Digital Identities on the Web
Very few people really understand the concept of Self-Sovereign Identity. The technology is still in its infancy, and some enterprising individuals are pioneering its real-world adoption right now. What is necessary to understand here, though, is that it’s founded on something called Decentralised Identifiers (DIDs). What DIDs do is challenge our digital existence as we know it — providing an unprecedented private and secure way of leading our lives in the digital age. In contrast with the scientific excitement and cutting-edge research happening around it, a DID by itself looks rather inconspicuous: it is just a character string. Yet, its cryptographically generated keys contain all the power necessary to secure all aspects of your digital identity.
To properly understand the problem that the approach of DIDs and Self-Sovereign Identity is trying to solve, we first need to understand the current handling of our digital identities.
The Challenges We Face
In today’s internet, or the so-called Web 2.0, our simplest digital representation is the login credential: we use them all the time on the Internet to identify ourselves as users on a myriad of websites and platforms. We usually verify our identity using an email address, occasionally an optional username, and the mandatory password. Since almost every service on the internet now requires such an identity check, major identity providers such as Facebook, Google, and Apple offer their personal verification service. By logging in as a user of one of these major platforms, we can avoid the hassle of creating yet another account for each web service.
From the user's point of view, this sounds simple and practical: There is no need to remember countless login credentials, add secure (or convoluted) passwords, and manage them via password managers. Even better, once logged in, we can usually log in seamlessly to other sites (that also use this Single-Sign-On service) without further verification.
The silent price being paid here is our privacy, our data as indeed nothing is free in the world of centralised (identity) providers. The growing number of users who use such centralised services on the web indicates that a lot of people are unaware of the implications, or that they simply don't care - no direct damage can be felt: what can someone like Facebook do with the data, for example? We should think about this, though. When you create a social-media account, you also agree to your user data being passed on to third-parties, that is, monetized and sold to advertisers or other bidders. The incredible concentration of personal data on all social, economic, and behavioural topics makes this information pool incredibly attractive to certain parties. Authoritarian regimes, including their intelligence services and police forces, scammers and cyber micreants of all tropes, and even criminal or terrorist organisations can often find such centralised data sets quite invaluable.
Another problem for users of such services is that their traces on the internet can be tracked easily and reconstructed into paths, up to complete movement profiles. Since all data can now be linked to a specific profile, Google, for example, knows what you bought in a web store, which vacation destinations interest you and which articles you read on your favourite news portal. The fact that these services are generally free of charge is due to the fact that we actually pay for them with our data. It is possible to draw concrete conclusions about a real person with the help of the available data. Our choices, beliefs, and behaviour are no longer private.
Certain services on the Internet also require unique authentication of the real person; an e-mail address alone is not sufficient for this. This is necessary, for example, if we want to apply for insurance online or if an age confirmation is required to comply with the law for the protection of minors. To do this, we must prove our real identity, which is then linked to our digital identity. Because our sensitive and personal data is being processed here, we would want the utmost protection and security. However, when this information is transmitted to a company or institution,we have no control over how our sensitive data is stored and secured there. Nevertheless, we cannot completely avoid sharing our identity and identifiable details online. The digital networking of society is unstoppable and the use of online services is becoming a daily occurrence. We need an easy way to identify oneself on the web, while preserving our privacy and also the security of our data.
So what can SSI do to enable simple and secure identification, while avoiding the pitfalls associated with current methods?
No central repository of personal data and no link between one's identity and the data traces one has left behind – these are cornerstones of the identity mechanism that’s possible via DIDs. The concept of such a decentralised identity is what we refer to as Self-Sovereign Identity (SSI). The idea behind it is already in the name. In such a framework, I as a person regain control over my identity and the data associated with it. Decentralised Identifiers (DIDs) are currently emerging as a platform-independent standard for SSI.
The Holder of the Identity creates DIDs for every needed purpose; each identity refers to the subject but does not reveal any personal data. A DID does not contain information about an individual identity, it is just an identifier. So-called verifiable credentials (VCs) are used to prove whether certain information about the holder is valid. These VCs can be seen as statements from one entity about another, for example the statement that an identity belongs to a specific user.
The most important aspect of a decentralised identity is to separate the different components of an Identity and Access Management (IAM). In this way, critical data can be secured during access and the identity of the user can still be verified. A special form of data storage, called Distributed Ledger Technology (DLT) can be used for this. In contrast to centrally controlled databases, which run via a specific server and are dependent on it, the data in the DLT is stored in a distributed manner. A Distributed Ledger also brings maximum security inherently, because it relies on cryptography. Each new piece of information is cryptographically signed by a private key that remains under the user’s control to provide proof of integrity of data.
A DLT seems to be the ideal infrastructure for a distributed and secure Identity and Access Management system with the main components being user accounts and their access rights. The components can be assigned to different actors. The owner of the data (Holder) can control their data and decide how much of it they want to disclose, and for what purpose. A trusted Entity (Issuer) can verify individual documents or certificates (e.g. university diploma) and issue permissions on them and transmit them to the owner, the actual Personally Identifiable Information is never on the ledger. A third party (Verifier) in turn verifies the owner of these credentials as the person he claims to be.
The shift in control of moving from a centralised identity model to a Self-Sovereign Model.
Federated Identity Model: The identity holders (e.g. users) cannot provide their data themselves. The identification is usually carried out by a third party. An issuer (e.g. government) must confirm the identity to the Verifier (e.g. Service Provider) directly or through an identity verification service.
Self-Sovereign Identity Model: The Issuer (e.g. the government) issues credentials to their DID and Verifiers by submitting a challenge, which the DID Holder has to prove. The holder's wallet securely stores a key, which can prove ownership of the DID, that is stored in the DLT along with the DID document. The Holder (e.g. user) sends the required identity information to the Service Provider and proves these credentials by demonstrating control over the private key. The Service Provider validates the user's and issuer's cryptographic signatures via the DLT. After the validation process, the user is granted access by the Service Provider.
The SSI system is expandable, so in the future, one can provide certain information through selective disclosure, without having to reveal everything about oneself right away. It is possible to use a credential that proves that one is already 18 years old, without having to undergo a complete check of one's person including place of residence, nationality or other personal data. If a recurring identification for web services is to be anonymized, one can create a new credential for each login process. This way, the individual logins cannot be associated with each other and no conclusions can be drawn about the person.
The advantages of this decentralised and secure solution are visibly valuable and this approach could benefit not only us as users but will also help companies and institutions.
How does Self-Sovereign Identity help me?
More data protection through higher security: the data is encrypted and stored in a decentralised storage system, where it is protected from access by third parties
More control over one's own data: As a user, you only release the data that is necessary. The identity can be stored on one's own smartphone, for example.
Privacy on the web: Through the use of Zero-Knowledge Proofs (ZPKs) and selective disclosure mechanisms, there are limited data traces created that can be used to draw conclusions about a user's identity.
Simplified login procedures: The user becomes their own identity provider via their own decentralised digital identity. In the future, it will be possible to dispense with the creation of usernames and passwords in many areas.
More independence: Since the platforms or web services know less about the user, it is more difficult to manipulate them and encourage them to buy their own services or products.
Why would a big company or governmental body use Self-Sovereign Identity?
Transparency and trust: Companies and institutions that actively protect the privacy of their users are considered trustworthy and thus increase their customer loyalty or trust relationship with citizens.
Strengthening democratic processes: Small companies but also governments can better escape the market power of the current tech giants and align their processes to the needs of the users.
Cost savings through reduction of data storage: The permanent and secure storage of personal data is complex and expensive. This is no longer the case if the data is no longer stored at the company itself, but only retrieved for data relevant to the business relationship.
Privacy and security compliance: by outsourcing personal data to an external, encrypted system, companies do not need to build up and permanently finance their own legally compliant expertise in this field.
With the help of DIDs and VCs, the concept of Self-Sovereign Identity will become a tangible reality. It can drive digitization forward and enable us to fully utilise the potential of the digital world in a privacy compliant manner. The security concepts it supports will also provide strong foundations to convince adoption by critical users and to help drastically minimize the risks of fraud and identity theft that are prevalent in current Web 2.0 systems. As we observe the pitfalls of the current infrastructure that handles our digital identities, it is important that we start to step away from this reliance on digital identity provided by but a handful of individual corporations and together work towards the development of expertise and solutions in all key sectors that can help pave the way for the future of Self-Sovereign Identity, for everyone, everywhere.