The need for decentralized identities

The world is in the middle of a global and holistic digital transformation on every imaginable level. Businesses that recognize this trend and embrace technological innovation will be able to align their technologies, products and services and extend their market dominance. The development of the so-called Internet of Things (IoT), the vision of seamless networking and automation of data, systems and devices, is one of the relevant issues. Vehicles that increasingly communicate and perform driving operations autonomously, artificial intelligence in medical fields that uses data to make more accurate diagnoses of patients, cities that become smart, and more importantly, big data and sensors that enable accurate forecasts and efficiencies are just the tip of this technological transformation.

How can we ensure that these grand visions do not end in digital chaos?

The fundamental technical requirements and features that encompass almost all these visions are

  • interoperability and nondiscrimination,
  • scalability,
  • resource efficiency, as well as
  • trust and security.

We see the application of distributed ledger technology in connection with so-called decentralized (or self-sovereign) identities as fulfilling essential properties of these core requirements. This is a new concept based on proven cryptographic methods, and it offers transparency for each participant. At the core of the concept is the user (a human, or even a machine or device), who retains control over their own identity and the associated data. Because the user provides only the identity data that is necessary and verifiable, unmonitored use of that data by third parties becomes enormously difficult. This approach enables a high degree of privacy and a secure exchange of the associated attributes, as well as easy peer-to-peer communication without middlemen.

Over the next few chapters and blog posts, we will discuss this topic on a high technical level, but also in a straightforward way, so that you can become an expert on decentralized identities too! First, we will clarify what a (digital) identity is and what approaches and challenges exist today, before we go in depth on the central components of decentralized identities, verifiable credentials, and distributed ledger technology, ending with the potential of these components and how they work together.

What is an identity?

In order to answer this question, we first need to define the term “identity”.

According to the international standard ISO 24760:2019, an identity consists of different sub-identities, which in turn contain a set of attributes, i.e., characteristics or properties of an entity.

An entity is an object which has a perceptible existence of its own. It may have a physical or logical embodiment, such as a person, an organization, a device, a group of objects, a SIM card, a passport, a network card, a software application, a service, or a website. Several identities can belong to the same entity.

Attributes are characteristics or qualities of an entity. They may embody an entity type, address information, a phone number, an authorization, a MAC address, or even a domain name. [1]

What is the essence of a digital identity?

In the world we live in, an identity is usually represented by a physical object. For instance, nowadays everyone has a passport, a driver’s license, maybe even a company ID card or a membership card of a gym or a club. This asset can be used to prove an affiliation and the attributes it contains, such as the date of birth, can be used for authorization by third parties.

Let’s assume a person (here: the entity) wants to purchase a beer at a bar. They will provide physical proof of their identity in the form of an ID card to the bartender who recognizes that certain authenticity attributes are present on the ID and that it comes from a known issuer, e.g. the Federal Republic of Germany. The link of the ID itself to the entity is established via a comparison of the image and the person. Based on the associated attribute “date of birth”, the bartender can also verify the person is authorized to purchase a beer, provided that the legally required age has been met. As a result, the bartender can take the order.

We should always keep this concept in mind for the following approaches and digital processes, because so far it has not been possible to implement it in the digital world without challenges. The risk of misuse and falsification of digital identities on the internet is immense, since it is difficult to verify a digital identity on the basis of its characteristics.

Most of us have multiple online accounts from different providers, each covering one or more specific services in our daily lives, but each time requiring certain characteristics of the user. These characteristics are present in online accounts that we have to create and verify ourselves.

The online account, in conjunction with the characteristics stored there, such as picture, age, place of residence or occupation, then forms our digital identity. We gain access to this identity, which is held by the service provider, when we log in with the correct credentials.

The steps of the process are as follows:

A user would like to use a website or a service. To do so, they must specify which digital identity belongs to them by entering their username. To prevent anyone from logging in with this name and using the service without authorization, the user must prove that they are the real holder of the identity. For digital identities, there are three categories of methods to do so:

  • Through knowledge (e.g., a secret password),
  • possession (e.g., a card, a cell phone, an ID card), or
  • properties (e.g., biometric properties such as fingerprints).

A combination of these methods is also possible.

Most of us will be most familiar with proof through knowledge, i.e. entering a password or PIN. After the user enters it into the form, the provider checks it against their system, which authenticates the user to the service and grants them access.
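The knowledge-based login described above, seen from the provider's side, as an added example that is not part of the original post. The `AccountStore` class, the user names and the scrypt parameters are assumptions made for illustration; the point is that the provider stores only a salted, slow hash and answers a wrong password and an unknown username in the same way.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def derive_key(password, salt):
    """Slow, salted hash so a leaked store does not reveal passwords directly."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)


class AccountStore:
    """Hypothetical provider-side store: username -> (salt, password hash)."""

    def __init__(self):
        self._accounts = {}
        # Dummy record: unknown usernames cost the same work as known ones,
        # so response time does not reveal which identities exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = derive_key(os.urandom(16).hex(), self._dummy_salt)

    def register(self, username, password):
        salt = os.urandom(16)  # per-user salt; the password itself is never stored
        self._accounts[username] = (salt, derive_key(password, salt))

    def authenticate(self, username, password):
        """The username claims an identity; the password proves the claim."""
        known = username in self._accounts
        salt, stored = self._accounts.get(
            username, (self._dummy_salt, self._dummy_hash))
        candidate = derive_key(password, salt)
        # Constant-time comparison, executed for known and unknown users alike.
        matches = hmac.compare_digest(candidate, stored)
        return known and matches


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")  # constructed sample
    print(store.authenticate("alice", "correct horse battery staple"))
    print(store.authenticate("alice", "wrong password"))
    print(store.authenticate("mallory", "correct horse battery staple"))
```

Note that the whole digital identity here lives in the provider's store, which is the dependency the decentralized approach sets out to remove.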

– next chapter coming soon –