Digital Identity: Moving to a Decentralized Future

Decentralized identity improves the end-user experience and helps enterprises strengthen data privacy.

Vinod Baya

Director & Head of Emerging Technology

The internet is fundamental to commerce and social interactions. Both require robust systems of identity so they can function, but identity wasn’t built into the internet’s original design. To compensate for this shortcoming, organizations have built nonuniversal services that confirm identity and control over accounts. Unfortunately, these have generally been local in scope.

Today identity is typically managed at the application or enterprise level. Occasional attempts to federate beyond that level have achieved only moderate success, mostly in noncritical areas such as social apps. As a result, most internet users maintain over 90 individual username and password combinations, and the unintended consequence is that each provider they interact with has become a honeypot of personal information vulnerable to theft.

Digital identity isn’t working very well for the people who have it, and at least 1.1 billion people don’t have any digital or legal identity at all. Efforts such as India’s government-sponsored Aadhaar are underway to correct this, but by centralizing so much information and the control over it, these efforts are creating a new kind of problem while solving another.

What is required is an approach to digital identity that is simple, secure, portable, and under the control of the person it represents. The emerging field of decentralized digital identity may be the solution.

What Is Digital Identity?

As interactions move from face to face in the physical world to the internet, people must be able to prove who they are online. Digital identity is identity that can be verified over digital channels with identifying credentials that are digital, portable, secure, and verifiable in real time.

Today, most people’s legal identities are represented by offline physical documents such as passports. Their social identities may be digital, but those identities are usually controlled by a large social platform vendor such as Facebook or LinkedIn, which uses impermanent terms of service to control users’ access to their own social identities. Behavioral identities live mostly in a person’s search and usage histories with platform vendors and ad-tech databases, where they may be bought and sold without the person’s knowledge or consent.

Physical identity methods fail online, because digital copies of physical documents are easy to forge and because remote presence is tough to verify. Physical identity methods also are not scalable in the way platform- and software-based businesses increasingly require. Such issues have been apparent from the early days of the internet, and they have led to the two predominant solutions of centralized and federated identity in use today.

The Evolution of Digital Identity

The first and still most common form of digital identity is the siloed shared-secret model that anyone who has ever used a username and password is familiar with. Service providers use a combination of online and offline processes to onboard users, then authenticate their identity for future interactions via secrets such as passwords, mothers’ maiden names, and confirmation emails. In this centralized model, user information is fragmented across a pool of service providers (Figure 1). This method is inconvenient for users, who must remember an ever-growing list of usernames and passwords, and makes it easier for hackers to commit identity theft.

Figure 1. Digital identity has evolved from centralized to federated models. Federated identity only addresses authentication—every other aspect of identity is still based on the centralized model. Beyond federated identity, a new architecture of decentralized identity is emerging.

For service providers, this solution is neither secure nor efficient. User passwords are often compromised (in part because users repeat passwords across services) or forgotten, leading to costly security breaches and password reset customer service calls. All of these drawbacks gave rise to the second solution, the federated model, where a single party in charge of both the onboarding and authentication of users offers identity solutions to different enterprises.

The most popular providers of federated identity services are social media sites (Figure 2), and their primary offering related to identity is portability. People can have the same username and password combination across multiple services, and online services don’t need to build their own identity management infrastructure.

This approach has several major drawbacks. It’s not very useful for high-touch services such as banking that have more stringent onboarding requirements. It also creates massive pools of user data that can be monetized by social media sites at best and serve as honeypots for hackers at worst.

Some of the more shocking online developments in recent years (Table 1), including the Cambridge Analytica scandal¹ and the Equifax data breach², can be traced to the limitations of the centralized and federated approaches to digital identity. The economic and personal costs of such scandals and breaches have opened the door to a better solution.

Figure 2. Typical federated and username/password login screen
Source: medium.com

Table 1. Major data breaches throughout history
Source: Visual Capitalist

Back to the Future with Decentralized Digital Identity

The next generation of digital identity uses a blend of the old and the new. As in the predigital era, it returns control to users by issuing them digital credentials that can be self-custodied and shared only with trusted parties. Unlike in the past, it provides infrastructure for such credentials to be issued, stored, and verified at scale and regardless of whether two parties are meeting in person or interacting online. Two innovations make this possible—the process innovation of verifiable credentials and the technological innovation of distributed ledger technology (DLT). The decentralized nature of the infrastructure moves digital identity from an application to an ecosystem (Figure 3).

Figure 3. This simple view of a decentralized identity system describes the flow of information between participants.
Source: Adapted from Sovrin Foundation white paper, 2018, https://sovrin.org/wp-content/uploads/2018/03/Sovrin-Protocol-and-Token-White-Paper.pdf

How Does Decentralized Digital Identity Work?

Before diving into how decentralized identity works, it’s important to establish some common terminology. Any personal datum that forms an individual’s identity, such as a name or date of birth (DOB) that can be attested by a trusted authority, is known as a claim. A group of claims that are combined into a single document, such as a driver’s license, is a credential. Entities that issue credentials, such as the department of motor vehicles (DMV), are known as issuers. Owners of credentials are known as owners or holders. And any entity that an owner presents a claim to, so the owner can establish some aspect of their identity, is a verifier.

For decentralized identity to work, users need a mobile identity wallet on their smartphone—software that securely holds the credentials and interacts with issuers and verifiers. The metadata needed to make the system work is written to the registry in the form of a new industry standard known as a Decentralized Identifier, or DID. The credentials themselves are always transacted directly between wallets, never through the registry. To attach a credential to that DID, an issuer—after adequate verification—issues a verifiable credential (VC).

Verifiable credentials are made tamperproof through cryptography. Public keys needed to make the cryptographic elements work are stored in the registry as part of DIDs. Decentralized identity approaches do not require any sensitive data (such as an individual’s personally identifiable information [PII]) to be stored on the ledger. The ledger only acts as the root of trust, allowing the recipient of a credential, a verifier, to confirm that a credential sent by a user was in fact cryptographically signed by the proper issuer.

Consider the example (Figure 5) of a digital driver’s license issued to an individual who then uses it to open a bank account:

  1. First, the DMV, having generated its own DID on the registry, signs the credential with its private key; the corresponding public key is stored in its DID on the blockchain registry.
  2. The signed credential is sent directly to the user’s smartphone or designated cloud location.
  3. To open that bank account, the user countersigns the credential with their own private key and sends it directly to the bank.
  4. The bank, now playing the role of verifier, can reference the registry to confirm that the two signatures on the credential do in fact correspond to the issuer and the holder.

Figure 5. Flow for a digital driver's license issued to an individual who then uses it to open a bank account.
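The four steps above, modeled as an added example that is not part of the original paper or of any project it names. A mock registry holds only DIDs, their public keys and a revocation list; the credential itself travels wallet-to-bank and never touches the registry. The DIDs, credential ID and claims are constructed sample values, and the JSON credential layout and the holder's countersignature over the issuer signature plus a verifier-chosen nonce are simplifications chosen for this example, not the W3C data model or any real DID method.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Registry stands in for the DID registry (ledger): DIDs -> public keys plus a revocation list; no credentials, no PII. Simplified model, not a real DID method.
type Registry struct {
	keys    map[string]ed25519.PublicKey // DID -> verification key
	revoked map[string]bool              // credential ID -> revoked
}

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}} }
func (r *Registry) Register(did string, pub ed25519.PublicKey) { r.keys[did] = pub }
func (r *Registry) Revoke(credID string)                      { r.revoked[credID] = true }

// Credential is a simplified verifiable credential: issuer DID, holder DID and claims.
type Credential struct {
	ID      string            `json:"id"`
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"` // the holder's DID
	Claims  map[string]string `json:"claims"`
}

// canonical is what the issuer signs; encoding/json sorts map keys, so equal credentials serialize identically.
func (c Credential) canonical() []byte { b, _ := json.Marshal(c); return b }

// Presentation is what the wallet sends to the verifier: the credential, the issuer's signature
// over it, and the holder's countersignature over credential || issuerSig || nonce.
type Presentation struct {
	Cred      Credential
	IssuerSig []byte
	HolderSig []byte
	Nonce     []byte // chosen by the verifier, so a captured presentation cannot be replayed later
}

func (p Presentation) signedBytes() []byte { return append(append(p.Cred.canonical(), p.IssuerSig...), p.Nonce...) }

// Step 3: the holder countersigns over the verifier's nonce and sends the result directly to the verifier.
func Present(holderPriv ed25519.PrivateKey, c Credential, issuerSig, nonce []byte) Presentation {
	p := Presentation{Cred: c, IssuerSig: issuerSig, Nonce: nonce}
	p.HolderSig = ed25519.Sign(holderPriv, p.signedBytes())
	return p
}

// Step 4: the verifier (bank) resolves both DIDs on the registry, then checks nonce, both signatures and revocation.
func Verify(reg *Registry, p Presentation, expectedNonce []byte) error {
	issuerKey, okI := reg.keys[p.Cred.Issuer]
	holderKey, okH := reg.keys[p.Cred.Subject]
	if !okI || !okH {
		return errors.New("issuer or holder DID not found in registry")
	}
	if !bytes.Equal(p.Nonce, expectedNonce) {
		return errors.New("nonce mismatch: stale or replayed presentation")
	}
	if !ed25519.Verify(issuerKey, p.Cred.canonical(), p.IssuerSig) {
		return errors.New("issuer signature invalid: credential altered or not from this issuer")
	}
	if !ed25519.Verify(holderKey, p.signedBytes(), p.HolderSig) {
		return errors.New("holder signature invalid: presenter does not control the subject DID")
	}
	if reg.revoked[p.Cred.ID] {
		return errors.New("credential revoked by issuer")
	}
	return nil
}

// Outcome holds the result of each check in the scenario below (nil means accepted).
type Outcome struct{ Valid, Tampered, Replayed, Revoked error }

// RunScenario walks the driver's-license example end to end with constructed DIDs and claims.
func RunScenario() Outcome {
	reg := NewRegistry()
	dmvPub, dmvPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg.Register("did:example:dmv", dmvPub) // constructed sample DIDs
	reg.Register("did:example:alice", userPub)
	cred := Credential{ID: "urn:example:dl-1001", Issuer: "did:example:dmv", Subject: "did:example:alice",
		Claims: map[string]string{"name": "Alice Example", "dob": "1990-01-01", "license_class": "C"}}
	issuerSig := ed25519.Sign(dmvPriv, cred.canonical()) // step 1; step 2 is delivering it to the wallet
	nonce := make([]byte, 16)
	rand.Read(nonce) // the bank's fresh challenge
	var out Outcome
	out.Valid = Verify(reg, Present(userPriv, cred, issuerSig, nonce), nonce)
	altered := cred // the holder edits a claim after issuance; the DMV's signature no longer matches
	altered.Claims = map[string]string{"name": "Alice Example", "dob": "1970-01-01", "license_class": "C"}
	out.Tampered = Verify(reg, Present(userPriv, altered, issuerSig, nonce), nonce)
	out.Replayed = Verify(reg, Present(userPriv, cred, issuerSig, make([]byte, 16)), nonce) // built for another challenge
	reg.Revoke(cred.ID) // the DMV revokes the license; the same presentation now fails
	out.Revoked = Verify(reg, Present(userPriv, cred, issuerSig, nonce), nonce)
	return out
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Two things the bank never needs are worth noticing: it never contacts the DMV at presentation time, and the registry never sees the credential. The ledger serves only as the root of trust for the two public keys and the revocation status, which is exactly the role the text assigns it. The nonce is the detail the four-step description leaves implicit: without it, anyone who captured a valid presentation could replay it to the same bank later.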

Whereas public-private cryptography in a blockchain like that of Bitcoin tracks the provenance of a digital token, for identity the DLT infrastructure can be used to track the provenance of verifiable credentials.

Decentralized systems must integrate with existing identity and access management (IAM) systems, manage keys appropriately (including key recovery and revocation), and implement all of it through privacy by design principles—for example, by using the emerging technology of a zero-knowledge proof or zero-knowledge protocol.
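The privacy-by-design point above, shown as an added example that is not from the paper or any project it mentions. Instead of a zero-knowledge proof, it uses the simpler salted-hash-commitment form of selective disclosure (the approach the SD-JWT family of standards takes): the issuer signs commitments to every claim, and the holder opens only the ones a verifier asks for. It is not a zero-knowledge proof; the verifier still learns the exact values it is shown and cannot be convinced of a predicate such as "over 18" without seeing the date of birth. The DIDs and claims are constructed sample data, and the commitment encoding is a choice made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Disclosure opens one commitment: the claim value plus the random salt the issuer used.
// The wallet keeps all openings; the holder reveals only the ones a verifier needs.
type Disclosure struct {
	Value string
	Salt  []byte
}

// SDCredential is the part the issuer signs: claim names mapped to salted-hash commitments.
// It contains no claim values, so the signed object alone discloses nothing.
type SDCredential struct {
	Issuer      string            `json:"issuer"`
	Subject     string            `json:"subject"`
	Commitments map[string]string `json:"commitments"`
}

func (c SDCredential) canonical() []byte { b, _ := json.Marshal(c); return b } // sorted keys -> deterministic

// commit hashes (name, salt, value) as a JSON array so fields cannot bleed into one another;
// the 16-byte random salt stops anyone guessing low-entropy values such as a date of birth.
func commit(name string, salt []byte, value string) string {
	enc, _ := json.Marshal([]string{name, hex.EncodeToString(salt), value})
	sum := sha256.Sum256(enc)
	return hex.EncodeToString(sum[:])
}

// Issue commits to every claim, signs the commitments, and hands the holder the openings.
func Issue(priv ed25519.PrivateKey, issuer, subject string, claims map[string]string) (SDCredential, []byte, map[string]Disclosure) {
	cred := SDCredential{Issuer: issuer, Subject: subject, Commitments: map[string]string{}}
	openings := map[string]Disclosure{}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt)
		cred.Commitments[name] = commit(name, salt, value)
		openings[name] = Disclosure{Value: value, Salt: salt}
	}
	return cred, ed25519.Sign(priv, cred.canonical()), openings
}

// Present selects only the openings the verifier asked for; everything else stays in the wallet.
func Present(openings map[string]Disclosure, reveal ...string) map[string]Disclosure {
	out := map[string]Disclosure{}
	for _, name := range reveal {
		if d, ok := openings[name]; ok {
			out[name] = d
		}
	}
	return out
}

// Verify checks the issuer's signature over all commitments, then opens only the disclosed
// ones. Undisclosed claims stay hidden yet remain covered by the same signature.
func Verify(issuerPub ed25519.PublicKey, cred SDCredential, sig []byte, disclosed map[string]Disclosure) (map[string]string, error) {
	if !ed25519.Verify(issuerPub, cred.canonical(), sig) {
		return nil, errors.New("issuer signature invalid")
	}
	verified := map[string]string{}
	for name, d := range disclosed {
		if want, ok := cred.Commitments[name]; !ok || commit(name, d.Salt, d.Value) != want {
			return nil, fmt.Errorf("disclosed claim %q does not open its commitment", name)
		}
		verified[name] = d.Value
	}
	return verified, nil
}

// RunScenario: the DMV issues four claims, the bank is shown two, and a forged value is caught.
func RunScenario() (shown map[string]string, hidden int, forgeErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cred, sig, openings := Issue(priv, "did:example:dmv", "did:example:alice", map[string]string{ // constructed sample data
		"name": "Alice Example", "dob": "1990-01-01", "address": "1 Main St", "license_no": "D1234567",
	})
	var err error
	if shown, err = Verify(pub, cred, sig, Present(openings, "name", "dob")); err != nil {
		return nil, 0, err
	}
	hidden = len(cred.Commitments) - len(shown) // address and license_no never left the wallet
	forged := Present(openings, "dob")          // a holder cannot change a revealed value
	forged["dob"] = Disclosure{Value: "2001-01-01", Salt: forged["dob"].Salt}
	_, forgeErr = Verify(pub, cred, sig, forged)
	return shown, hidden, forgeErr
}

func main() {
	shown, hidden, forgeErr := RunScenario()
	fmt.Println("verified:", shown, "| hidden claims:", hidden, "| forged dob:", forgeErr)
}
```

The design choice to note is that the salt lives with the holder, not on the ledger. Commitments to low-entropy claims (a date of birth has only a few tens of thousands of plausible values) would otherwise be trivially reversible by anyone who saw the signed credential, which is why a per-claim random salt is part of the commitment.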

Types of Decentralized Digital Identity Implementations

There are three types of implementations of decentralized digital identity:

Enterprise

These decentralized identity implementations are internal to an enterprise in a private permissioned blockchain. The enterprise plays the roles of an issuer and a verifier and controls the identity data. These implementations are often used to extend the functionality of the existing IAM systems for new features such as passwordless authentication.

Consortium

Members of a consortium join as issuers and verifiers and use a permissioned blockchain to share verified credentials, such as KYC (know your customer) of a customer, in a secure manner. Identity information is controlled by consortium members, but the identity is portable across the members.

Self-sovereign identity

Self-sovereign identity (SSI) systems are envisioned to operate as public utilities, with the underlying blockchain serving as a foundation much like an “identity internet.” They typically rely on nonpermissioned public blockchains such as Ethereum, although in the Sovrin Network the underlying Hyperledger Indy blockchain is a public but permissioned chain.

Benefits of Decentralized Digital Identity

Decentralized digital identity creates the potential for win-win benefits across consumers, enterprises, and society. Some of the notable benefits include the following:

  • Privacy and convenience: Decentralized identity systems are private by design, giving users full control over how their identity is shared. These systems also simplify account setup and access at all participating providers, eliminating the need for login IDs and passwords.
  • Security and fraud reduction: Users are more secure because they aren’t managing passwords. Businesses are more secure because they no longer control honeypots of descriptive PII (Figure 6). Identity fraud is reduced because there are no login IDs and passwords to steal and reuse.
  • Cost savings and efficiency: Costs may be reduced for customer onboarding, data management and security, and lifecycle management.
  • New opportunities: Digital identity will open opportunities for new products and new business models.

Figure 6. Decentralized identity systems shift the risk of data loss away from large central stores. Any single security breach will yield a much smaller haul of PII, thus changing the economics of a break-in attempt. Source: Gartner, 2017

Challenges with Decentralized Digital Identity

Decentralized identity is promising and is attracting significant attention and investment. However, some important challenges must be overcome for broader adoption:

Ecosystem and new infrastructure

Many benefits will accrue only when a large ecosystem of entities adopt decentralized identity solutions, issue and verify credentials digitally, and institute standards to enable interoperability and portability. This requires a lot of new infrastructure to be built, including new blockchain registries for DIDs, user wallets, third-party custodians, and the cloud and application programming interface (API) services needed to connect everyone.

Key management

Identity depends on carefully guarded private keys. Because the blockchain registry stores only DIDs and public keys, loss of a private key could be catastrophic for holders. Securing and managing those keys across vast populations is a difficult problem that hasn’t yet been solved in the closely related cryptocurrency field, as evidenced by the proliferation of offline hardware wallets.

Offline availability

How digital identity will be used in offline situations is still to be determined. Users must be able to prove their identity or the ownership of identifying credentials such as driver’s licenses when they don’t have access to the internet.

Example Use Cases of Decentralized Digital Identity

  • Canada BankID / Verified.Me: A network of major Canadian banks and other service providers is federating identity across a permissioned Hyperledger Fabric blockchain. The network streamlines logins, data sharing, and account setup so users can conduct traditionally face-to-face business online.
  • IDKEEP: Backed by PayPal and the Omidyar Network, IDKEEP is a partnership between Luxembourg’s LuxTrust and Cambridge Blockchain to build a GDPR-compliant identity network that will resolve both identity and personal data challenges across banking, health care, insurance, and other services. IDKEEP is an enterprise network that leverages Cambridge Blockchain’s permissioned blockchain service and off-chain personal data service.
  • CULedger / MyCUID: CULedger is a credit union service organization that, in concert with Evernym, is building a consumer-focused digital credential and data system called MyCUID. It supports self-sovereign principles and uses the Sovrin network. Its goal is a global identity for credit union members. “With the help of Evernym’s Sovrin Identity Network, MyCUID uses a person-to-person network of distributed, private agents working in parallel with the distributed ledger to give credit union members a lifetime portable digital identity that does not depend on any central authority and can never be taken away.”
  • TrustNet: TrustNet is being built in cooperation between Finland’s research and industry partner network and the Sovrin Foundation. “TrustNet is a heavily industry-networked research project that focuses on developing a blockchain-based distributed environment for personal data management following the MyData principles.” It leverages the Sovrin self-sovereign identity network running on the Hyperledger Indy blockchain to manage identity and access to personal data stores.

Implications for the Financial Services Industry

Few industries are more impacted by identity than financial services and banking. Identity affects the entire customer journey, starting from KYC and onboarding and continuing through account login, verification for large transactions, sanctions screening, anti-money laundering (AML) monitoring, loan screening, and vouching for a client’s creditworthiness. Decentralized digital identity can serve as a new infrastructure layer for all of these services, moving authentication from the foreground to the background and becoming a catalyst for creating simple, seamless, and secure experiences for customers.

The decentralized identity architecture has the potential to reduce the complexity of the current identity management infrastructure while introducing flexibility by promoting a role-based and modular architecture. With data privacy and security built into the solution, decentralized identity can provide new ways to reduce identity fraud and associated risks in operations.

Over the long term, decentralized identity represents the transformation of a major customer interface (identity) that is fundamental and core to financial services firms. The value that exists today in creating, using, and managing digital identities can be expected to be redistributed over a new ecosystem as it takes shape and evolves. This should open opportunities for new services and business models. Regardless of how the future plays out, the current role that banks play as institutions of trust puts them in an advantageous position to impact the development of this emerging technology.

Glossary

Issuer

An entity that creates a verifiable credential. Examples of issuers include corporations and governments.

Verifier (relying party)

An entity that receives one or more verifiable credentials. Examples of verifiers include employers and financial institutions.

Holder

An entity that is in control of one or more verifiable credentials. Examples of holders include users and businesses.

Registry

A registry stores DIDs, verified credential schemas, and revocation lists on a blockchain. A registry can be a public or private distributed ledger.

Claim

An attestation from an entity that confirms that the entity has taken actions to establish truth about a trait. Examples include a social security number or a date of birth.

Verified credentials

A collection of claims that are combined into a single identity instrument or document, such as a driver’s license, transcript, or insurance card.

DID

A decentralized identifier (DID) is a new type of identifier standard that is globally unique, resolvable with high availability, and cryptographically verifiable.

DKMS

The decentralized key management system (DKMS) is an emerging standard for interoperable cryptographic key management based on DIDs.

For further information or research requests on this topic, please contact:
Vinod Baya, Head of Citi Ventures Emerging Technology