FIO Identity
- Luke Stokes
- Pawel Mastalerz
PLEASE NOTE: This is just a draft idea, exploring some possibilities of the FIO protocol. It is NOT final or even suggesting at this time a path for FIO to take.
The traditional financial world, for better or for worse, works with verified identity through KYC (Know Your Customers) and AML (Anti-Money Laundering) compliance requirements. Even though this is only 0.1% effective at preventing crime, it is the reality we live in today (until we change it). Some examples of the problem:
Anti-money laundering: The world's least effective policy experiment? Together, we can fix it
Anti-money Laundering “Almost Completely Ineffective.” Why it Harms Us All
Saying It as You See It: How to Lose Friends and Infuriate People
And yet, if FIO wants to help the billions of unbanked people who want access to decentralized open finance tools while also providing a decentralized (as opposed to centralized or federated) solution for those who still have to play the KYC/AML game, we should look at creating verified FIO addresss. Depending on the need, this may end up driving the decentralized business strategy for the FIO Protocol which benefits all participants as the network effect grows. Billions of people and the many thousands of organizations that want to serve them have a problem FIO is uniquely positioned to solve.
Problem
I want to interact with a real human being, not someone claiming to be someone else (or 1,000 someone else's). I don’t want to store the KYC or profile information for that human on my servers. I may not want to do KYC at all and just want verification that some other organization I trust did do KYC. If I do KYC, I want a mechanism to, with the permission of the human, expose aspects of that KYC to third parties, and be rewarded for it.
Imagine how much we could improve the credit process if Equifax, Experian, and TransUnion were decentralized and the data they collect was in our control?
Solution
I’ll walk through an example to explain how FIO might help with this situation.
John Doe controls the FIO address john@doe via their private key.
I want to interact with Organization A (kyc@a, account aaaaaaaaaaaa) which requires KYC. I go through whatever process they require (upload identity documents, FaceTec, etc). I also sign an authentication message with my john@doe private key, proving the human they just verified has control as of right now of john@doe. kyc@a derives from their key path two new secret keys. These key paths are stored in a vouches table scoped to aaaaaaaaaaaa to associate them with john@doe via data encrypted with kyc@a’s private key:
Table: vouches
index | scope | data |
|---|---|---|
0 | aaaaaaaaaaaa | <encrypted text> |
With data decrypted as:
fio_address | voucher_secret_key_path | voucher_data_secret_key_path | voucher_type |
|---|---|---|---|
john@doe | m/44'/194'/0'/0/1 | m/44'/194'/0'/0/2 | 1 |
The voucher type of 1 would mean KYC. Other voucher types are described later.
The derived keys are then used to encrypt parts of a message on chain essentially saying “We’ve KYCed john@doe and collected the following information.” This data on chain might be stored in a vouchers table:
Table: vouchers
index | scope | voucher | voucher_data |
|---|---|---|---|
0 | aaaaaaaaaaaa | <encrypted text> | <encrypted text> |
The voucher content is encrypted with the secret from voucher_secret_key_path (the key from m/44'/194'/0'/0/1) and the voucher_data content is encrypted with voucher_data_secret_key_path (the key from m/44'/194'/0'/0/2). With each new entry, a new set of keys on the key path are used.
voucher | voucher_data |
|---|---|
{
"account": "abcdefghijkl",
"fio_address": "john@doe",
"data": ["first_name", "last_name", "date_of_birth", "country_of_citizenship", "country_of_residence"]
} |
{
"account": "abcdefghijkl",
"fio_address": "john@doe",
"data": ["John", "Doe", "1/1/1980", "United States", "Puerto Rico"]
} |
kyc@a then presents information for john@doe to encrypt and sign which essentially says “Here’s the table index where kyc@a vouched for john@doe encrypted with this secret key.”
{
"data": [{
"validator_account": "bbbbbbbbbbbb"
"validator": "kyc@b",
"vouchers_index": 0,
"voucher_secret": "5KN6kXyaxs68b9QqauTf1g13FkawCPL4baVzwLy9NcozyzNcLtu",
"voucher_data_secret": "5JM3esqkLk79MsF3pq9mYvjLRUciK4DUrCrj2GdAVfdNJhtaGRu"
}]
}The voucher_data_secret could be used to verify the voucher_data was stored correctly. The voucher_data_secret could be stored by the user for later use or discarded.
This information would be used to construct a new transaction to add a record in the validations table, scoped for john@doe, like so:
Table: validations
index | scope | validation |
|---|---|---|
0 | abcdefghijkl | <encrypted text> |
The decrypted validation content:
validator_acccount | validator_fio_address | vouchers_index | voucher_secret |
|---|---|---|---|
aaaaaaaaaaaa | kyc@a | 0 | 5KN6kXyaxs68b9QqauTf1g13FkawCPL4baVzwLy9NcozyzNcLtu |
This process is be repeated for organizations B (kyc@b), C (kyc@c), and D (kyc@d).
Organization E (kyc@e) authenticates john@doe and instead of asking for KYC, it presents a list of KYC validators or combinations of validators it will accept instead. For example, it could ask for Organization A (kyc@a) or Organization B (kyc@b) and Organization D (kyc@d) together or maybe some combination like “3 from the following list…”.
john@doe decides they trust Organization E (kyc@e)to know they have a relationship with kyc@b and kyc@d, but they’d prefer to keep their relationship with kyc@a private. john@doe sends an encrypted message via the chain with their shared key with kyc@e (similar to a FIO Request), with the following:
Organization E then verifies these vouchers on chain in the vouchers table using the vouchers_index and validator_account scope with the voucher itself decrypted with the voucher_secret. Note, they can only decrypt the voucher content with the voucher_secret, not the voucher_data content. This tells them which fields were validated, not the values themselves used for validation.
Organization E then saves a new record in the vouches table but with voucher_type 2 which essentially says “We acknowledge the identity of john@doe using validations we trust”:
New entry for vouches table:
index | scope | data |
|---|---|---|
1 | eeeeeeeeeeee | <encrypted text> |
with data being:
fio_address | voucher_key_path | voucher_data_key_path | voucher_type |
|---|---|---|---|
john@doe | m/44'/194'/0'/0/1 |
| 2 |
New entry for vouchers table:
index | scope | voucher | voucher_data |
|---|---|---|---|
1 | eeeeeeeeeeee | <encrypted text> |
|
Type 2 vouchers do not include voucher_data.
voucher | voucher_data |
|---|---|
|
|
New entry for validations table:
index | scope | validation |
|---|---|---|
1 | abcdefghijkl | <encrypted text> |
The decrypted validation content:
validator_acccount | validator_fio_address | vouchers_index | voucher_secret |
|---|---|---|---|
eeeeeeeeeeee | kyc@e | 1 | 5KN6kXyaxs68b9QqauTf1g13FkawCPL4baVzwLy9NcozyzNcLtu |
Upon login to Organization D, if any of the validations used for verification have been updated for liveness, a new, updated record can be saved for that organization.
Useful Data
Some organizations presumedly want additional information about the user like their name or maybe their country, email, age, income, purchasing preferences, etc. Each time this information is requested, instead of giving it to the company which would then have to store it in a central location which becomes a target for data breaches and GDPR concerns, it can be stored encrypted on chain.
Table: profile
index | scope | field | value | vouchers | value_secret |
|---|---|---|---|---|---|
0 | abcdefghijkl | first_name | <secret encrypted text> | <encrypted text> | <encrypted text> |
1 | abcdefghijkl | last_name | <secret encrypted text> | <encrypted text> | <encrypted text> |
2 | abcdefghijkl | <secret encrypted text> | <encrypted text> | <encrypted text> |
Organizations can request specific data based on the fields in the profile or request a new entry be added. The value_secret can be shared with them so they can decrypt the content in the value field. They can not decrypt the content of the vouchers field. Both the vouchers and the value_secret are encrypted by john@doe’s private key.
value decrypted would be simple text like “John”, “Doe”, “john.doe@example.com”, etc.
vouchers decrypted would include:
value_secret decrypted would be the plaintext secret used to decrypt this value.
The vouchers would be specific to the organizations which have vouched for that specific field value. The user can selectively choose which vouchers they want to expose when responding to a request for information.
The vouchers_index is the specific record in the vouchers table containing the voucher.
A response for information might look like:
The organization receives the information they need and can pull it from the chain in the future using the profile_index and scope. They have no need to store the information locally.
If the organization needed to validate this information, they could then look up the vouchers and send an encrypted message (via FIO Request) to a validator like kyc@a to validate the first_name of john@doe is “John” or answer a question like “Is john@doe over the age of 13?” Depending on the policies, kyc@a could ask for confirmation from john@doe via FIO Request before releasing the requested information to the organization.
Ideally we could add a “request for request” which would allow the validator to say “Send me a request for this amount so I can pay you for releasing this information to this organization.” The micro payment amount the organization pays to the validator when requesting the information would be more than the micro payment made to the person and the difference would be the validator’s profits.
Conclusion
This plan outlines a way for users to selectively validate their identity and personal information with multiple KYC vendors who don’t have to store the information on their local servers. Organizations requesting information can do so directly from the individual and receive a key to decrypt that information from the chain anytime they want it. They can also request validation of that information from the KYC provider that validated it. The user has the control to selectively expose which validators have verified their information and who can access that information in the future. The security focus of the validation company can now be entirely about key management instead of data management.
Areas for more exploration:
Zero knowledge proofs to ask questions about the data without needing the data itself.
Key rotation requirements to keep data freshly encrypted.
Potentially using transaction_id and the block log via history nodes instead of table indexes.
Get the correct key derivation path for FIO and/or a better approach as the examples here are most likely wrong.