A primer on decentralized digital identity

Decentralized identity refers to a digital identity framework where an individual or device is responsible for their own identity and credentials. Often termed “self-sovereign identity,” the trend is positioned as an alternative to traditional models of digital identity, where an authority is held to be responsible for verifying and managing identities.

Digital identity is the mechanism for providing identification over digital channels. For individuals, this commonly includes identifying attributes such as name, age or contact details. These frameworks are not restricted to individuals (corporations, IoT devices and applications are commonly represented by digital ID). In this report, however, we look specifically at the evolving considerations around ID for individuals, and explore the decentralized identity trend in this context and its implications for technology markets.

The Take

The idea that an individual should manage their own identity data, and have greater control over how it is used, is a notable factor in the difficult convergence of digital transformation, data privacy concerns and interconnectivity. High-profile data breaches have showcased the problems of a centralized approach to identity, but a decentralized reimagining of identity would represent a major disruption to long-standing processes. Although decentralized identity found its footing with newly established processes, such as checking COVID-19 vaccine credentials, displacing legacy approaches has taken time. Technology and service providers in the space say this shift is under way, pointing to pilots that are becoming production networks. The trajectory is not untroubled, however: it is taking place in an environment of still-evolving standards, interoperability concerns and limited awareness. Use cases in travel, financial services and healthcare may nonetheless help popularize the trend.

Context

Digital identity approaches can be classified as centralized, federated or decentralized. The distinction between these categories is less about the establishment of identities and more about their use. In a centralized model, organizations hold and manage digital identities for their own use, whereas a federated approach allows identities to be used by multiple organizations. A decentralized model gives an individual control of the use of their identity, and of who accesses that data.

Decentralized identity typically involves three roles: an issuer creates a verifiable credential for an individual; the individual, as holder, keeps that credential in a wallet they control and decides which of its data to share with each service provider; and the service providers, as verifiers, check the credential cryptographically without contacting the issuer.

This represents a major change to the approach where a user of a service has to register with each provider, often having to evidence their identity. Aspects of a user’s identity are consequently fragmented and replicated across countless providers; in some instances, that data is exchanged or sold to other organizations. With decentralized identification, multiple entities could issue credentials to an individual, which can be verified by other stakeholders. The role of the issuer is limited to creating, and possibly revoking, credentials.

Drivers

Many advocates for decentralized identity are inspired by ethics, particularly around data privacy. As such concerns have gained more robust regulatory backing through emerging privacy and consumer protection frameworks, these arguments may get traction in organizations challenged by the collection and storage of personal data.

Decentralized identity may be an opportunity for organizations to reduce liability, addressing the costs associated with preventing data breaches, and guarding against the fines administered by data protection regulators. These costs are not the sole expense associated with centralized approaches to identity, because compliance and verification processes are often cumbersome and costly. Decentralized identity can also improve the experience of accessing services, and is commonly positioned as a means to address identity fraud.

Use cases

A number of early decentralized identity initiatives emerged in response to the pandemic. IBM Digital Healthpass was designed to confirm COVID-19 health credentials. Sita, an IT provider for the air transport industry partnering with decentralized identity specialist Indicio, worked to establish vaccine-status credentials for North American travelers to Aruba.

Some of these initiatives have expanded — for example, decentralized identity passports are being tested in Aruba’s Queen Beatrix Airport, and many projects have started to shift from pilot to production. Recent developments include Bhutan introducing a self-sovereign national digital ID for its citizens; HSBC Labs demoing a decentralized identity approach to internal account opening; and Microsoft Entra Verified ID entering general availability in 2022. Entra Verified ID is a managed verifiable credentials service included with every Microsoft Entra ID subscription, which allows organizations to issue and verify credentials as part of a decentralized identity framework. Early target areas for decentralized identity are discussed below.

Travel

Digital identity credentials could streamline hotel or airline check-ins, and passport or visa verification. They are designed to reduce the need for physical documents and processing time, addressing the inefficiencies associated with multiple stakeholders being required to separately validate passenger identity information.

Some advocates of digital identity also see an opportunity to use biometrics to address the challenge of counterfeit documents, binding a credential to the person presenting it and so making digital identity approaches harder to forge than physical documentation. This does not remove the risk so much as move it: the enrollment step that links a person to a credential, and the protection of any stored biometric templates, become the targets instead. There are significant inefficiencies in the information collection processes of travel providers and hotels. Travelers must often provide information every time they make a reservation, leading service providers to store high volumes of outdated information.

Financial services

Decentralized identity could underpin the authentication and verification of bank accounts. A decentralized approach to Know Your Customer practices would reduce the resources dedicated to reviewing checks: a customer merely scans a QR code and consents to share a verifiable KYC credential issued by an institution that has already performed the checks, and the receiving bank verifies that credential rather than repeating the process.

With decentralized identity, financial services companies can also address internal data silos. An existing customer can effectively hold all the information required to access additional services. Another area could be verified payments, where a verifiable credential is attached to the payment card and merchants accept a payment only when that credential is presented alongside it. This can guard against an individual making false claims or engaging in payments fraud.

Healthcare

Healthcare data can be highly sensitive, and the storage and transfer of that data can prove costly and challenging to manage. A decentralized approach to identity could give patients greater control of the information they choose to disclose, better delineating what was shared with a healthcare provider or researcher, for example. Improving the security of health records and streamlining identity verification for healthcare services are two possible outcomes of a decentralized identity approach.

Hiring and training

A hiring organization looking to comprehensively confirm a resume’s contents would have to contact academic institutions, former employers and training providers. Organizations must achieve a balance between risk, such as identity fraud, and the costs of investigation and outreach. A decentralized identity approach could meaningfully speed up and reduce the costs associated with this process. Many early pilots have focused on internal training certifications. This has proven easier to deliver than engaging with the broad range of stakeholders required to address hiring requirements holistically.

Blockchain

For a decentralized identity framework to work, a common trust domain, effectively a shared ID layer, must be set up. Multiple issuers need to be able to publish the material that verifiers rely on (issuer identifiers and public keys, credential schemas and revocation status) to a verifiable data registry, so that a verifier can confirm a holder's credential is genuine and still valid without asking the issuer. The credentials themselves, and the personal data in them, stay with the holder and are not written to the registry. The technological underpinning of this trust domain is contested, but distributed ledger technology is one architectural option, with an ecosystem of blockchain vendors targeting these use cases.

Distributed ledger technology can underpin shared and secure recordkeeping, with that public verification material validated by a distributed network rather than by a central authority. Blockchain natively offers an auditable transaction trail, evidencing who issued credentials and when, or logging that a credential has been revoked. Because ledger entries cannot be deleted, personal data should never be written to the chain: doing so would collide with erasure obligations under privacy regulation, and putting a hash of personal data on-chain is not a safe substitute when the underlying value, such as a date of birth, can simply be guessed and checked.

Zero-knowledge proofs, mechanisms by which one party can demonstrate that a statement is true without exposing anything beyond that fact, originated in academic cryptography in the 1980s and saw their first large-scale deployments in the blockchain ecosystem from 2016. Notable zero-knowledge offerings include Polygon zkEVM, zkSync Era, Aztec and Mina. Zero-knowledge proofs could be valuable in enabling a user to expose the minimal amount of data required to access a service. For example, a user looking to access a gambling website could prove they are an adult without disclosing their date of birth. Credential systems such as AnonCreds on Hyperledger Indy already support predicate proofs of this kind, and simpler selective-disclosure formats approximate the same outcome by letting the holder reveal only a signed "over 18" claim while keeping the rest of the credential hidden.
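The lifecycle sketched under Context (an issuer signs a credential, the holder keeps it and chooses what to share, a verifier checks it without contacting the issuer), the registry's role described above, and the age check just mentioned, as one added example in Go. This is not code from the report or from any vendor or project it names. It implements selective disclosure with salted claim digests, the pattern used by formats such as SD-JWT, rather than a zero-knowledge proof: the verifier still sees the value of each revealed claim, but learns nothing about the others. It assumes an issuer that includes a derived over_18 claim at issuance, hypothetical identifiers (did:example:dmv, did:example:alice, urn:cred:1), and an in-memory map standing in for the verifiable data registry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Disclosure is one salted claim; the signed credential carries only its digest.
type Disclosure struct{ Salt, Name, Value string }

func (d Disclosure) Digest() string {
	b, _ := json.Marshal([]string{d.Salt, d.Name, d.Value}) // unambiguous encoding of the triple
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Credential is what the issuer signs and the holder keeps; the identifiers used below are hypothetical.
type Credential struct {
	ID, Issuer, Subject string
	Digests             []string // digest of every claim, whatever is later revealed
	Sig                 []byte   // Ed25519 signature over the fields above
}

func (c Credential) payload() []byte {
	c.Sig = nil // c is a copy: sign and verify the credential minus its own signature
	b, _ := json.Marshal(c)
	return b
}

// Registry stands in for the verifiable data registry: issuer keys and revoked IDs, never credentials.
type Registry struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

func NewRegistry() *Registry { return &Registry{Keys: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}} }

// Issuer keeps its private key and publishes only the public half to the registry.
type Issuer struct{ ID string; priv ed25519.PrivateKey }

func NewIssuer(id string, reg *Registry) Issuer {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg.Keys[id] = pub
	return Issuer{ID: id, priv: priv}
}

// Issue salts each claim, signs the digests, and hands credential plus disclosures (by claim name) to the holder.
func (i Issuer) Issue(credID, subject string, claims map[string]string) (Credential, map[string]Disclosure) {
	cred := Credential{ID: credID, Issuer: i.ID, Subject: subject}
	discs := map[string]Disclosure{}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // 128-bit salt: a digest cannot be brute-forced from guessed values
		discs[name] = Disclosure{hex.EncodeToString(salt), name, value}
		cred.Digests = append(cred.Digests, discs[name].Digest())
	}
	cred.Sig = ed25519.Sign(i.priv, cred.payload())
	return cred, discs
}

// Verify uses only the registry (signature, revocation, claim binding); the issuer is never contacted.
func Verify(reg *Registry, cred Credential, revealed []Disclosure) (map[string]string, error) {
	pub, ok := reg.Keys[cred.Issuer]
	if !ok {
		return nil, fmt.Errorf("unknown issuer %q", cred.Issuer)
	}
	if !ed25519.Verify(pub, cred.payload(), cred.Sig) {
		return nil, fmt.Errorf("signature check failed")
	}
	if reg.Revoked[cred.ID] {
		return nil, fmt.Errorf("credential %q revoked", cred.ID)
	}
	bound := map[string]bool{}
	for _, dg := range cred.Digests {
		bound[dg] = true
	}
	claims := map[string]string{}
	for _, d := range revealed {
		if !bound[d.Digest()] {
			return nil, fmt.Errorf("claim %q is not bound to the credential", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() {
	reg := NewRegistry()
	dmv := NewIssuer("did:example:dmv", reg)
	cred, discs := dmv.Issue("urn:cred:1", "did:example:alice", map[string]string{"date_of_birth": "1990-05-01", "over_18": "true"})
	fmt.Println(Verify(reg, cred, []Disclosure{discs["over_18"]})) // the age-gated site learns only over_18
	reg.Revoked[cred.ID] = true                                      // issuer revokes; verifiers see it via the registry
	fmt.Println(Verify(reg, cred, []Disclosure{discs["over_18"]}))
}
```

Run with go run: the first line printed is map[over_18:true] <nil>, the second is the revocation error. Two things a production system adds that this example leaves out: the credential is not bound to a holder key, so anyone who captures a presentation can replay it (real wallets sign a verifier-supplied nonce with the holder's key), and the registry here is a trusted local map, whereas a ledger or any other shared registry has to settle who is allowed to write an issuer key or a revocation entry in the first place.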

Companies that offer decentralized identity technology with a distributed ledger underpinning include Microsoft Corp., Indicio PBC, Anonyome Labs, Polygon Network, NuID Inc., IdRamp Inc., Ping Identity Corp., Nuggets Ltd. and Avast (through its acquisitions of Evernym and SecureKey). There is a wide array of projects evolving within the Ethereum ecosystem. Consultancies that have delivered decentralized identity projects include Accenture PLC, IBM Corp. and Condatis.

Wallets that allow users to store and manage credentials are available from a diverse range of companies. A sample of the companies that have invested in decentralized identity use cases includes Magic Labs, Gimly and Metadium Technology. Projects such as the European Blockchain Services Infrastructure, which includes a European digital identity use case, and open-source projects like Hyperledger Indy and Aries also play an important role within this ecosystem.

Challenges

Decentralized identity standards are still developing. Many early efforts fragmented into different standards and underlying technologies, so separate ecosystems are emerging. This could make scaling out initiatives tricky. Bodies such as the Open Credentialing Initiative, the Decentralized Identity Foundation and the Decentralized Identifier and Verifiable Credentials working groups within the World Wide Web Consortium (W3C) are attempting to establish a more universal approach.

The space is challenged by perceptions of its technical maturity, given that many decentralized identity components are still in active development. In addition, blockchain presents a number of hurdles to developers. These include compatibility with legacy systems and, commonly, ease of development, a problem worsened by shortages of blockchain technical skills. The need to balance decentralization, scalability and security in blockchain application development will require careful design.

The experience of cryptocurrency users who, as the sole holders of their private keys, have been permanently locked out of their accounts illustrates the difficulty of making an identity wallet both secure and user friendly. For identity the stakes are higher still: a lost key means every credential in the wallet has to be reissued, and a stolen key lets the thief present those credentials as their own unless presentation is also gated by a device PIN or biometric, so key recovery and rotation have to be designed in from the start. Decentralized identity will need to balance giving users more control over their data while ensuring the technology is easy enough for any prospective service user. The high degree of skepticism around blockchain is driven in part by its associations with cryptocurrency. Some technology providers in the space also perceive opposition from a number of established technology companies, which they suggest could influence the narrative around decentralized identity.

Data protection and security — two sides of the same coin?

Want insights on Infosec trends delivered to your inbox? Join the 451 Alliance.