the path towards self-sovereign identity: why user-controlled identity is the future of identity & access management
Over the past two decades, we’ve seen an evolution unfolding in the world of digital Identity and Access Management (IAM).
We started out with the “siloed” identity model, in which each user needed a different login at every access point they encountered online. Remember what a pain it used to be to keep track of your login details for every website or application you needed to access?
To make things easier, we eventually evolved into the “federated” model. And for the most part, that’s where we still are today: every time you come to a login screen with the option to “Log in with Facebook” or “Log in with Google”, or with your government-issued electronic ID (eID), you’re using a federated IAM solution.
The federated concept offers us a lot of convenience. I mean, who doesn’t appreciate being able to use a single set of login credentials to log in wherever you need?
But on the downside, each time we log in with Google or Facebook, we’re actually outsourcing our IAM to those organisations. They are the “go-betweens” that broker our access to all kinds of systems. That means they see which services we use and when, and it means we’re giving those corporations access to lots of personal data that really has nothing to do with them.
That’s why we think it’s time to continue the evolution of IAM into a new phase. It’s time for Self-Sovereign Identity.
What is Self-Sovereign Identity?
A Self-Sovereign Identity (SSI) is a form of identity that belongs entirely to the user. They keep it in their own personal digital identity wallet and have complete control over who gets to see it and why.
You may be thinking that Self-Sovereign Identity sounds a lot like carrying a real-life wallet full of ID cards. Don’t those cards belong solely to the user too? Well, yes, they do. But there are some important differences:
ID cards are:
- Prone to theft and fraud
- Time-consuming to create and verify
- Capable of being destroyed or lost
- Not private enough: Every time you show an ID card (for example, to verify your age), the company you’re showing it to has access to all your other details on the card too, which are frankly none of their business.
And you might think that SSI sounds a bit like conventional digital IAM. After all, don’t you have sole access to your usernames and passwords? But again, there are some important differences:
Digital IDs (logins) are:
- Also highly prone to theft and fraud, through cybercrime such as phishing, credential stuffing and breached password databases
- Not transparent: When you log in to an online portal, you don’t necessarily have control over which aspects of your identity you’re revealing, or to whom.
- In the case of third-party logins (like using your Google or Facebook account to log in to an app or online shop), you’re potentially sharing personal data or at least metadata with the third-party provider, which can be used to retarget you and track your online behaviour.
SSI is different. It overcomes all these challenges and more, because it’s:
- Tamper-evident and more secure: credentials are digitally signed by their issuer, so any alteration is detected, and the parties identify each other through Decentralized Identifiers (DIDs) rather than through accounts at a third party
- Private and wholly owned by the user: The user gets to choose exactly which aspects of their identity they want to reveal and they have full control of which ID verifiers they interact with.
- Secure thanks to encrypted peer-to-peer channels between the ID issuer and the ID owner, and between the ID owner and the ID verifier; the issuer and the verifier never need to talk to each other.
- Universal, because you can use your SSI anywhere, anytime, even if the entity that issued it no longer exists: the issuer’s public key remains available, so its signatures can still be checked.
- Convenient and safe, because it eliminates the need for (multiple) login IDs.
How does Self-Sovereign Identity work?
Using SSI, ID issuers, such as government agencies, issue digital IDs directly to users over a secure connection, established through private, pairwise DIDs that exist only for that one relationship.
The ID may contain multiple attributes (claims), including the user’s name, image, date of birth, home address, social insurance ID, and more. It could also be something like a credit report, issued by a bank, which contains not just your credit score but potentially many other highly personal details.
IDs are issued to the user in the form of a Verifiable Credential: a set of claims about the holder, digitally signed by the issuer, that is handed to the ID owner and to nobody else. The ID owner stores the Verifiable Credential in their own digital wallet.
Whenever the owner needs to confirm a specific detail about themselves (such as their age), the verifier presents a request, typically as a QR code the wallet scans, and the wallet replies with a Verifiable Presentation: a proof derived from the credential that contains only the requested attribute and leaves everything else undisclosed. Revealing one attribute but not the rest is called selective disclosure; proving a statement such as “over 18” without revealing the date of birth at all is a zero-knowledge proof.
The verifier checks the issuer’s signature on the presentation with the issuer’s public key, which it resolves from the issuer’s DID in a decentralized data registry, often a blockchain. The issuer itself is not contacted, and nothing about the owner or the verification is written to the registry: it holds only issuer DIDs, their public keys, credential schemas and revocation status. Because that information stays available, the ID (or the specific aspect of it the owner has just presented) remains verifiable even if the ID issuer ceases to exist.
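To make the issuer, holder and verifier roles concrete, here is an added example in Go (written for this page; it is not OneWelcome’s code and not part of the original article). It uses the standard library’s Ed25519 signatures and hash-based selective disclosure, the mechanism behind formats such as SD-JWT, rather than a zero-knowledge predicate proof: the issuer signs a list of salted claim digests instead of the claims themselves, the holder hands over only the claims they choose to disclose, and the verifier checks them against the issuer’s public key resolved from a stand-in registry, without ever contacting the issuer. The “over 18” attribute is derived and signed by the issuer at issuance so it can be shown without the date of birth. The DIDs, attribute names and the Registry type are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Registry stands in for the verifiable data registry (issuer DID -> public key); it holds no personal data.
type Registry map[string]ed25519.PublicKey

// Claim is one attribute; the random salt stops a verifier from brute-forcing an undisclosed value from its digest.
type Claim struct{ Name, Value, Salt string }

// Credential is the signed part; it contains only digests, so any claim can later be withheld without breaking the signature.
type Credential struct {
	Issuer  string   `json:"issuer"`
	Subject string   `json:"subject"`
	Digests []string `json:"digests"`
	Sig     string   `json:"sig,omitempty"`
}

// Bundle pairs a credential with cleartext claims: the wallet holds all of them, a presentation only the disclosed ones.
type Bundle struct {
	Cred   Credential
	Claims []Claim
}

func claimDigest(c Claim) string {
	sum := sha256.Sum256([]byte(c.Name + "\x00" + c.Value + "\x00" + c.Salt))
	return hex.EncodeToString(sum[:])
}

// signingPayload is the canonical byte string the signature covers (Sig excluded).
func signingPayload(c Credential) []byte {
	c.Sig = ""
	b, _ := json.Marshal(c)
	return b
}

// Issue is the issuer's step: salt and digest every attribute, then sign the digest list.
func Issue(priv ed25519.PrivateKey, issuerDID, subjectDID string, attrs map[string]string) (Bundle, error) {
	b := Bundle{Cred: Credential{Issuer: issuerDID, Subject: subjectDID}}
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Bundle{}, err
		}
		c := Claim{Name: name, Value: value, Salt: hex.EncodeToString(salt)}
		b.Claims = append(b.Claims, c)
		b.Cred.Digests = append(b.Cred.Digests, claimDigest(c))
	}
	sort.Strings(b.Cred.Digests) // sorted, so digest order reveals nothing about the attributes
	b.Cred.Sig = hex.EncodeToString(ed25519.Sign(priv, signingPayload(b.Cred)))
	return b, nil
}

// Present is the holder's step: keep the signed credential, attach only the named claims.
func (b Bundle) Present(names ...string) Bundle {
	p := Bundle{Cred: b.Cred}
	for _, c := range b.Claims {
		for _, n := range names {
			if c.Name == n {
				p.Claims = append(p.Claims, c)
			}
		}
	}
	return p
}

// Verify is the verifier's step. It needs the registry only; the issuer is never contacted.
func Verify(reg Registry, p Bundle) (map[string]string, error) {
	pub, ok := reg[p.Cred.Issuer]
	if !ok {
		return nil, fmt.Errorf("issuer %s not found in registry", p.Cred.Issuer)
	}
	sig, err := hex.DecodeString(p.Cred.Sig)
	if err != nil || !ed25519.Verify(pub, signingPayload(p.Cred), sig) {
		return nil, fmt.Errorf("issuer signature does not verify")
	}
	out := make(map[string]string, len(p.Claims))
	for _, c := range p.Claims {
		d := claimDigest(c)
		i := sort.SearchStrings(p.Cred.Digests, d) // the signed list was sorted by Issue
		if i == len(p.Cred.Digests) || p.Cred.Digests[i] != d {
			return nil, fmt.Errorf("claim %q is not covered by the issuer's signature", c.Name)
		}
		out[c.Name] = c.Value
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"did:example:issuer": pub} // constructed DID; the issuer publishes its key once
	// The issuer derives age_over_18 itself, so the holder can prove it without showing the birth date.
	wallet, _ := Issue(priv, "did:example:issuer", "did:example:holder",
		map[string]string{"name": "Alice Example", "date_of_birth": "1990-05-01", "age_over_18": "true"})
	fmt.Println(Verify(reg, wallet.Present("age_over_18"))) // map[age_over_18:true] <nil>
	forged := wallet.Present("name")
	forged.Claims[0].Value = "Mallory" // any edit to a disclosed claim breaks its signed digest
	fmt.Println(Verify(reg, forged))
}
```

Note that Verify never touches the issuer’s private key or any network connection to the issuer: once the public key is in the registry, the issuer can disappear and the credential still verifies. A real wallet would additionally bind the presentation to the holder (so a stolen credential cannot simply be replayed) and check the issuer’s revocation status, both of which are left out here to keep the three roles visible.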
So, no more third-party corporations snooping over your shoulder each time you use your login credentials to log in.
No more risk of being unidentifiable if your ID issuer ceases to exist.
And no more disclosure of unnecessary personal information, when you really only need to verify one specific detail about yourself.
The future of Identity and Access Management
The technology is already there for SSI to become the new standard in IAM. In the near future, anyone who has a smartphone will be able to benefit from SSI. And a growing number of organisations are already adopting SSI technologies and issuing ID verifications that users can add to their own digital wallets.
We are very excited that at OneWelcome we are able to help some of the biggest banks and government bodies build an SSI backend for both the identity issuer and the verifier, making SSI standard practice in their identity management.
As citizens become more concerned about their own data sovereignty in the age of big data, and more familiar with the benefits of decentralized data registries and blockchain, we expect to see a rapid transition towards SSI and DIDs in the coming years.
One element that still prevents SSI from becoming widely successful, though, is the economic principle of the so-called two-sided market, in which two distinct user groups interact through a platform to the benefit of both.
In the identity industry, this translates into third-party identity providers sitting in the middle, with the side that is valued most subsidised by the other side. As long as this power relation of third parties continues, SSI will remain a few steps behind.
Nevertheless, there have been examples of successful identity management built on third parties. Take, for example, the enforcement of electronic Identification, Authentication and trust Services (eIDAS) in European governmental domains. eIDAS can anchor trust in self-sovereign practices and systems because it provides a framework for digital authentication of citizens with legal validity.
We look forward to further expanding the SSI infrastructure with the aid of our cloud identity platform, so that more users and organisations across Europe can soon enjoy all the benefits of these technologies with confidence.
To answer any specific self-sovereign identity questions or learn more about how we’re helping shape the future of Identity and Access Management, connect with an expert.
about the author
Maarten has more than 25 years of experience advising enterprises on best Identity & Access Management practices for B2B and B2C. He works closely with OneWelcome's customers, technology partners and the analyst community, while leading a successful sales and business development team. Maarten remains passionate about the value of OneWelcome’s innovative IDaaS solution.
He holds a degree in Econometrics from the Vrije University of Amsterdam.