Bridge CTO Alex Guba recently joined the Neo News Today podcast, where he discussed digital identity and the nuances between authentication and authorization. He stated, “Authentication is who you are, and authorization is what you can do.” Guba also delineated how Bridge’s products and services address these two aspects of identity.
Authentication is the process of verifying who a person is. To be authenticated, an individual must be able to present information unique to their identity. Examples include a driver's license, answers to pre-selected questions known only to the authorizee, or confirming an email address. This type of information is often sensitive, meaning individuals want to expose it as little as possible.
Once authenticated, the individual can then be authorized to participate in events containing restrictions. Examples include token sales limited to residents of a certain country, alcohol or tobacco purchases with minimum age requirements, or employment verification for access to company resources. In the interview, Guba said:
Traditionally, in distributed networks, or decentralized applications, you are essentially anonymous. You’re just an address that’s taking action on something. The challenge is on a day-to-day basis; users don’t need to be disclosing who they are for authentication. It’s mostly authorization – I’m allowed to buy beer, I’m allowed to do something. You don’t need to know who I am. You don’t need to know my address, and you don’t need to know my name. So, those are two different types of information that are needed at different times.
Bridge seeks to solve this issue by allowing its users to authenticate themselves in a way that enables authorization without exposing sensitive underlying data. For example, an individual may need to authenticate their age to access adult content. Using the Bridge Passport, the user would not need to expose their actual date of birth to a website, but could instead provide a claim stating the user was over 18.
The authentication process would only need to be completed one time by an identity verification provider selected through the Bridge Marketplace. The user could then authorize themselves across multiple websites or applications.
Although the underlying data is not readily exposed by the Bridge Passport, it is possible to see who authenticated the original information. This is important as it allows the claims made by the passport to be trusted, while also providing access to an audit trail if legal issues arise.
When you’re dealing with exchanges or anything that might be more heavily regulated, there has to still be – especially due to some of the international laws, in the United States and the banking system – an audit trail to be able to detect bad actors and still trace that back on an as-needed basis. Granted, 99% of the time, you probably only need authorization, not authentication. So there’s that element of full decentralization anonymity with the authorization component of what you can do. But, then, there’s also this sort of centralization component – there has to be accountability and a full trail if there were an audit that needed to be done.
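The flow described above (authenticate once with a provider, then present an "over 18" claim whose issuer stays visible for audit) can be sketched as follows. This is an added example, not Bridge Protocol's code or SDK; the Ed25519 signature, the JSON encoding and every name in it are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim holds only the derived fact; the date of birth never leaves the provider.
type Claim struct {
	Subject string `json:"subject"` // holder's pseudonymous address
	Name    string `json:"name"`    // e.g. "over_18"
	Value   bool   `json:"value"`
	Issuer  string `json:"issuer"` // who authenticated the data (audit trail)
}

// TrustList maps the provider names a site accepts to their public keys.
type TrustList map[string]ed25519.PublicKey

// Issue runs once, at the provider, after it has checked the real document.
func Issue(c Claim, key ed25519.PrivateKey) []byte {
	msg, _ := json.Marshal(c) // cannot fail for this plain struct
	return ed25519.Sign(key, msg)
}

// Authorize runs at every site and returns the issuer name for the audit log.
// Proving that the caller controls `subject` is out of scope here.
func Authorize(c Claim, sig []byte, subject, name string, trusted TrustList) (string, error) {
	pub, ok := trusted[c.Issuer]
	if !ok {
		return "", errors.New("issuer not trusted")
	}
	msg, _ := json.Marshal(c)
	if !ed25519.Verify(pub, msg, sig) {
		return "", errors.New("signature invalid")
	}
	if c.Subject != subject || c.Name != name || !c.Value {
		return "", errors.New("claim does not grant this action")
	}
	return c.Issuer, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	c := Claim{"addr-123", "over_18", true, "provider-a"}
	fmt.Println(Authorize(c, Issue(c, priv), "addr-123", "over_18", TrustList{"provider-a": pub}))
}
```

The site learns only that a trusted provider vouches for the claim, and it can log the issuer name in case an audit later needs to trace the claim back.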
Bridge Protocol recently announced version 3.0 of its identity platform, which included cross-chain BRDG token support, an updated network explorer, a redesigned Passport browser extension, and a restructured Bridge Protocol SDK.
The full interview can be found at the link below: