The use of digital identity allows individuals to access different services without the need to be physically present, thus facilitating the adoption of new services and improving the coverage of existing ones. However, there are still some limitations associated with security, privacy and user convenience in digital identification processes. In this document we will discuss decentralized identity, and some approaches based on it that seek to accelerate the adoption of digital identity.
Most digital services require the user to log in. Before that, the user must enroll, that is, create an account consisting of a username and a password. This process is repeated for each digital service the user wants to access, so it is usual to have one account for e-mail, another for a digital newspaper, another for an online store, and so on. This multiplication of identities is cumbersome, not only because it requires the user to remember a large number of passwords (with the security risks that come with managing several of them), but also because it forces the user to identify himself repeatedly.
The fact that a user must identify himself separately for each service means that the context in which he can use his digital identity is very narrow, generally limited to one specific service such as an online store or a digital newspaper. While this may be desirable in some cases, it has been argued that this fragmentation of digital identity restricts the ability to relate different digital services, limiting the creation of new services that may be of interest to users; that is, it hinders the development of the digital market [EUB2019]. Additionally, the fragmentation of digital identity has driven some companies to use tracking techniques over which the user has little or no control of their information [RID2020].
This scenario, in which each service enrolls a user, then requires him to present his credentials, and subsequently gives him access to the digital service, is what is known as centralized identity. That is, the user’s digital identity credentials for each specific context are held by each service.
Decentralized identity
Decentralized identity seeks to let a user identify himself to an identification service and, through it, access all kinds of digital services. In other words, it is a scenario in which the role of the entity that identifies the user is separated from that of the entity that offers the service. Therefore, under a decentralized identity scheme, a user would identify himself only once, to an identification service, and would use this digital identity to access a digital newspaper, an online store or a social network. As expected, the first benefit this user would enjoy is that he would only have to remember one password, if that were his authentication mechanism of choice. But it would not be the only one. In fact, by separating these two elements (identification and digital services), the user can choose exactly what information to share with each digital service (the newspaper, the store, the social network) and, if necessary, the specific mechanisms used to protect his privacy in each case.
One solution proposed at the beginning of the last decade in the European Union was the FutureID project, which set out to manage digital identities in a continental context, considering features such as scalability, privacy and security [EUR2015]. In this solution, as mentioned above, the roles of the identity provider and the digital service provider are separated. The former establishes the identity of a user, for which it can use all kinds of credentials, from the official credentials issued by the state to those generated by a private entity. The latter offers a digital service to the user, such as the online store or the digital newspaper mentioned above. The proposed infrastructure acts as an intermediary that connects many identity providers with many digital services, simplifying the access process for the user.
Additionally, the intermediation process offers more value to the user: it allows them to control which credentials they want to share, to choose an identity provider that guarantees a certain level of service, and even to better understand how their data is shared, since it can be processed before sharing in order to protect their privacy. The ability to interconnect different identity providers is also consistent with the digital environment, where a user is not limited by geographical boundaries. Finally, it is also important to keep in mind that the use of identification credentials is tied to the risk level of the transaction, possibly to regulations, and in most cases to national data protection laws. Therefore, thanks to the interoperability offered by this solution, a user can have access to greater flexibility in the identification process.
Self-sovereign identity
Self-sovereign identity refers to a model in which “the user is the central administrator of his or her identity,” and differs from other identity models in that it “does not require a third party to manage the users’ identity” [IDB2020]. As mentioned above, the goal of such schemes is to allow an identity to be used in different contexts, and therefore efforts to establish self-sovereign identity models bring together several institutions. One such initiative is that of the Sovrin Foundation [SOV2020].
The solution proposed by the Sovrin Foundation seeks to ensure that a user can control the information he shares while still guaranteeing the authentication process for any digital service. In this model, the owner of the credentials is the user, who decides to present them to the digital service under his own conditions. The digital service can then validate these credentials without having to contact the issuer of the credentials directly.
To carry out this process, it is first necessary to standardize the credentials, so as to simplify the exchange of the identity attributes that a user chooses to share. These identifiers have been established by the World Wide Web Consortium. It is also necessary to ensure that the credentials presented were issued by someone the digital service trusts, and furthermore that they have not been modified by the user. This is solved by means of a digital signature system, which provides authentication, integrity and non-repudiation. Additionally, in order to distribute the public keys that allow the digital signature to be verified, the traditional public key infrastructure of the Internet is replaced with a blockchain system. Each time a credential is issued, the transaction is recorded in the blockchain, so that anyone who receives the credential can verify its validity. In other words, it is not the credential that is stored in the blockchain, but information about the credential that allows its validity to be verified. The credential therefore remains under the control of the user, the owner of his information.
Additionally, the validity of that credential can be revoked by means of a new element in the blockchain, which simplifies the process for the issuing entity. A relevant feature of this system is that it allows what is known as a zero-knowledge proof: a user can access the service by presenting only those elements that are relevant to the transaction, even if the original credential contains more information than necessary. As a consequence, in this case an attacker's interest is redirected to the end user and the blockchain system instead of the institution that generates the credentials [AD2020].
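As an added illustration in Go (not code from this page or from the Sovrin project), the flow just described: the ledger is modelled as two maps (issuer DID to public key, and revoked credential IDs), the issuer signs only salted hash commitments of the claims, the holder reveals any subset of claims, and the service verifies the presentation against the ledger without contacting the issuer. The salted-hash selective disclosure stands in for the zero-knowledge proofs the text mentions; the DIDs, claim names and the shape of the ledger are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Claim is one credential attribute; the random Salt hides low-entropy values inside its hash.
type Claim struct{ Name, Value, Salt string }

// Presentation is what the user hands to a service: the commitment of every claim (the only
// thing the issuer signs) plus plaintext for the claims the user chooses to reveal.
type Presentation struct {
	ID, Issuer string
	Commits    []string
	Revealed   []Claim
	Signature  []byte
}

// digest is the hex SHA-256 of its parts joined by "|" (hex output never contains "|").
func digest(parts ...string) string {
	h := sha256.Sum256([]byte(strings.Join(parts, "|")))
	return hex.EncodeToString(h[:])
}

// Issue commits every salted claim and signs only ID+commitments; the holder reveals a subset by trimming Revealed.
func Issue(priv ed25519.PrivateKey, did, id string, attrs map[string]string) Presentation {
	p := Presentation{ID: id, Issuer: did}
	for n, v := range attrs {
		s := make([]byte, 16) // assumed 128-bit salt per claim, kept by the holder only
		rand.Read(s)
		c := Claim{n, v, hex.EncodeToString(s)}
		p.Revealed = append(p.Revealed, c)
		p.Commits = append(p.Commits, digest(c.Name, c.Value, c.Salt))
	}
	p.Signature = ed25519.Sign(priv, []byte(digest(append([]string{id}, p.Commits...)...)))
	return p
}

// Verify resolves the issuer key from the ledger (DID -> key), rejects revoked IDs and bad
// signatures, then checks each revealed claim against a signed commitment; the issuer is never contacted.
func Verify(keys map[string]ed25519.PublicKey, revoked map[string]bool, p Presentation) error {
	pub, ok := keys[p.Issuer]
	if !ok || revoked[p.ID] || !ed25519.Verify(pub, []byte(digest(append([]string{p.ID}, p.Commits...)...)), p.Signature) {
		return errors.New("issuer unknown, credential revoked, or signature invalid")
	}
	for _, c := range p.Revealed { // commitments are fixed-width hex, so any match is a whole entry
		if !strings.Contains(strings.Join(p.Commits, "|"), digest(c.Name, c.Value, c.Salt)) {
			return errors.New("claim " + c.Name + " was altered or never issued")
		}
	}
	return nil
}
```

Revocation here is simply a new ledger entry (the ID added to the revoked set), which is exactly why the verifier needs the ledger but not the issuer.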
Although this initiative has the backing of several institutions, it is still in the process of maturing due to the relationship between the underlying technology and the economic model that will allow it to be sustainable.
Conclusions
The use of digital identity continues to present challenges that not only cause inconvenience for the user, but also limit the development of the digital ecosystem. Distributed identity models have been evolving to improve scalability, security and privacy. In this document we have discussed some technical characteristics of several distributed identity solutions.
Diego Pacheco-Páramo
Translated by: Anasol Monguí
Bibliography
[EUB2019] Blockchain and digital identity. A thematic report prepared by the European Union Blockchain Observatory and Forum. 2019
[RID2020] Privacidad y navegación por internet. D. Pacheco-Paramo. 2020. https://reconoserid.com/privacidad-y-navegacion-por-internet/
[EUR2015] FutureID. 2015. https://cordis.europa.eu/project/id/318424
[IDB2020] Self-Sovereign Identity. The Future of Identity: Self-Sovereignty, Digital Wallets, and Blockchain. Banco Interamericano de Desarrollo. 2020
[SOV2020] The Sovrin Foundation. 2018. https://sovrin.org/
[AD2020] Hacking Sovereign Identity. A. Délèze. Master Project. EPFL. 2020. https://sovrin.org/