[RFW0004] User Registration and Identification via PRISM

[ProfilaMitchell]

Table of Contents

• Housekeeping
• The Problem
• User Story
• Request Type A/B
• Owner
• Summary
• Is This Really Necessary?
• Motivation
• Named concepts
• Examples, Risks & Assumptions
• Success Metrics
• Conceptual Design
• Drawbacks
• Alternatives
• New Data
• Business Release Date

Housekeeping

Make sure to clearly understand Type-A and Type-B requests, and the relavant limitations. Failling to follow the guidelines pertaining to the two acceptable types of RFWs will automatically lead to disfqualification of the RFW.

Take time to complete each section below with as much detail as is required to establish a comprehensive understanding about the underlying product specification.

ALL BELOW FIELDS ARE REQUIRED

The Problem

There is currently no DID creation when a user registers on Profila

User Story

As a Profila user I want to create a DID through Profila so I can use the platform

• High business severity - DID creation is an essential part of a zero knowledge environment
• High Priority - Setting the foundation of building out Profila, the registration process needs to be defined thoroughly from the onset

Request Type A/B

Type B

Owner

Mitchell Goudie

Summary

The issuing of DIDs (Decentralized identifiers) and verifiable credentials is being introduced to the Profila registration and sign-in process for people and brands.

Is This Really Necessary?

Privacy and agency is a core Profila promise to people, and Profila aims to guarantee to people that any brand on Profila is verified and real and Profila promises brands that only real, verifiable people are on the Profila platform. To deliver these promises it is the "best way" to implement verifiable digital identities for both people and brands on Profila using a next generation trust infrastructure like Atala Prism coupled with Magic Link.

Motivation

By implementing a verifiable digital identity for people and brands on Profila we deliver on the promise of ensuring people interact with real brands and brands interact with real people, and can share information that is from a trusted and verified source. The scope of this request:

• A persons registration/sign-up to Profila
• A persons login to the Profila platform
• The creation of a Personal DID (P-DID) in the persons registration process
• The verification of a person in the P-DID registration process - (This process is facilitated through use of Magic Link wherein the user must have access to the email entered in order to register. This would need to extend to KYC level national ID card verification in future releases)
• A brands registration/sign-up to Profila
• A brands login to the Profila platform
• The creation of a Brand DID (B-DID) in the brand registration process
• The verification of a brand in the P-DID registration process - (TBD this verification step can be simpler 2 factor authentication to an approved domain email address using Magic Link, but would need to extend to KYC level company registration verification in future releases)

Named Concepts

• DID is a Digital Identity
• P-DID a Profila term for a Personal Digital ID
• B-DID a Profila term for a Brand Digital ID
• Verifiable DID is a DID that has been verified by a KYC type process
• Atala Prism is a SSI protocol that provides the encryption capability (also) on Cardano, so, it enables proofing the credentials that they are true. It is a service suite for verifiable data and digital identity" in the Named Concepts section
• Magic Link is a user authentication and private key management solution that integrates with Atala Prism for seamless sign up and login capabilities

Examples, Risks & Assumptions

1. Explain concretely what will manifest as a result of this RFW.

• Profila platform users and brands will be able to register for Profila and will be verifiable by creating a DID using ATALA PRISM
• Profila platform users, people and brands will be unable to create multiple accounts associated with the same identity
• Profila platform users, people and brands will be able to sign into Profila using the DID created
• The private key generated from the resulting DID created will be managed by Profila

2. Explain how is it different from what is already manifesting i.e. what we already have?

• There is currently no way to ensure that the user has a single verifiable identity.
• Atala Prism provides the secure layer for identity in internet communication

3. Explain what Profila users/brands will experience as a result of this RFW. How will they feel as a result of it? How will they benefit as a result of it?

• Profila users, people will feel more comfortable in sharing their personal data with brands that are verified to be real brands and not fake bots, or fake brands. Similar to seeing a blue verified tick in LinkedIn or twitter, people will feel confident that their relationship is with the brand they intended.

• People will trust the Profila platform more as the platform has taken the efforts to ensure that only real brands are using the service and the platform is not trying to force unknown brand relationships onto people to drive potential fake ad revenues.

• Profila brands will feel more confident that they are subscribing to a real person/customers data that has been verified, improving the data quality in their organisation. Brands will also feel more confident to advertise to and communicate with real identifiable/verified customers rather than risking advertising to some people and many bots.

• Brands will trust the Profila platform more as their engagement will be with real people/customers and they will not need to worry about fake metrics that skew their marketing ROI, and will yield better returns in retention or real customers.

4. If applicable, provide sample messages for any new messages the system will display as a result of this RFW.

• You are about to create a verifiable personal digital ID. This P-DID will protect your identity on Profila and will help you to remain anonymous should you wish to. The P-DID will also give brands the comfort that you are a real person, a customer and not a robot, which will help them to deliver the best service and experiences personalised to your needs.

• You are about to create a verifiable brand digital ID. This B-DID will protect your brands identity on the Profila platform and will give people, your customers, confidence that they are engaging with your actual brand, and not a fake internet account. This will also give your customers the confidence to share accurate personal data and communicate with your brand anonymously and/or privately which results in more authentic and meaningful customer relations focused on retention and lifetime value of each individual.

• You have successfully created your Profila digital ID. You are now able to view Brand content (TBD, do we limit a persons platform experience with brands until they create the DID and can the person create the DID after the normal web registration process.)

• Welcome to Profila, you have not completed the step to create your Digital Identity, please return to the settings to complete this step. Until your P-DID is created you will experience reduced interactions with your brand connections.

5. Define what is out of scope in this request.

The UI implementation of the registration process for both brands and users is out of scope, housed in respective RFWs

6. What are the data protection, privacy and security assumptions made for this request (example, should this be GDPR, HIPPA (healthcare), NIST compliant etc. - Speak to Michiel or Ipek!)

Identity management security risks such as:

• Identity proofing errors (i.e., a false applicant claiming an identity that is not rightfully theirs);
• Authentication errors (i.e., a false claimant using a credential that is not rightfully theirs)

7. Explain how this user story will be supported (i.e customer support - if the user story fails technically, how will the user be supported).

Support Flow If the user cannot register successfully at any point in the flow, they will need to contact Profila to notify them of this issue, as well as have the issue resolved.

User Logic

• There is direction to contact Profila if something goes wrong in the process
  • Text within error message to display "Contact support@profila.com"
    

Tech Support Logic

• Needs to resolve issue with why the user cannot register as it is a technical issue
  

8. Explain how this user story impacts revenue or billing (if applicable).

• The registration process as a whole affects billing our to incurred costs of sending verification messages to registering users (as noted in the User Registration sign up RFW)
• The creation of a DID incurs a cost
• The use of Magic Link incurs a cost

9. State any additional risks identified as a result of this user story.

Success Metrics

Once the user or brand registers on the platform, a P-DID or B-DID is created respectively

Conceptual Design

NOTE: These steps do not account for the use of 'Magic Link' like technology within the registration process (link used to sign in/register, no password is created)

• The implementation of PRISM will be used in the registration process within the platform - The consumer will register by submitting their national digital ID or physical ID so that a DID is created and sent to Profila for a signed verifiable credential. This step is a part of the verification step and to be described further in another RFW as this step specifically is not an outcome of this RFW.

• KYC IV (identity validator) will ensure that the user or brand registered on the Profila Platform is a living person by using the registered digital or physical ID. This step is a part of the verification step and to be described further in another RFW as this step specifically is not an outcome of this RFW.

• KYC IV will ensure that all users are cryptographically identified as a unique person so that no two users with the same identity can register on the platform. This applies to brands and users. This step is a part of the verification step and to be described further in another RFW as this step specifically is not an outcome of this RFW.

• The implementation of PRISM and 'MagicLink' like technology (developed in house) will be integrated into the registration and sign in process

• Users and brands will register using an email address through the use of 'MagicLink'. This creates a non-custodial wallet for the brand or user.

• The email credential used to register is then associated with a DID created by Atala Prism. This DID is also associated with the non-custodial wallet created.

• Users and brands will sign into the Profila platform with their email associated with their DID or with an email and password associated with the DID. This is facilitated through 'MagicLink'

• Profila will create a Verifiable Credential for the consumer and sign it with our own DID

• Profila will receive the verifiable credential in place of the consumer and act as custodians for it
  

User Registration Flow

Brand Registration Flow

Drawbacks

The use of MagicLink with Atala mandates the creation of a DID for the user or brand. The drawback resulting from this is that this DID would be separate from an existing Atala DID that the user has. The amalgamation of DIDs is not currently possible, however it does not pose any drawback in relation to usability of the platform.

Alternatives

There are DID technologies which provide more autonomy for the user (managing their own seed phrase and keys), however, seed phrases hinder initial sign up and ease of use for users. This has been evaluated and resulted in the use of MagicLink with Atala Prism which enacts Profila as the custodian of the user's private keys.

New Data

A Profila ID - each person and brand will be assigned a Profila platform ID that will become the platforms unique identifier per person and brand. TBD if this is the DID, as DIDs may not be used by all users/people or brands. (ISS: DIDs must be used by all end users)

Verifiable credentials of people and brands - min and desired credentials TBD for people and brands

Public keys and private keys for the person and brand that are managed by Profila

Business release date

A rough timing for the planned release for the specification possibly resulting from this request.

Delivery of the full DID scope is requested by the end of Q4/December 2022. The Profila registration and sign-in process, upon which this RFW depends, is requested by the start of Q4/October 2022.

[IpekSahiner]

User Flow Diagram for the user (Individual) and Brand registration: Team please review: @shawnjensen @MichielVanRoey @parhelium @ProfilaMitchell @lucasbragg