Deploy a Biometric Identity Management Platform With Blockchain on Oracle Cloud

Combining machine learning models, blockchain, and microservices, IPtoki built its cloud-native, W3C-compliant biometric identity management platform, and deployed it on Oracle Cloud Infrastructure (OCI).

To verify that users are who they say they are, the IPtoki platform captures human behavioral biometrics to create unique digital signatures, and then stores those signatures as immutable records in a blockchain ledger. Through machine-learning (ML) algorithms, IPtoki’s platform continuously authenticates individuals based on the unique ways they type on their keyboards, swipe the screens of their smartphones, or use other peripherals on their mobile devices.

Founded in 2018 in Quebec, Canada, IPtoki's platform allows individuals to identify themselves using their smartphones, wearable devices, or authorized devices from trusted third parties. Although users’ W3C-compliant verified credentials remain protected in their e-wallets, such credentials can also be presented under the governance of the user to authorize access to a specific application or a secure system or service.

After training deep learning algorithms, IPtoki’s I Am My ID authenticator can continuously validate human biometric data by using a blockchain distributed ledger and ML algorithms. Not only do the blockchain and ML algorithms make it possible to extract a unique signature for a user, these tools also help to validate the verified credentials presented by the users, confirm that those individuals are who they say they are, and then authorize their access to specific systems and services. IPtoki uses smart device sensors to capture users’ biometrics, define their signatures, and enable continuous authentication of their identities.

The core components of IPtoki's I Am My ID platform include:

  • Multifactor authentication:
    • Verify IDs
    • Grant access to secure services
    • Manage secured access
    • Analyze screen swipes
  • Behavioral biometrics:
    • Track body movements
    • Observe physical gestures
    • Monitor keyboard strokes
    • Manage code libraries for the blockchain application by using SDKs
  • E-wallet:
    • Access verified documents and credentials that are secured in the blockchain
    • Share verified credentials
    • Validate authentication inference results by using a zero knowledge proof
  • Blockchain:
    • Capture and store immutable records of individual identities, credentials, and documents
    • Build and debug algorithms
    • Train ML models
  • Machine learning algorithms:
    • Capture and classify device sensor data
    • Run and maintain reports
    • Write and enforce policies for applications and users
  • Administration:
    • Create and monitor dashboards
    • Modify and manage the system interface
    • Allow authorized individuals to access multiple services with a single set of credentials by using user federation
  • ID management:
    • Connect with and establish trust between multiple service providers (SPs) and different identity providers (IDPs)
    • Connect devices and applications by using APIs
    • Exchange information between applications by using REST APIs
  • Microservices: Communicate with third-party services

Highlights of this architecture include:

  • IPtoki’s I Am My ID platform captures and classifies individual behavioral biometrics through interactions with smart devices, such as keyboard strokes, mouse clicks, and screen swipes.
  • IPtoki’s I Am My ID solution stores immutable records of users’ credentials by using Oracle Blockchain Platform.
  • Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) manages the containers for the IPtoki platform, which consists of Kafka, Kibana, ID Manager, APIs, and machine learning operations.
  • The machine learning operations use Oracle virtual machine shapes with NVIDIA GPUs as nodes on an OKE cluster.
  • Oracle NoSQL Database Cloud Service provides database operations.

Architecture

IPtoki built and deployed an advanced identity platform on Oracle Cloud Infrastructure (OCI) by using machine learning and Oracle Blockchain Platform.

The IPtoki platform collects multimodal behavioral biometrics from sensors on smartphones and wearables by using the IPtoki I Am My ID app. These are captured as JSON files that contain behavioral biometric information (gait, gesture, motion, and keystroke dynamics) and drive the machine learning algorithms. Kafka streams the JSON objects, which are stored in an Oracle NoSQL Database Cloud Service database instance.

Deep learning models are developed in containers on GPU-based virtual machine instances. Users have their own behavioral models, which are developed from the behavioral biometrics captured from sensors embedded in those users’ smart devices. This biometric data is then converted into JSON files and stored in a NoSQL database. When a biometric identification (ID) is established, the ID is linked to a user ID from an identity provider, such as LDAP, Oracle Unified Directory, Oracle Identity Cloud Service, Microsoft Active Directory, or Social Media Authentication (Social Auth). ID Manager creates the IPtoki ID and stores it on Oracle Blockchain Platform running an Ethereum Virtual Machine (EVM) by using a custom Solidity smart contract.

The following diagram illustrates the architecture:

iptoki-oci-architecture-oracle.zip

The IPtoki ID is stored in the immutable ledger of the Oracle Blockchain Platform as a unique signature that can be subsequently verified for continuous authentication. After an ID has been established, the IPtoki solution can verify a user’s identity by comparing the real-time biometrics provided by the authenticator app against the proof stored in the blockchain smart contract through a REST API call.
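The enrolment-then-verification flow described in the two passages above (sensor JSON in, a per-user signature anchored in the ledger, live samples checked against it) can be illustrated end to end. The following is an added example, not IPtoki's code and not a description of the platform's actual matcher or smart contract: it assumes keystroke records shaped as JSON objects with `[key, key_down_ms, key_up_ms]` events, extracts dwell and flight times as the feature vector, averages enrolment sessions into a template, and anchors only a salted SHA-256 commitment of that template (a stand-in for the on-ledger record). A mean-absolute-deviation threshold stands in for the ML scorer. Verification first checks the template fetched from the database against the ledger commitment, so a tampered or swapped template is rejected before any biometric comparison runs. All sample records and the salt are constructed.

```python
# Added example (not IPtoki's code): keystroke-dynamics enrolment and
# verification, with the enrolled template anchored to a ledger by a salted
# hash commitment. The feature extraction, the distance-based matcher and the
# commitment scheme are illustrative assumptions, not the platform's method.
import hashlib
import hmac
import json
from statistics import mean

# Constructed sensor records in the shape the text describes (JSON objects
# carrying keystroke dynamics): each event is [key, key_down_ms, key_up_ms].
ENROL_RECORDS = [
    '{"user":"alice","modality":"keystroke","events":[["p",0,90],["a",150,240],["s",300,380],["s",440,530]]}',
    '{"user":"alice","modality":"keystroke","events":[["p",0,100],["a",160,250],["s",310,400],["s",460,540]]}',
    '{"user":"alice","modality":"keystroke","events":[["p",0,80],["a",140,230],["s",290,380],["s",450,540]]}',
]
GENUINE_RECORD = '{"user":"alice","modality":"keystroke","events":[["p",0,95],["a",155,245],["s",305,390],["s",450,540]]}'
IMPOSTOR_RECORD = '{"user":"alice","modality":"keystroke","events":[["p",0,150],["a",300,420],["s",520,640],["s",760,900]]}'

# Per-user salt; a constructed constant here, generated with os.urandom in practice.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def extract_features(record_json):
    """Parse one keystroke record into a feature vector: per-key dwell times
    (how long each key is held) followed by inter-key flight times (gap
    between releasing one key and pressing the next)."""
    record = json.loads(record_json)
    if record.get("modality") != "keystroke":
        raise ValueError("unsupported modality")
    events = record["events"]
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def commitment(template, salt):
    """Salted SHA-256 over the canonical JSON of the template. Only this hash
    is anchored in the ledger, so the immutable record reveals nothing about
    the biometric itself and cannot be replayed as a credential."""
    canonical = json.dumps(template, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).hexdigest()


def enroll(records, salt):
    """Average the enrolment sessions into a template and return it together
    with the commitment an ID manager would write to the ledger."""
    vectors = [extract_features(r) for r in records]
    template = [mean(col) for col in zip(*vectors)]
    return template, commitment(template, salt)


def verify(record_json, template, salt, ledger_commitment, threshold_ms=10.0):
    """Continuous-authentication check: confirm the template fetched from the
    database still matches the ledger commitment, then compare the live sample
    to it (mean absolute deviation in ms stands in for the ML scorer)."""
    if not hmac.compare_digest(commitment(template, salt), ledger_commitment):
        return False  # template tampered with or swapped since enrolment
    sample = extract_features(record_json)
    if len(sample) != len(template):
        return False  # different key sequence, nothing to compare
    score = mean(abs(s - t) for s, t in zip(sample, template))
    return score < threshold_ms


if __name__ == "__main__":
    tmpl, anchor = enroll(ENROL_RECORDS, SALT)
    print("ledger commitment:", anchor)
    print("genuine accepted:", verify(GENUINE_RECORD, tmpl, SALT, anchor))
    print("impostor accepted:", verify(IMPOSTOR_RECORD, tmpl, SALT, anchor))
```

The integrity check runs before the biometric comparison on purpose: the ledger is the trust anchor, and the mutable database copy of the template is what an attacker with database access would alter, so a mismatch ends the decision without consulting the sample. Anchoring a commitment rather than the template itself also keeps raw behavioral data off a record that can never be deleted.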

This transparent identity verification can be used to authenticate the user and authorize specific actions for diverse use cases, such as healthcare, supply chain, fleet and workforce management. For example, a user’s natural day-to-day interactions with smart devices can seamlessly unlock access to a web service. In other cases, a truck driver approaching the truck or a machine operator approaching a complex piece of factory equipment can be authenticated based on their gait or other biometrics to open the truck door, access factory machinery or operate the specific piece of equipment if they are authorized.

The IPtoki solution can support multiple organizations mapped within the permissioned blockchain network based on each use case. Blockchain nodes can be created within the Oracle Blockchain Platform network by using OCI consoles and then linked to the shared blockchain network. For example, a logistics organization might consist of an IPtoki founder node, with carrier, port, and shipper organizations joining as participants. Specific blockchain channels between the organizations isolate ledgers and restrict access to specific information.

The following diagram illustrates the example Hyperledger Fabric network created with OCI’s managed blockchain-as-a-service instances.

iptoki-blockchain-network-oracle.zip

The architecture has the following components:

  • Tenancy

    A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Availability domain

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Route table

    Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Internet gateway

    The internet gateway allows traffic between the public subnets in a VCN and the public internet.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Compute

    The Oracle Cloud Infrastructure Compute service enables you to provision and manage compute hosts in the cloud. You can launch compute instances with shapes that meet your resource requirements for CPU, memory, network bandwidth, and storage. After creating a compute instance, you can access it securely, restart it, attach and detach volumes, and terminate it when you no longer need it.

  • Object storage

    Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

  • Container Engine for Kubernetes

    Oracle Cloud Infrastructure Container Engine for Kubernetes is a fully managed, scalable, and highly available service that you can use to deploy your containerized applications to the cloud. You specify the compute resources that your applications require, and Container Engine for Kubernetes provisions them on Oracle Cloud Infrastructure in an existing tenancy. Container Engine for Kubernetes uses Kubernetes to automate the deployment, scaling, and management of containerized applications across clusters of hosts.

  • Blockchain

    Oracle Blockchain Platform is a managed blockchain service for running smart contracts and maintaining a tamper-proof distributed ledger. Built on the open source Hyperledger Fabric, it simplifies the development of secure and verifiable applications that share immutable, trusted data with third parties, such as suppliers and financial institutions.

Get Featured in Built and Deployed

Want to show off what you built on Oracle Cloud Infrastructure? Care to share your lessons learned, best practices, and reference architectures with our global community of cloud architects? Let us help you get started.

  1. Download the template (PPTX)

    Illustrate your own reference architecture by dragging and dropping the icons into the sample wireframe.

  2. Watch the architecture tutorial

    Get step by step instructions on how to create a reference architecture.

  3. Submit your diagram

    Send us an email with your diagram. Our cloud architects will review your diagram and contact you to discuss your architecture.

Acknowledgments

  • Authors: Sasha Banks-Louie, Robert Huie
  • Contributors: Brad Goodwin, Victor Stachura, Nitish Joshi, Mark Rakhmilevich, Robert Lies

    IPToki Team: Francois Noel, Steve Leduc, Masha Elahipanah, Wiem Badreddine