Topic: The Future: Trustless Decentralized Identity (Read 233 times)

I am not sure on this part. If you make it on a smartphone sensor this will be difficult for fake fingerprints. Plus again it wouldn't be too crazy to do add additional functionality for the decentralized identity algorithm to keep making it more and more secure. You will never find something 100% secure but the important part is that as an open source project this can continue to develop and improve. There is always an arms race between antivirus vs virus, authentication vs forgery etc. One thing I am sure is that 3DPass will make this extremely hard/almost impossible.




This tech will be sybil attack proof. Of course there will most likely be a very small loophole but this loophole will be extremely difficult to reproduce.

Also the PoScan algorithm is based on PoW. The decentralized identity would have no impact on the layer 1 blockchain from 3DPass, this remains secured.

You have great insides on decentralized identity. Why don't you come and join the project and share your thoughts and ideas to make this better?

The only recognition algorithm implemented currently is for 3D shapes. The next one schedule for Q4 2023 is for 2D drawings which I recommended before joining the project on bitcointalk https://bitcointalksearch.org/topic/m.59443322

Come share your ideas and let's make this goal for a decentralized identity and most importantly secure.

Let me give you one more example, which is a hardware wallet having implemented in of both Grid2d and fingerprint recognition algo. And those two would be used for HASH ID creation. The input data, now, can never be replaced, unless you have it as a physical item (a real finger or "plastic" finger). And all you need to prove is whether or not there is a real human being behind, right?

I can see at least two possible ways to do that:

1. Meet him/her in person and verify the HASH ID with the hardware wallet
2. Trust a third party registrar (less trustworthy)

Suppose, there should be some methods on top..

 

As I posted above there are ready to use tools that generates infinite amount of fake fingerprints. Even if they are not perfect to cheat this system ... if big money will come in ... people will find a way.


Maybe indeed I am. 5 years in crypto made me very sceptical about new projects.


So its a super secured version of private key. Its a nice usecase too. But its not a digital identity because its not sybil attack resistant.

And I would not compare it to having multiple passports. You go to jail for a long time if you get caught.  Here you generate new fake fingerprint and scan random object and its ready.

KK, will do. pass3d recognition lib must contain both the fingerprint recognition algorithm and 3D object recognition (Grid2d), which is actually there. That's how it works. It will prevent each digital identity from copying just as it does with 3D objects mined on 3Dpass blockchain (every object has a unique shape). Like 1 object = 1 asset.


Yes, you are. As it was mentioned above, the recognition algorithm is used in 3dpass instead of standard SHA2 hashing.
I suggest that you read this article to compare and understand better how it protects objects from being copied: https://3dpass.medium.com/proof-of-scan-consensus-how-does-that-work-7a88b0fc8530


It doesn't, cause that's exactly what makes HASH ID real personal digital identity. Bio data serves to identify a person, not to protect your key. Moreover, I'm not sure, your fear to disclose your bio makes that much sense nowdays. In most cases, it's already being public (iris scans on your selfie photos published on the Internet, fingerprints on your camera). Of course, if you want to stay private, you can live your life without making photos, hiding from public cameras with a hood etc... but it's not common.

In my opinion, lots of people would prefer the possibility to use public digital identity for making p2p deals with real assets. Moreover, they would publish their iris scan with its HASH ID, so that 3DPass network can verify its authenticity. That's just my opinion. It doesn't make sense to keep in private something that you can't hide.

The algorithm checks the blockchain to make sure there is no match. Of course this depends on how many fingers are set up to generate a decentralized identity.

If 3DPass get's the algorithm and conditions right for generating a new decentralized identity then it would be 1 per person. Of course people can be very creative and I joked earlier that people will start scanning their toes 

Nonetheless there would be a strong limitation on the amount of digital identity per real human being with the goal being 1.

You have to remember that for something as difficult, as controlled and centralized as Passports there are a lot of people walking around with multiple passports of different identities. This is not an easy issue to solve but I think the 3DPass proof of scan consensus mechanism which is like a PoW is a great baseline to build from.



I think this is harsh and I hope you can be open minded on the project.

I believe it is more secure and secured in a different way. More secure in the sense of multiple biometric data plus an additional object which is a crazy level of security. Plus most importantly it will be more user friendly than anything I've seen so far.

Scan two fingerprints plus your favourite sculpture for example. Good luck trying to figure this out for a hacker or forgetting this.

Don't believe me on the accuracy of the algorithm check out this video I made playing around with the current recognition algorithm for 3D shapes.

https://www.youtube.com/watch?v=5TlDE69Tmms&t=6s

I appreciate what Idena did as the trendsetter for decentralized identity and for validators/nodes it's great. Ask yourself would this work for anyone else? Only a minority of people are into cryptocurrencies and from those even a smaller minority are into validation/nodes/mining. The feedback that the crypto community always get's is that the community must stop building products for other crypto people only.

Everything from the app is open source there is no data collection. Remember we are just talking theoretical and what ever idea is available to improve security and keep it simple can be discussed for implementation as a community driven project.

I mean we keep discussing it from a theoretical perspective but a private key can always be read if it can be accessed. The general trend when it comes to security is to move away from passwords towards Biometrics. I mean most of use unlock our phones every day like this. A lot of us travel internationally with biometric passports. There is a reason for this and it's the better security compared to a password.

Good dicussion so far to try and make this decentralized identity solution better!

So 3DPass is not a digital identity because 1 person can have infinite amount of digital identities. In my opinin, correct me if i'm wrong, it lose majority of use cases.


So 3DPass is only a more secured version of private key. Or maybe not "more secured" but "secured in a different way". Because you can also hash your private key using "something you know" AKA password and part of your best book as "something you have" using simple softwere. 3DPass is nothing more than that. Am I wrong?


good point. But that doesn't  this fact make bio useless in this system?

In my opinion, that's correct, that they will lose their assets, once having their private keys compromised. But only assets, not the identity, cause it was never be there... (in the bitcoin wallet, etherum wallet etc.) They will never ever prove it were their assets stolen.


I would disagree, and will try to explain my thoughts on it this way:

1. As you can see on the picture posted by @3dpass, the HASH ID is created from several pieces of data when together being leveraged as a seed. But each of them represents an authentication factor you can never recover the HASH ID without having all of them:

- a fingerprint is something that you are factor, which can identify the person easily (of course, in person);
- a piece of stone is something that you have factor.
- this combination might be expanded with some additional factors like a password (something that you know), etc.

My first conclusion is that you can identify a human being, however, it's not enough to only have their fingerprint to recover the HASH ID and keys. It implies, that your bio has been already compromised (or even public), but the second factor is private and strong enough to protect your keys.


  


The only way to check if a given fingerprint belongs to someone real is to meet him in person and verify it by his finger.

Just like with bitcoin wallet, etherum wallet etc. If you are irresponsible to the point that 3 people have access to your private key (which is suppose to be private) ... you are the one who is to blame for losing every asset that is on this wallet nor bitcoin or etherum network. Including digital identity.

3DPass also doesn't prove that digital identity belongs to human being. Identity can be sold or sensitive bio-data can be stole from previous similar projects or malicious apps that needs fingerprint to unlock it or from compromised police office database or from passport issuing office. Just answer this question. How is it possible, in your opinion, that someone has a database of 1 million fingerprints?

How 3DPass will deal with fake fingerprint data? I know its impossible to guess my fingerprint. The amount of possibilities are infinite. But creating a random fingerprints should be easy. How will 3DPass sort fake from real preventing 1 person from owning infinite amount of identities?

For example this:

I believe this would be the future of identification, considering it cannot be faked and it is always verifiable. And it is quickly becoming a norm now to have some electronic identification

Thanks, I see. Let me clarify my question a little bit. How does the private key identify me as a human being?
It doesn't have to do with me at all, right? So, it can't be treated as a personal identity, cause you'll never know who is the real owner of the private key. That's my point.

Let me give you an example. Imagine, you have 3 person coming over and claiming that each of them is the only owner of an IDENA account. All the three have the private key, which is correctly fit the account. How would you recognize the real one?


 

Private key is the thing that proves that you own this specyfic digital identity. Just like with every crypto wallet. But that's probably not what you wanted to ask, but how idena deals with the fact that one person has multiple nodes. Its the turing test i was talking about before. Its not a "some CAPTCHAs". Its 6 logic puzzles that you have to solve. This test is performed simultaneously for the entire network and short session last only 2 minutes. So there is no way to validate more than 1 identity. Well you can try with 2-3 but sooner or later you will run out of time and fail valition loosing stake and identity. Based on my experience with idena, 1 node is easy to have, 2 is hard, 3 is super hard and risky.


Fair point. But its not as hard as it looks like. I'm the owner of IDENA digital identity for more than 3 years.


you need 10-30 min of your time each validation (~20 days). They tried to aim for a sweet spot. Validation each day is cool because new members can join right away but from the other hand old members needs to spend 30 min each day instead of once every 20 days.



I'm not an expert but to me sharing any data is a red flag. I have no guarantee that this app wont collect my IP address, mobile phone hardware details, information about the browser, about the font size set on the phone, screen resolution, location from GPS. I have no guarantee that it wont be connected with darknet databases from other services that were already compromised.

Also if biometric data is all i need for your app ... it means i wont be able to safely use other apps that will one day reach mass adoption if this project will fail because my biometrics can already be compromised.

Great to see a response from someone familiar with both projects.

Real time biometrics = Human

If you limit the algorithm to checking only real time data you will always need a human to do it in real time.

I am less worried about a real person but ensuring that each person only has 1 decentralized ID.

Of course there are other aspects to consider such as how many fingers you scan. Humans are very good at making work arounds. Even if you used all 10 fingers people would generate a second ID with their toes 

But at least we limit it to two IDs per person minus anyone who of course sells their decentralized ID.

I know of both idena and 3Dpass, while dena is 1 node 1 person strict 3dpass is just blockchain but if it can hold biometric data and check with rest its their future, its just how you know if real person if behind biometric data on 3Dpass or not?

This is an excellent question and of course must be prevented.

I asked this question to the dev team and there is no storage. All processing is done locally using RAM only as mentioned in the white paper Data Privacy section.

On the official app the storage can of course be prevented but users MUST not store this locally anywhere.

Also it goes without saying that the device should not be compromised.

Once the HASH ID is generated this is protected by cryptographic standard SHA-2.

From my understanding of either 3dpass HASH ID and what @3DPass meant by his drawing above, the system doesn't collect any user's data except pub key and pub signature. HASH ID creation process is an offline operation being processed on user's machine without going outside. pass3d recognition opensource lib is only being involved in.  Follow the White Paper https://3dpass.org/3DPass_white_paper.pdf

It's not enough to steal  customer's biometric data from somewhere to recover its hash id. It's protected by several factors...

It's a great project for the future if it goes perfectly but I'm quite dubious about the service you will provide to customers, which as we all know we have different fingerprints until today, no one naturally have the same fingerprints.

In the process your system will record the fingerprints that I did to get an identity in the web3 industrial revolution, in my understanding you will have my original biometric data in your system before being encrypted. until whenever possible you will have my fingerprints, in this case I want to question how your system cannot be broken into that maybe hackers will steal fingerprint data of billions of people who are in the original data storage system that you have. In the process, fingerprints will be found in the state big data as my identity in social life. The worst possibility is that hackers have my fingerprints from various sources and can match my identity elsewhere.
I don't mean encrypted data but on the robustness of your system because of course your system keeps the original data to protect my identity.

Correct, no it does not, It's all encrypted.
Even if this was compromised which will not happen, what can someone do with a random fingerprint/iris scan without any other information. Good luck trying to find this person among many billions of people.

I've sketched it up in a little different way. Hope it becomes better to understand:

1. Biometric data, HASH ID and Private key - are all in secret
2. Pub signature taken form HASH ID ensures it belongs to the Network address and, on the other hand, it provides "0 knowledge" of any sensitive data.
3. HASH ID is protected by multi-factor authentication (it's not enough to steal your fingerprint, you also have to get the second object to recover)

let's say I've got an IDENA digital identity (based on solving some CAPTCHAs, please correct me if I'm wrong).
Now, how can I prove it belongs to me (as a real human being)?  

Cee2  From my understanding, this HASH ID Identity doesn't provide any knowledge about my personal sensitive data, right?