by Harish Gupta
- Senior Solution Architect – Blockchain
Identity is an important aspect of our day-to-day lives. If you want to open an account, rent a car or travel to a different country, you will need some sort of identification. In these cases a licence, a passport or a citizenship card serves as the identity. All of these are acceptable in the physical world. However, things are a little different in the world of the Internet, where a digital identity is required.
The Internet was originally built without any identity layer. In recent times, however, there has been a lot of buzz around digital identity, the importance of identity management and, at the same time, the data privacy of individuals. A digital identity can contain any attribute that describes the behaviour or characteristics of an individual, for example:
- Username and password
- License/Passport/Citizenship card
- Online search activities
- Any electronic transaction
- Social security number
- Medical history
- Purchasing history or behaviour
Along with the management of these attributes in a digital format, there is also a need to manage the privacy of this data. We have all witnessed incidents where personal details were misused, from fraudulent transactions made on someone's behalf to attempts to influence electoral results. The time is ripe for a solution that allows individuals to manage their identity and share it with the organizations and people they trust, without needing a third party.
There are three main actors with respect to Identity Management on the Internet:
- User: The person/entity looking to access a service over the Internet
- Identity Provider: Responsible for issuing the credentials to the individual that can be used to access the service. It can be a state organization issuing a birth certificate, licence or passport that carries proof of one's age, or an email provider that lets you log in with an email/password combination on various websites.
- Service Provider: The entity providing the service after trusting the credentials presented by the individual. For example, an online store selling alcohol needs to verify the age of the buyer.
When you log in to medium.com using your Google account, you are the User in this context, Medium.com is the Service Provider and Google is the Identity Provider. Identity management has also evolved along with the services that have become available over the Internet.
Below is my take on this evolution.
Evolution of Digital Identity Management:
In the early days, in what is now called the siloed identity model, one had to register with each service provider separately. One had to create an account on the service provider's website and go through some sort of verification (email/phone) to confirm the identity. This meant that one had to manage all these accounts and keep track of the email/password combination for each of these service providers.
As this management was a tedious job, individuals started using the same/similar combination of email and password on each of these websites (I myself am guilty of the same). This meant that if an attacker got hold of the credentials from one service provider, it became much easier to gain access to the same individual's accounts with other service providers. All this messy management gave rise to Federated Identity providers.
When you log on to a service provider website (like medium.com) using your credentials from Google (or LinkedIn/Apple), you are using the Federated Identity model. As explained in the image below, in this model the service provider (medium.com) and the identity provider (Google) have a trust relationship. Medium verifies the authentication token issued by Google to the individual (during the login process) and grants access to the website upon successful verification.
The Federated Identity solution makes the life of the individual easier, as they need to remember only one set of credentials. However, it comes with a caveat: the Federated Identity provider is aware of many (if not all) of the interactions you have, and it also knows the frequency of those interactions. All this data can be mined to understand your likes and dislikes, with the risk of it being exploited for social engineering or for targeted advertising that influences an individual's decisions. We have all seen the news and various articles that accuse Federated Identity providers of mining this data for their own gain.
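The trust relationship described above comes down to one check on the service provider's side: the token presented at login must have been signed by the identity provider the service provider trusts, must be meant for this service provider, and must not have expired. The following Go program is an added example and is not code from the original post or from any real identity provider; it assumes a JWT-shaped token signed with Ed25519, and the key pair, issuer URL, audience name and clock value in it are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload the identity provider (IdP) signs for a logged-in user.
// The field names are the registered JWT claim names; all values are constructed.
type Claims struct {
	Iss string `json:"iss"` // which IdP issued the token
	Sub string `json:"sub"` // opaque user identifier at that IdP
	Aud string `json:"aud"` // which service provider the token is meant for
	Exp int64  `json:"exp"` // expiry, seconds since the Unix epoch
}

var b64 = base64.RawURLEncoding

func decodeJSON(part string, v interface{}) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// IssueToken is the IdP side: sign "header.payload" and append the signature.
func IssueToken(priv ed25519.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// VerifyToken is the service-provider side. The algorithm and the IdP key are
// pinned by the verifier rather than taken from the token; then issuer, audience
// and expiry are all checked. Any failure means the login is refused.
func VerifyToken(token, trustedIss string, idpPub ed25519.PublicKey, ourAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := decodeJSON(parts[0], &header); err != nil || header.Alg != "EdDSA" {
		return nil, fmt.Errorf("bad header or unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(idpPub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature does not verify under the trusted IdP key")
	}
	var c Claims
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != trustedIss:
		return nil, fmt.Errorf("issuer %q is not the IdP we trust", c.Iss)
	case c.Aud != ourAud:
		return nil, fmt.Errorf("token was issued for %q, not for us", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token has expired")
	}
	return &c, nil
}

// RunScenario plays the login flow once and reports which checks behaved as
// expected: the genuine token is accepted, while a wrong audience, an expired
// token and a token signed by a different key are all rejected.
func RunScenario() (accepted, wrongAudRejected, expiredRejected, wrongKeyRejected bool) {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the IdP's key pair
	now := time.Unix(1700000000, 0)                      // constructed clock
	tok, _ := IssueToken(idpPriv, Claims{Iss: "https://idp.example", Sub: "user-42", Aud: "medium.example", Exp: now.Unix() + 300})
	c, err := VerifyToken(tok, "https://idp.example", idpPub, "medium.example", now)
	accepted = err == nil && c.Sub == "user-42"
	_, err = VerifyToken(tok, "https://idp.example", idpPub, "other-site.example", now)
	wrongAudRejected = err != nil
	_, err = VerifyToken(tok, "https://idp.example", idpPub, "medium.example", now.Add(10*time.Minute))
	expiredRejected = err != nil
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // some other party's key
	_, err = VerifyToken(tok, "https://idp.example", otherPub, "medium.example", now)
	wrongKeyRejected = err != nil
	return
}

func main() {
	fmt.Println(RunScenario()) // true true true true
}
```

The audience check is the one most often forgotten: without it, a token a user obtained for one site can be replayed at another site that trusts the same identity provider. Note also that every interaction in this flow passes through the identity provider's signing step, which is exactly how the provider learns where and how often the user logs in.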
This means that the digital identity space needs a better solution, one that takes the best of the solutions discussed above while maintaining the privacy of the individual.
To overcome the shortcomings of the siloed and federated identity solutions, digital identity is moving towards a decentralized model. The credentials issued by the identity provider are in this case held in the individual's wallet (typically a smartphone app), and they can be presented to the service provider without involving the identity provider. The cryptographic proof of the credentials, created when they are issued, is stored in a decentralized verifiable registry (typically a blockchain network). The user can share these credentials with the service provider when required, and the service provider can verify them using the decentralized registry. The service provider and the identity provider do not have to connect with each other in this case. Credentials that can be verified in this way, using the verifiable registry, are called 'Verifiable Credentials'.
The user must explicitly connect with each service provider (somewhat like adding a contact). As different aspects of identity are issued by different organizations (e.g., a passport by a government body, an education degree by a university and an employment certificate by one's employer), the user will also have to connect with (or simply add as a contact) each of these identity providers. While making this connection, the identity (or service) provider and the user also exchange a set of cryptographic keys to secure their interaction and message exchange. The user generates a new Decentralized Identifier (also called a DID) for each of these relationships, making aggregation across identity and service providers next to impossible. All this keeps the user's data secure and impossible to mine for ulterior motives.
Some decentralized identity platforms also come with Zero-Knowledge Proof (ZKP) capability out of the box, which further removes the need to share the actual data during these interactions. The simplest example: to prove you are an adult, all you need to establish is that you are over 18 years of age; sharing your date of birth (as happens today) is not required. ZKP makes this possible, though it is a separate area of study within cryptography.
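The three roles described in the last three paragraphs (issuer, holder and verifier, with a registry in between and no issuer-to-verifier connection) can be shown in code. The Go program below is an added example, not code from the original post or from any decentralized identity platform. It uses a simpler mechanism than the zero-knowledge proofs mentioned above, namely selective disclosure with salted hash commitments: the issuer signs only hashes of the claims, so the holder can reveal the over_18 claim to an online store while the date of birth never leaves the wallet. The in-memory registry, the DIDs, the key pair and the claim values are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Registry stands in for the verifiable data registry (the ledger): issuer DID -> published key.
type Registry map[string]ed25519.PublicKey

// Disclosure is one claim plus the random salt the issuer chose for it; the wallet keeps these.
type Disclosure struct{ Name, Value, Salt string }

// Credential is what the issuer signs: DIDs and sorted salted hashes; claim values are absent by design.
type Credential struct {
	Issuer, Subject string
	Commitments     []string
	Signature       []byte
}

// commit is the salted hash of one claim; the salt stops a verifier guessing a hidden
// value such as a date of birth, which has few enough candidates to brute-force unsalted.
func commit(d Disclosure) string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

func signingInput(issuer, subject string, commitments []string) []byte {
	return []byte(issuer + "\n" + subject + "\n" + strings.Join(commitments, "\n"))
}

// Issue is the identity-provider side: salt and hash every claim, sign the
// commitments, and hand credential plus disclosures to the holder's wallet.
func Issue(priv ed25519.PrivateKey, issuerDID, subjectDID string, claims map[string]string) (Credential, map[string]Disclosure, error) {
	ds := map[string]Disclosure{}
	var cs []string
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		ds[name] = Disclosure{name, value, hex.EncodeToString(salt)}
		cs = append(cs, commit(ds[name]))
	}
	sort.Strings(cs) // canonical order, so the signature does not depend on map iteration
	cred := Credential{Issuer: issuerDID, Subject: subjectDID, Commitments: cs}
	cred.Signature = ed25519.Sign(priv, signingInput(issuerDID, subjectDID, cs))
	return cred, ds, nil
}

// Verify is the service-provider side: resolve the issuer's key from the registry
// (the issuer is never contacted), check the signature, then check that every
// disclosed claim hashes to one of the signed commitments.
func Verify(reg Registry, cred Credential, disclosed []Disclosure) (map[string]string, error) {
	pub, ok := reg[cred.Issuer]
	if !ok {
		return nil, fmt.Errorf("issuer %s is not in the registry", cred.Issuer)
	}
	if !ed25519.Verify(pub, signingInput(cred.Issuer, cred.Subject, cred.Commitments), cred.Signature) {
		return nil, errors.New("credential signature invalid")
	}
	claims := map[string]string{}
	for _, d := range disclosed {
		c := commit(d)
		if i := sort.SearchStrings(cred.Commitments, c); i == len(cred.Commitments) || cred.Commitments[i] != c {
			return nil, fmt.Errorf("claim %q was not signed by the issuer", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

// RunScenario: a government DID issues a credential, the holder shows an online
// store only over_18, and a tampered claim and an unknown issuer are both rejected.
func RunScenario() (shown map[string]string, tamperRejected, unknownIssuerRejected bool, err error) {
	govPub, govPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"did:example:gov": govPub} // constructed registry entry
	cred, ds, err := Issue(govPriv, "did:example:gov", "did:example:alice",
		map[string]string{"name": "Alice Example", "date_of_birth": "1990-01-01", "over_18": "true"})
	if err != nil {
		return nil, false, false, err
	}
	shown, err = Verify(reg, cred, []Disclosure{ds["over_18"]}) // holder reveals one claim; date_of_birth is never sent
	forged := []Disclosure{ds["name"]}
	forged[0].Value = "Mallory" // holder edits a claim the issuer did not sign
	_, e1 := Verify(reg, cred, forged)
	_, e2 := Verify(Registry{}, cred, []Disclosure{ds["over_18"]}) // issuer not in the registry
	return shown, e1 != nil, e2 != nil, err
}

func main() {
	fmt.Println(RunScenario()) // map[over_18:true] true true <nil>
}
```

Two properties of the decentralized model show up directly in this code: Verify never calls the issuer, so the issuer learns nothing about where the credential is used, and the hidden claims reach the verifier only as salted hashes. What this example does not do is prove a predicate such as "born more than 18 years ago" from the date of birth alone; that is the step a real zero-knowledge proof adds, and here the issuer instead signs an explicit over_18 claim.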
Another important aspect of the Decentralized identity space is interoperability. The DIF (Decentralized Identity Foundation) and W3C are working on defining a generic standard to ensure interoperability among the various solutions working to solve this problem.
There are some very promising technologies in this space, and we will surely see some very interesting implementations in the next couple of years. Some of these are already making their way into the mainstream, from the public to the private sector and from finance to healthcare. Some regulatory bodies are also driving the innovation in this space.
Stay tuned to interesting times ahead!!