A while ago, I spoke about the death of passwords, and since then, power users have been becoming used to the idea of not using a username and password to access systems. Many vendors are working towards this, including Microsoft’s Love Passwordless campaign to encourage as many organisations as possible to eliminate passwords. The death of passwords may be long and drawn out, but it will eventually happen.
Another new disruption to digital identity is coming that will take this even further. This disruption is Decentralized Identity, a new standard being developed by the Decentralized Identity Foundation.
You might be thinking: “Not ANOTHER thing I have to learn about?”. Well, yes, sadly, you will need to understand this one. And once you understand what’s possible with this emerging standard, you’ll want the future to be now.
I’m not going to dive into how Decentralized Identity works or all the different potential use cases. Quite frankly, the standards are still being developed and tested. However, there is enough to know that this will deliver on its promise, and I see it core to my duties as the Chief Technology Officer of an Identity, Access and Security company to ready enterprise, government, and the public for it. I have been working on early preparation work for Decentralized Identity for a couple of years now, spreading the word and helping agencies prepare for the verified credentials market.
Digital Identity today?
Digital Identity has come a long way since simple logon accounts were established to access multi-user information systems. Today, you can prove your identity entirely online and do things such as open bank accounts, which are heavily regulated by governments worldwide to prevent money laundering. We have come so far in the digital world. Why are we looking at disrupting this?
Digital Identity is built on trust
For our current Digital Identity to work, we need trust. We need to trust our identity account provider, our document verification services, and our relying parties to treat our personal information appropriately.
What’s wrong with this?
What’s wrong? Well, how much can you trust these parties? As Federation is based on trust, you have no real say about what personal information is passed to other parties. Also, the scenarios are difficult for end-users to understand what’s happening behind the scenes.
You must be online
These services only work when you’re online. You can’t use your digital identity to prove who you are when you’re not connected.
It’s bad enough that registries, such as passports, driver’s licences, etc., typically store the registry in one system. Existing digital identity systems AGGREGATE and STORE this information in one place, making it a treasure trove for someone that can circumvent security protections.
Under normal circumstances, you don’t know what an Identity Provider is telling the Relying Party. By convention, they can ask for your permission before telling them, but nothing is stopping them from passing on anything they like. Only those who know what’s going on in the technical realm will be able to intervene.
Difficult to verify
In the conversation above, how does Relying Party know if what Identity Provider has said about me is true? They might be able to trust Identity Provider; it depends a lot on who Identity Provider is. It could be a government service such as RealMe (New Zealand) or MyGov (Australia), but is that appropriate that they know who Relying Party is? And they will. Sorry, I realise that goes in the Lacks Privacy section.
Difficult for end-users
The diagram above. Well, I simplified it. There’s a lot going on that doesn’t involve the end-user. Members of the general public can’t be expected to know what’s happening technically here. They have to trust that Identity experts are looking after them properly. And there’s that word “trust” again.
How does Decentralized Identity address this?
What is Decentralised Identity?
Decentralized Identity is a new identity ecosystem, based on open, standards-based, decentralized identity patterns for people, organisations and devices. The Decentralized Identity Foundation’s vision is to:
Enable a world where decentralized identity solutions allow entities to gain control over their identities and allow trusted interactions.Decentralized Identity Foundation
Noble sentiments, but everything looks like it is going to deliver on this vision.
I could go on forever about the details of Decentralized Identity standards and the potential use cases. The purpose of this article is to inform you how some key problems with current Digital Identity are addressed by Decentralized Identity.
There is a DID Communication working group on communication methods, some of which do not require being on the internet. Bluetooth is a standard that can be used to swap verifiable claims (a set of claims proven to be from the authority, using cryptography, see Verification is easy below).
The Storage and Compute working group is actively working on encrypted personal datastores, whereby the user can choose where they store them and who has access to what components of their data store. This allows people to then choose solutions based on their criteria instead of being bound to one provider.
With personal cryptography keys, the very standard itself makes it impossible for private information to be shared through Decentralized Identity without the user’s consent.
Verification is easy
Using the W3C recommendation of Verifiable Credentials, any participant can verify a claim presented to them was actually issued by an authority you want to trust. There is no third party trust required to do this verification.
Matches the physical world
As users collect their verifiable credentials and present them to whoever suits them, this much more closely represents the physical world with identity documents such a Drivers Licences, Passports, and other types of printed documents. End-users will be able to understand the flow of authorisation and consent.
How do I get involved?
Join the Decentralized Identity Foundation. There are still many working groups that need help, but most importantly, are the industry groups trying to set the use cases and standards for their industry. The technology is good enough for vendors to have products in market right now, but it will never deliver on its promise if industry sectors don’t get involved.
How do I prepare for this disruption?
Think about how and why you collect or distribute private information and verify who someone is when interacting with them digitally.
If your organisation holds registry information, start thinking about how you can become a verified credentials issuer. The same way you send out physical birth certificates, for example, can now be done using Decentralized Identity with far lower cost and greater security.
UNIFY are involved with Decentralized Identity Foundation and have a strong background in this emerging space, with partners Microsoft, Meeco and Mastercard all having differing and complementary offerings in market right now. Contact us now for specialised advice on preparing, or if you are interested in a Proof of Concept.