A while ago, I spoke about the death of passwords, and since then, power users have become used to the idea of not using a username and password to access systems. Many vendors are working towards this, including Microsoft’s Love Passwordless campaign, which encourages as many organisations as possible to eliminate passwords. The death of passwords may be long and drawn out, but it will eventually happen.

Another disruption to digital identity is coming that will take this even further: Decentralized Identity, a new standard being developed by the Decentralized Identity Foundation.

You might be thinking: “Not ANOTHER thing I have to learn about?” Well, yes, sadly, you will need to understand this one. And once you understand what’s possible with this emerging standard, you’ll want the future to be now.

I’m not going to dive into how Decentralized Identity works or all the different potential use cases. Quite frankly, the standards are still being developed and tested. However, there is enough to know that this will deliver on its promise, and I see it as core to my duties as the Chief Technology Officer of an Identity, Access and Security company to ready enterprise, government, and the public for it. I have been working on early preparation for Decentralized Identity for a couple of years now, spreading the word and helping agencies prepare for the verified credentials market.

Digital Identity today?

Digital Identity has come a long way since simple logon accounts were established to access multi-user information systems. Today, you can prove your identity entirely online and do things such as open bank accounts, which are heavily regulated by governments worldwide to prevent money laundering. We have come so far in the digital world. Why are we looking at disrupting this?

Digital Identity is built on trust

For our current Digital Identity to work, we need trust. We need to trust our identity account provider, our document verification services, and our relying parties to treat our personal information appropriately.

What’s wrong with this?

What’s wrong? Well, how much can you trust these parties? Because Federation is based on trust, you have no real say over what personal information is passed to other parties. The flows are also difficult for end-users to follow: they cannot see what is happening behind the scenes.

You must be online

These services only work when you’re online. You can’t use your digital identity to prove who you are when you’re not connected.

Honeypots

It’s bad enough that registries, such as passports, driver’s licences, etc., typically store the registry in one system. Existing digital identity systems AGGREGATE and STORE this information in one place, making it a treasure trove for anyone who can circumvent the security protections.

Lacks privacy

Under normal circumstances, you don’t know what an Identity Provider is telling the Relying Party. By convention, they ask for your permission before passing information on, but nothing stops them from passing on anything they like. Only those who know what’s going on in the technical realm will be able to intervene.

```mermaid
sequenceDiagram
    participant Me
    participant Browser as My Browser
    participant IdP as Identity Provider
    participant RP as Relying Party
    Me->>RP: Hello, I would like to use your service
    activate RP
    RP->>Browser: I need you to go to Identity Provider to get a token for me
    deactivate RP
    activate Browser
    Browser->>IdP: What would you like me to ask the user?
    deactivate Browser
    activate IdP
    IdP->>Browser: Display this authentication form.
    deactivate IdP
    activate Browser
    Browser->>Me: Yo, fill this out!
    deactivate Browser
    activate Me
    Me->>Me: Can I remember this stuff?
    Me->>Browser: I've filled it out now.
    deactivate Me
    activate Browser
    Browser->>IdP: Is this right?
    deactivate Browser
    activate IdP
    IdP->>Browser: Yes. Here's some stuff I know about the user.
    deactivate IdP
    activate Browser
    Browser->>RP: Here's some PII about the user
    deactivate Browser
    activate RP
    RP->>Browser: Great, let's let them in! Welcome!
    deactivate RP
    activate Browser
    Browser->>Me: You don't know what I told them, but here's some stuff.
    deactivate Browser
```

Difficult to verify

In the conversation above, how does the Relying Party know whether what the Identity Provider has said about me is true? They might be able to trust the Identity Provider; it depends a lot on who the Identity Provider is. It could be a government service such as RealMe (New Zealand) or MyGov (Australia), but is it appropriate that they know who the Relying Party is? And they will. Sorry, I realise that belongs in the Lacks Privacy section.

Difficult for end-users

The diagram above is simplified. There’s a lot going on that doesn’t involve the end-user. Members of the general public can’t be expected to know what’s happening technically here. They have to trust that identity experts are looking after them properly. And there’s that word “trust” again.

How does Decentralized Identity address this?

What is Decentralized Identity?

Decentralized Identity is a new identity ecosystem, based on open, standards-based, decentralized identity patterns for people, organisations and devices. The Decentralized Identity Foundation’s vision is to:

Enable a world where decentralized identity solutions allow entities to gain control over their identities and allow trusted interactions.
Decentralized Identity Foundation

Noble sentiments, but everything indicates it is going to deliver on this vision.

The answers

I could go on forever about the details of Decentralized Identity standards and the potential use cases. The purpose of this article is to inform you how some key problems with current Digital Identity are addressed by Decentralized Identity.

Offline communication

There is a DID Communication working group on communication methods, some of which do not require being on the internet. Bluetooth, for example, can be used to exchange verifiable claims (a set of claims that can be cryptographically proven to have come from the issuing authority; see Verification is easy below).

Distributed

The Storage and Compute working group is actively working on encrypted personal datastores, whereby the user can choose where they store them and who has access to what components of their data store. This allows people to then choose solutions based on their criteria instead of being bound to one provider.

Privacy first

Because the user holds their own cryptographic keys, the standard itself prevents private information from being shared through Decentralized Identity without the user’s consent.

Verification is easy

Using the W3C Verifiable Credentials recommendation, any participant can verify that a claim presented to them was actually issued by an authority they choose to trust. No third party needs to be trusted, or contacted, to perform this verification.

Matches the physical world

As users collect their verifiable credentials and present them to whoever they choose, this much more closely resembles the physical world of identity documents such as Driver’s Licences, Passports, and other printed documents. End-users will be able to understand the flow of authorisation and consent.

```mermaid
sequenceDiagram
    participant Me
    participant Wallet as My Wallet
    participant Browser as My Browser
    participant RP as Airline
    Note over Me: I already have a digital passport in my wallet
    Me->>RP: Hello, I would like to buy a plane ticket
    activate RP
    RP->>Browser: I need a passport from Foreign Affairs.
    deactivate RP
    activate Browser
    Browser->>Me: Do you want to supply your passport? Scan this QR code with your wallet
    deactivate Browser
    activate Me
    Me->>Wallet: Scan the QR Code
    deactivate Me
    activate Wallet
    Wallet->>Me: Do you consent to send your passport to Airline?
    deactivate Wallet
    activate Me
    Me->>Wallet: Go ahead
    deactivate Me
    activate Wallet
    Wallet->>Me: Scan your face so I know it's you
    deactivate Wallet
    activate Me
    Me->>Wallet: Don't I look great today?
    deactivate Me
    activate Wallet
    Wallet->>RP: Here's the passport.
    deactivate Wallet
    activate RP
    RP->>Browser: Let's go ahead and take payment now.
    deactivate RP
    Note over Me, RP: Transaction continues
```

How do I get involved?

Join the Decentralized Identity Foundation. There are still many working groups that need help, but most important are the industry groups trying to set the use cases and standards for their industry. The technology is good enough for vendors to have products in market right now, but it will never deliver on its promise if industry sectors don’t get involved.

How do I prepare for this disruption?

Think about how and why you collect or distribute private information and verify who someone is when interacting with them digitally.

If your organisation holds registry information, start thinking about how you can become a verified credentials issuer. Issuing physical birth certificates, for example, can now be done using Decentralized Identity at far lower cost and with greater security.

UNIFY are involved with Decentralized Identity Foundation and have a strong background in this emerging space, with partners Microsoft, Meeco and Mastercard all having differing and complementary offerings in market right now. Contact us now for specialised advice on preparing, or if you are interested in a Proof of Concept.

Shane is a leading cybersecurity strategist and mentor for agile development practitioners. He manages UNIFY’s global technology relationships and guides UNIFY’s product development. He comes with over 25 years’ experience developing enterprise software solutions.