to “lend money to merchants conducting trade on the Shopify platform” and “introduces capital from legacy banks to small businesses in a frictionless way.” The piece concludes that “crypto exchanges facilitate DeFi transactions by opening APIs and letting users perform transactions via those APIs…In that regard, DeFi practices are not far off from open banking practices.” It won’t, we’re sure, be the last time that comparison is made.

The rise of the OpenAPI Specification could prove a compelling template for the standardization of centralized identifiers. Or, APIs may be used to facilitate communication between blockchains or DID providers. Regardless, we’re excited to see what the future of APIs and decentralized identity holds.
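Ideskog’s considerations from the Platform Summit section (a stable subject identifier, normalized claims, minimal disclosure, and token sanity checks such as sending is_over_18 rather than a date of birth) and the selective disclosure he describes can be shown together in one issuer/holder/verifier flow. The Python below is an added example, not code from this article, from Curity, or from any DID provider; it uses a salted-digest scheme in the style of SD-JWT, an HMAC standing in for the issuer’s real (asymmetric) signing key, and a constructed DID and sample claims.

```python
import hashlib, hmac, json, secrets
from datetime import date

# Assumption: a shared HMAC key stands in for the issuer's asymmetric signing key.
ISSUER_KEY = b"constructed-issuer-key"
TODAY = date(2023, 12, 19)  # fixed reference date so results are reproducible

def normalize_claims(claims):
    """Normalize before issuing: lower-case the email, derive is_over_18 from the DOB."""
    out = dict(claims)
    if "email" in out:
        out["email"] = out["email"].strip().lower()
    if "date_of_birth" in out:
        dob = date.fromisoformat(out["date_of_birth"])
        age = TODAY.year - dob.year - ((TODAY.month, TODAY.day) < (dob.month, dob.day))
        out["is_over_18"] = age >= 18
    return out

def _digest(salt, name, value):
    # A per-claim random salt stops a verifier guessing undisclosed values from their digests.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue_credential(subject_id, claims):
    """Issuer: sign only the stable subject id and salted claim digests; the holder keeps the disclosures."""
    claims = normalize_claims(claims)
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    payload = {"sub": subject_id,  # independent of login mechanism or accessed system
               "digests": sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())}
    body = json.dumps(payload, sort_keys=True)
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"payload": body, "sig": sig}, disclosures

def present(credential, disclosures, reveal):
    """Holder: forward the signed envelope plus only the claims this API actually needs."""
    return credential, {n: disclosures[n] for n in reveal}

def verify_presentation(credential, disclosed):
    """Verifier: check the issuer signature, then that every disclosed claim is among the signed digests."""
    expected = hmac.new(ISSUER_KEY, credential["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["sig"]):
        return None  # envelope was tampered with or not issued by the trusted issuer
    payload = json.loads(credential["payload"])
    digests = set(payload["digests"])
    if any(_digest(s, n, v) not in digests for n, (s, v) in disclosed.items()):
        return None  # a disclosed claim does not match what the issuer signed
    return {"sub": payload["sub"], **{n: v for n, (_, v) in disclosed.items()}}
```

The verifier learns the subject id and is_over_18 only; the email and date of birth stay with the holder even though they were covered by the same signature.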