Digital Identity: Decentralization and Self-Sovereignty
Author: Lenka Tušar
Source: Fintech Factory
The digital economy has thrived on the value of collecting, verifying, and managing users' identities in their interactions with the online environment. An array of use cases from ID issuing and health records to financial transactions and KYC have instilled the need for increased security and improved management of personal and virtual identity data.
At present, a large part of identification data remains stored and managed in centralized databases and servers, be it those of government institutions or IT/telecom/financial companies. Having high-value data accumulated in one place not only incurs high costs and responsibility but also exposes it to a higher risk of attack, data breaches, and identity theft. The incentive to explore and implement a better way of handling personal data has now been brought about by both parts of the identity management equation.
On the one hand, companies invest heavily in cybersecurity, regulatory compliance, and personal data protection, but strict bureaucratic processes often harm the user experience. Businesses thus look for ways to optimize workflow and cut down expenses while becoming more competitive in serving their users better.
Individuals, on the other hand, hold various tangible documents and identity cards while interacting with the online world, on a daily basis, through third-party digital identity providers that give free access but charge by collecting personal data. Several infamous cases of data breaches and unauthorized monetization have led people to seek alternative ways to manage their Personally Identifiable Information (PII) and history of interactions, control its sharing, and secure their privacy.
Digital identity – decentralized way
The main features of the blockchain technology and data management on a blockchain network are decentralization, immutability, and transparency. A blockchain-based digital identity responds to several challenges that centralized or human-run models are currently facing:
Prevents replicated identities through data verification by all the network users and through time stamping of transaction records
Prevents data tampering through hashing algorithms
Prevents data processing manipulation with a majority consensus achieved through several mechanisms (proof of work, proof of stake, etc.)
Governmental and authorized institutions would still have their role in authenticating the identity information by verifying and validating the digital records to be inscribed on the blockchain. But in the majority of cases, this would only be required the first time. Similar to an official document, a blockchain-based identity proof would serve the same purpose, but with enhanced security.
As opposed to a traditional identity document that lists several categories of PII at once, a blockchain-based digital identity could disclose or confirm only specific information through a cryptographic hash, digital signature (provided by authorized institutions), and zero-knowledge proof to authenticate encrypted data.
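The hash-based part of that selective disclosure can be made concrete. The sketch below is an added example, not code from the article or from any project it names: it assumes the issuer commits to each attribute with a salted SHA-256 hash and combines the commitments into a Merkle root, which stands in for the record an issuer would sign or inscribe on the ledger. The Merkle construction, function names, and sample credential are assumptions; the issuer's signature and zero-knowledge proofs are out of scope here.

```python
import hashlib
import hmac
import os

def leaf(name, value, salt):
    # Salted commitment to one attribute; the random salt stops a verifier
    # from guessing low-entropy values (a birth date, a country) by brute force.
    return hashlib.sha256(b"\x00" + salt + name.encode() + b"\x00" + value.encode()).digest()

def node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01: interior-node domain tag

def _parent_level(level):
    out = [node(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    return out + [level[-1]] if len(level) % 2 else out  # odd node is promoted unchanged

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _parent_level(level)
    return level[0]

def merkle_proof(leaves, index):
    proof, level = [], list(leaves)
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))  # (hash, sibling_is_left)
        level, index = _parent_level(level), index // 2
    return proof

def issue(attributes):
    # Issuer side: one salt per attribute, one root to sign or anchor on the ledger.
    names = sorted(attributes)
    salts = {n: os.urandom(16) for n in names}
    leaves = [leaf(n, attributes[n], salts[n]) for n in names]
    return merkle_root(leaves), salts, names, leaves

def disclose(name, attributes, salts, names, leaves):
    # Holder side: reveal one attribute, its salt, and the sibling hashes only.
    return name, attributes[name], salts[name], merkle_proof(leaves, names.index(name))

def verify(root, name, value, salt, proof):
    h = leaf(name, value, salt)
    for sibling, sibling_is_left in proof:
        h = node(sibling, h) if sibling_is_left else node(h, sibling)
    return hmac.compare_digest(h, root)

# Constructed sample credential (not real data).
SAMPLE = {"name": "Ana Novak", "date_of_birth": "1990-04-12", "nationality": "SI"}
```

The verifier learns the disclosed attribute and a few opaque hashes; the other attributes stay hidden as long as their salts are never revealed.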
In a nutshell, the blockchain or distributed ledger technology gives room for digital identity improvement in a decentralized manner and gives more authority to individuals or companies to manage their own private or confidential data.
Self-sovereign identity (SSI)
SSI is a user-centric upgrade of a decentralized identity that addresses the need of individuals to retain control over their identity and share with organizations and platforms only the required information without disclosing the rest. What this means for businesses is that they would need a user's consent to operate with their data and could reduce the risk that a centralized management would otherwise expose it to.
With the potential to replace passwords to authorize a process or verify identity, SSI could provide several benefits through the implementation of the blockchain technology and cryptography.
From a user’s perspective, a single and user-managed digital ID could allow individuals to enter different online platforms with more authority over the use of their PII and all the data generated through online interactions while leveraging faster transactions and better user experience. When enhanced with the interoperability feature, it supports user mobility and easy transfer of data to another organization without the need to go through the same bureaucratic processes. By guaranteeing privacy and confidentiality, blockchain-based SSI becomes more secure than traditional means of identification.
On the other hand, companies, platforms, financial institutions, and online services that deal with digital identity and require users to undergo strict (and costly) authentication, due diligence, KYC and AML processes could leverage the blockchain-based digital ID systems as more reliable and flexible (in terms of data transfer) than the traditional ones, especially in combination with digital signatures. The distributed and cryptographic system of data authentication and management would mitigate the risk of data hacks and fraud, while data management on a shared ledger could reduce costs, speed up the process, and improve customer service.
Blockchain-based SSI is further addressing the needs of the privacy-conscious users. It would allow for the management of multiple virtual identities to resemble the identities people have in real life, from workplace to healthcare, while anonymous authentication through unique attributes would provide higher protection from hacker attacks.
To fight the unlikely security risks of the SSI on the blockchain, a combination of various security mechanisms should be put in place. For example, digital signatures issued by governmental institutions could mitigate the risk of so-called synthetic identity theft, and authorized validators could prevent the 51% attack that could threaten small and public blockchain networks. To some extent, SSI would thus still require initial participation of an authorized institution to issue and verify the digital identities (or to protect our private keys). This might undermine its fully decentralized status; however, the complete authority of identity on the blockchain would still be possible within the scope of virtual or pseudonymous identities.
Changes on the horizon
With the general public increasingly aware of the importance of security and ethical management of personal data, the traditional centralized digital identity systems have been testing new ways of redesign. The trend is also backed by EU regulators through the release of directives PSD2, GDPR, and MiFID2.
While it's still early to expect any significant shifts towards systemic decentralization, the blockchain technology combined with some support from government and financial institutions (at least in the area of initial identification and data authentication) could breed some promising ways of enhanced and more user-centric data management, storage, and sharing.
Many projects, like Sovrin, ConsenSys' uPort, Civic, and Global ID, have paved a solid way towards a more secure and well-managed digital identity and SSI. Regardless of the specifics of the features, applicability, or use cases, it seems like some sort of distributed ledger technology or decentralization would often be at the core of the digital identity development in the years to come.