Resolving the Digital Identity Dilemma in a Decentralized Way
Identity is comprised of many things - name, date and place of birth, nationality, marital status, education degree, ability to drive a vehicle, blood type, and so much more. With our lives becoming more and more connected to the digital world, we end up offering many pieces of our identity information to prove we are who we say we are. Hundreds of websites utilize various pieces of personal data of their users - first and last names, addresses, age, to name a few - most of the time without proper rationalization and without the user even being aware. This oversharing leads to the loss of users’ control over their data, potential impersonation attacks, identity thefts, and so much more.
These risks are driving the community to discuss the digital identity dilemma and ways to solve it. Many professionals and enthusiasts are working on solving the challenge of finding a safe way to identify individuals on the internet (for instance, the DICE conference) without overexposure of their personal data. This article continues the discussion by covering some identity basics and later focusing on how decentralized identity can help individuals and organizations solve the current issues.
How does identity work?
Identity, whether physical or digital, presupposes three major actors: the user, the verifier (a party who needs to know something about the user), and the issuer (an authority that provides certain information about the user).
In the physical world, a person who wants to open a bank account (user) presents a particular credential (in this case, an identity card or passport) to a bank clerk (the verifier), which has an implicit trust in the issuing authority (e.g., a government agency) and checks the credentials without the said government agency knowing anything about it. It is on rare occasions that the verifier would call the issuing authority to inquire about the authenticity of your document.
In other circumstances, you would need to present an additional credential to cross-check some information - for instance, you might be expected to present your ID card alongside the university degree diploma. But even in this case, because of the established implicit trust, no contact with the issuer would be made.
In the digital world, there are the same three actors, but the relationship between the issuer and the verifier is direct because of technical reasons. Trust is explicit (typically established by federation): if the user needs access to certain resources, the verifier (bank app) requests the user to authenticate using a strong method with high assurance of the user’s identity. That process typically involves a direct call to the issuer of a digital identity, such as a government agency, via HTTP. Such a process creates a more or less permanent trail - the agency that issued the credential would know about the users' interaction with the bank app or any other app that they use the same login for. It can therefore track its users over the internet.
Digital Identity Dilemma
So what happens in the digital world and why does the identity dilemma occur? First, there is a direct connection between the issuer and verifier where the issuer authenticates users and shares data about them with the verifier. It poses risks not only for users but also for organizations who are collecting this information - they have to manage and keep it safe. But what if it is lost?
The second issue is that the digital trail is left everywhere you go. If you make one transaction online, it is not only the bank who knows it but the eID issuer’s system will be aware too as the bank would have to contact them to verify your identity. These log files will also have to be stored, creating another layer of vulnerability. With the current established standards, this trail is unavoidable as the direct connection is part of the design.
Finally, to present one piece of information, all the information should be revealed. For instance, if a website knows your dress size, they don’t necessarily need to know your date of birth. This creates the oversharing of information and can result in identity fraud and privacy issues. The digital identity dilemma is becoming even stronger. Identifying yourself on the web is necessary. However, the issues of privacy, oversharing, and identity theft need to be addressed as soon as possible. The measures should include stronger authentication, smarter systems able to assert properties about users without exploding the full information, and - more importantly - a paradigm shift in how we think about and treat digital identity.
Enter Decentralized Identity
The much-needed paradigm shift and a promising solution to the digital identity dilemma is decentralized identity. This new and exciting technology offers a path of how billions of users can start authenticating without relying on just a few databases and take control of their own identity, disclosing only the data that is needed and they wish to disclose.
Similar to how a movie theater attendant checks if a visibly young visitor can independently watch a PG-13 film, websites and apps must verify specific aspects of our identity to provide particular services. Instead of relying on a few centralized identity repositories and sharing excessive personal information, decentralized identity empowers users to restrict the data they wish to disclose. This enables users to furnish credentials to these apps without the identity issuer being informed about it. Moreover, the provided credential can consist of identity affirmations from various sources, culminating in a distinct and apt credential that enables users to access the intended service.
How Does Decentralized Identity Work?
The unique characteristic of a decentralized identity system is the introduction of a new actor: the wallet (or the entity holding the verifiable credential). A verifiable credential, often abbreviated as VC, functions as a record containing statements regarding an individual, their abilities, or accomplishments.
VCs share numerous parallels with tangible credentials like passports or identification cards. However, these digital credentials possess tamper-evident properties and undergo cryptographic verification. Consequently, they offer significantly enhanced security compared to their physical counterparts. Moreover, their digital nature facilitates swift transmission, rendering them more convenient and effective for establishing trust across distances.
The user keeps the wallet accessible, typically on their phone or a website they can readily reach. When interacting with a relying party or an application requiring a digital identity, rather than retrieving it directly from the issuer during that specific transaction, the wallet takes charge of furnishing the digital identity. To identify and validate the presenter of the credential, decentralized identifiers (DIDs) are used - they provide a way to bind keys that the user controls to a globally unique ID.
Benefits of Decentralized Identity Beyond Privacy and Data Control
At the current moment, technology is approaching a state of preparedness. Our mobile devices and computers are now ready to conveniently store credentials. Concurrently, there is increasing momentum in the adoption of standards to create a globally unified system, enabling effortless interoperability for both sharing and issuing credentials. This paradigm shift can provide several benefits to end users and organizations.
One benefit is the reduced friction for the end user. They can just use their cell phone and zap and share selective information with the relying party and not have to provide as much data about themselves. This leads to lower risks of identity theft and privacy breaches, allowing individuals to control their identities more productively.
There is also a relief for identity friction for organizations that will save time and effort on their part. At the same, it will reduce the amount of risk that the relying party has because they don't need to be in possession of unnecessary personally identifiable information. By limiting requested data to non-PII (with the goal of checking if certain conditions about you are true), businesses won’t have to protect them so carefully. This can result in more easiness when it comes to regulations compliance, audit, and security measures. No wonder, we see the enthusiasm towards this shift with 50% of larger and 62% of smaller companies are planning to start implementing decentralized identity in a year.
More Resources on Decentralized Identity:
Decentralized Identity, Decentralized Identifiers, and Verifiable Credentials