ShoCard returns identity ownership to the individual
For the past two decades, Armin Ebrahimi has had a front-row seat to witness the changes data management, security and authentication have undergone in the internet age.
He used the lessons learned to found ShoCard, a company with the mission to empower individuals, businesses and governments to establish, verify and exchange identity information simply, privately, securely and at world scale.
From 1998-2008 Mr. Ebrahimi was a senior vice president at Yahoo!. For the last four years of his tenure, his duties included platform engineering and managing the registration and identity team.
Yahoo! was a more influential portal back then, but changing user behaviours and the entry of new competitors like Facebook and the growth of Google caused its influence to decline.
More competitors brought value to the marketplace, but it also meant the user kept having to establish their identity for each platform, something that struck Mr. Ebrahimi as unnecessary.
“Identity is something you shouldn’t have to keep recreating,” Mr. Ebrahimi said.
That belief stayed with him.
Mr. Ebrahimi’s experience and the travails of his former employer and others who have fallen victim to massive data breaches warned him of the risks associated with maintaining a central database. Companies were responsible for safeguarding user identities, and users placed significant trust in them.
Yahoo!’s trustworthiness took a big hit following the 2013 data breach, and the reasons behind it provided further lessons, Mr. Ebrahimi explained. Back in 2007-08 Yahoo!’s platform was incredibly secure, but the departure of key executives and three CEOs in quick succession led to 90 per cent employee turnover. As market pressures rose, the company paid less attention to security.
The lesson from that experience was a stark one.
“Whenever you trust data with a central server you’re only as secure as time,” Mr. Ebrahimi said.
Fast forward to 2012. Mr. Ebrahimi sold a startup he founded and spent nine months studying emerging technologies including mobile and the blockchain.
“In 2014, blockchain’s prominent application was in virtual currency,” Mr. Ebrahimi said. “I started to look at the blockchain and what it could do.”
It could do a lot, much more than it was being used for at the time. Mr. Ebrahimi saw blockchain’s ability to change the entire nature of digital identity management. Instead of being held by a company, the user could use the blockchain to maintain ownership and control over their own identity. As authoritative third parties certified they know an individual, they could share that information to create a web of trust. Future entities can verify an individual with confidence based on earlier efforts.
That’s the premise behind ShoCard, which allows users and enterprises to establish their identities with one another in a secure, verified way so that any transaction can be accomplished quickly and seamlessly. Users can create their ShoCard ID through their app or via a company that incorporates the technology into an existing app through a software development kit.
ShoCard also offers an enterprise product. ShoBadge provides enterprise-level identity authentication through mobile devices combined with secure blockchain technology to produce trusted sharing that is virtually unhackable, Mr. Ebrahimi said.
The process begins when a user downloads the app to create their ShoCard ID. They take a picture of a valid, government-issued piece of identification from which ShoCard extracts the personal information. The user confirms the data, self-certifies, and either creates a passcode or opts for their phone’s fingerprint scan.
ShoCard’s server writes the hashed, signed data onto the blockchain. After the information is encrypted and saved on the user’s phone, only they can approve the sharing of information with a third party. On the blockchain, the user initiates an identity verification handshake with the third party. The information is fully encrypted and placed in a secure data envelope that only the recipient can decrypt. Once both identities are confirmed the transaction can proceed.
Within a few months of launching in 2015, ShoCard appeared onstage at TechCrunch Disrupt. They have attracted two substantial funding rounds, received two patents (more applications are being processed), and have forged ties with airlines, banks and credit card networks.
“There’s mutual interest,” Mr. Ebrahimi said. “With the web of trust, the value goes up as more groups participate.”
ShoCard’s security measures are thorough because the use of multiple factors exponentially increases the difficulty for hackers, Mr. Ebrahimi explained. A hacker would have to pick up every communication in the authentication process separately. More factors can be added, such as a server requesting a live picture from the user that is compared to what is certified on the blockchain.
“Each one of these is an independent piece on a different device,” Mr. Ebrahimi said. “With each addition, the level of difficulty increases by an order of magnitude.”