ShoCard’s Quest to Secure Identity on the Blockchain

17384822311_94a894b98d_o-1030x688
24 July 2015

It’s perhaps best explained by a car crash.

As veteran entrepreneur Armin Ebrahimi tells it in interview, his car was hit by a truck two nights ago. The driver had no insurance, and he had little reason to trust him because of the poor quality of his government-issued driver’s license.

“The picture didn’t really match him. It was difficult to know it’s him, the picture was a little more clean cut. It’s got a PO box address on it, so I took the information I could,” Ebrahimi explained.

Ebrahimi isn’t just any driver. He’s also the CEO of ShoCard, a blockchain technology startup that’s seeking to harness the power of bitcoin’s distributed ledger to solve pain points with authentication such as those in this process. Whether it’s a true story or a convenient anecdote is unclear. Either way, the story cuts to the core of how ShoCard and blockchain technology can intercede and solve problems inherent in such an incident.

ShoCard, Ebrahimi asserts, aims to function as a mobile ID that can be verified in real time using a combination of cryptography and the immutability of bitcoin’s ledger. Perhaps most importantly, the company asserts identifying information could be verifiable without requiring users to give up control of their data.

Investors are already convinced the company has found a powerful use case for the technology. ShoCard recently raised $1.5m in funding from investors including AME Cloud Ventures and Digital Currency Group.

In interview, Ebrahimi provided a deeper dive into the underlying tech of the product he hopes will transform identity on the web, mobile and real world.

Ebrahimi told CoinDesk:

“We create a private and public key pair that allows you to access the blockchain and create separate key pairs for each of the fields that you’re going to be storing [on your ShoCard]. So you have a master private key and private keys for individual data fields.”

While top of mind given his recent experience, Ebrahimi sees ShoCard as effective beyond insurance incidents, impacting how people verify themselves to e-commerce providers, banks or any third party to whom they must prove their identity to.

ShoCard in practice

shocard

Though still in the pre-launch phase, ShoCard’s digital ID provides details such as the full name, address, signature, date of birth and physical details of each user. While it looks like a mobile driver’s license and contains the same information, the difference, according to Ebrahimi, is each field on the ShoCard is protected with cryptography.

“We create signatures for each field. We create a hash that encrypts the data that’s on there, then we create a digital signature of it, then put it on the blockchain,” he explains.

ShoCard doesn’t put the user’s data on the blockchain, rather just its own cryptographic proof that the data is correct.

“All you can do is validate that later,” he added. “I would give you my public key and name and say here’s my entry on the blockchain with a signature. You can use that data to go in and validate it, but I have to provide you my name to validate it.”

If both parties in the car crash were using the ShoCard system, Ebrahimi said, the app could be made to produce a QR code that when scanned could allow the users to pass the blockchain record of their identities to each other securely.

“My ShoCard would go in, pull the data out of it to verify that it is on the blockchain. Let’s say [the truck driver] was certified by the DMV and his bank. I could look at those [certifications] and say that these are ones that I can trust.”

Additionally, users could have control over what they share. In the instance of a car crash, a user might need to take another party’s name and address before submitting it to a third party like an insurance provider.

“I don’t have to see everything else,” he continued. “I don’t need to ask for his weight and eye color.”

A similar exchange, he said, could also take place without QR codes using a Wi-Fi transfer protocol such as Apple’s AirDrop. Either way, digital data is validated securely using bitcoin’s secure digital ledger.

Beating Facebook

Still, Ebrahimi believes ShoCard will perhaps be most immediately useful online, where online authentication is increasingly handled by Internet giants such as Google and Facebook.

Part of the current problem, Ebrahimi argues, is that these companies earn revenue from reselling data, and further, they have the ability to update their policies often, and in ways that might not always be friendly to users.

ShoCard, Ebrahimi believes, could compete against these systems if it could achieve a similar scale because the blockchain would help return control to users.

“Until the blockchain there was no way to build the best infrastructure, keep it as secure as you can and make sure no one can compromise what’s inside. There are so many public cases where credit card data is breached, we see that happen publicly over and over.”

A former CEO of Buysight and Advertising.com, Ebrahimi was also a platform engineer at Yahoo until 2008. There, he managed Yahoo’s user ID and login strategy, insight which he says allowed him to see the benefits of bitcoin.

“I was very fascinated with bitcoin and the infrastructure beneath it,” he said. “What I found is it provides a dramatically different approach to solving the problem and that the solution could be uniquely different than what was possible.”

He argued the blockchain provides compelling benefits even when compared to two-factor authentication, which he said has recently proven susceptible to hacking and interference.

“Two factor is a great step forward in terms of providing security, but we’re looking at two years from now, how does that landscape change and how do we do we focus on identity.”

Question of scale

The most pressing challenge for ShoCard isn’t technology, Ebrahimi acknowledges, it’s a question of scale. As the car crash analogy illustrates, ShoCard can only be as useful as the number of people and third-party institutions using it.

Identifying this “chicken-and-egg problem”, Ebrahimi said, was a key factor in ShoCard choosing to adopt a business-to-business (B2B) marketing strategy.

“The way we see this gaining traction is not us having end users download the product,” he said. “That’s much more challenging because the use cases will be limited. What we’re looking at is working with enterprises and having them be the ones who roll this out to their user base.”

Ebrahimi suggested ShoCard is already talking to banks interested in the technology, but declined to name potential partners. Presentations for the company suggest ShoCard believes its solution could be a compelling alternative to services like Verified by Visa, which while allowing major financial institutions to leverage access to user data, require them to store it in centralized databases.

More immediately, Ebrahimi sees the service as potentially appealing to bitcoin companies that currently rely on two-factor authentication services or other tools.

“Identity has become significantly more important for bitcoin companies as they start expanding beyond early adopters,” he said.

Until those partnerships are secure, however, the ShoCard product, will be kept under wraps. “That’s how we can get a larger user base and those users will have a use case,” Ebrahimi said.

Element of trust

Still, the irony is that, while the blockchain is effectively a trustless system, ShoCard’s partners still have to trust the system, something that has been difficult for institutions given the negative publicity surrounding bitcoin as a currency.

Ebrahimi aims to overcome this with a two-pronged strategy. First, convince enterprise businesses that using the blockchain is more secure and efficient; second, use trusted brands as distribution partners to consumers.

The first case, Ebrahimi suggested, will be easier given that enterprise companies are already trusting authentication providers with their data. If ShoCard was a traditional authentication company, he said, it would have its own database, meaning partners would have to trust that information therein is properly maintained and that it’s not improperly modified or changed.

“The people we have to convince, most of them are interested in blockchain,” he said. “A bank would have a hard time trusting another database, but you don’t need to trust us in storing or maintaining the integrity of the data, making sure it doesn’t get hacked into. I can independently validate the data and insist on its accuracy with an open database.”

It’s still too early, he said, for consumers to comprehend the blockchain. But, Ebrahimi believes consumers don’t need to necessarily understand it as long as they can use the technology conveniently.

He concluded:

“One of the things we’ve done is hidden away a lot of that complexity from the users. You understand looking at your ID, because it’s pushed out by a trusted enterprise.”

Photo by Noam Galai/Getty Images for TechCrunch