Identity management systems, and the differences between them, are among the most talked-about topics in social governance today. As the world develops and becomes more connected, experts anticipate that decentralization and artificial intelligence will make dramatic advances in the near future. This article dives into these areas and provides context for these modern technologies and what we might expect from them.
Before I start this article, I would like to talk a little bit about textual structure. This article consists of 3 essential topics:
- Server Centric Identity Systems
- User-Centric Identity - DID
- Self-Sovereign Identity - SSI
I will give you only the basics of these three essential elements, and — as always — I will support DYOR because web3 completely supports and encourages self-help learners :)
Server Centric Identity Systems
If you know how the Internet works, you understand that servers are computers that store information. Server-centric management is the backbone of web2, the architecture behind the tech giants’ “user data is our blood” mentality.
Centralization places all elements of the user identity management process under the same authority so that one service is responsible for everything from issuing and authenticating user credentials to validating the platforms that request data on those users.
This centralization results in incompatible data silos with proprietary and often conflicting identity management services. The result is not very cost-effective: companies face inevitable trade-offs, and users face privacy exploitation.
Password clutter: As in the early days of the Internet, many applications still do not use SSO, and the belief that aggregating user data is the ultimate aim of all technology causes accounts and unique logins to proliferate.
Preventing bad actors: In e-commerce, companies must detect bad actors who may order goods they would never pay for to avoid potential business losses. Due to the fragmented and dispersed nature of current digital identity systems, identifying bad actors for fraud protection is a costly and challenging task.
Data protection and custodial costs: With the emergence of an increasing number of data protection laws and potential lawsuits and government penalties, companies that collect sensitive information about users and store this data on their servers are now at business risk. (i.e., exploitation of surveillance capitalism)
Data Mobility: New legislation, such as Article 20 of the European Union General Data Protection Regulation, grants users the right to have their data ported from one company to another and mandates companies to provide for such data portability in B2C apps. In a client-server setup, such data portability with other institutions comes at high operational costs.
Control and Sovereignty Deficiency: Users do not have direct control over what happens with their data and do not know to whom the data is being transferred. Based on a country’s regulations, Internet-based services may have to restrict users’ access or alter the handling of their data at any time.
Re-Centralization of the Internet: The more users e-commerce giants have, the more attractive these services become to sellers, creating a ripple effect. As a result of such network effects, power has begun to build up around these networks. This accumulation leads to the re-centralization of the Internet around platform providers who manage their users’ identities and control all other user-related data.
User-Centric Identity - DID
A Decentralized Identifier (DID) is a generic, pseudo-anonymous, unique digital identifier for a person, company, or object. It gives the subject control over their own digital identity without the need for a central institution to manage the identifier.
To guarantee independence from centralized registries, DIDs need specific properties: 1) They need to be permanent, so they cannot be reassigned to other entities by whoever controls a registry. 2) They need to be resolvable, so that everyone understands how to interact with the subject identified by the DID. 3) They need to be cryptographically verifiable.
“Blockchain networks currently only offer a minimum set of identity attributes that are not sufficient for many socio-economic interactions over the Web. However, if set up correctly, the ledger can offer critical components for a user-centric and privacy-preserving identity management system, providing less friction and lower costs for everyone involved. Decentralized Identifiers (DIDs) in combination with distributed ledgers allow for more sophisticated identity management systems.” — Token Economy.
In a decentralized network, users sign transactions (smart contracts) using public-key cryptography. Once they have done so, they can make claims through their wallet. A digital wallet can be seen as a keychain that holds the keys to data across the blockchain. Users disclose information from their wallets to the outside world; they are the ultimate authority deciding what gets shared and when, and they confirm this by giving consent on the network. The blockchain requires both sides (identity issuers and identity owners) to be recorded and verified. Anyone in the network can verify that a claim is valid, which institutions have access to its data, and that the claim is accurate, without having access to the information being transmitted.
Self-Sovereign Identity
Web 3.0 is a possible future version of the Internet. It is built on a decentralized record-keeping system best known as the blockchain.
“The attractiveness of Web 3.0 is that it is decentralized, meaning that rather than consumers accessing the Internet through services mediated by companies like Google, Apple, or Facebook, individuals themselves own and govern sections of the Internet. Web 3.0 doesn’t require “permission,” which means that central authorities don’t get to decide who gets to access what services, nor does it require “trust,” meaning that an intermediary isn’t necessary for virtual transactions to occur between two or more parties. Because these agencies and intermediaries are collecting most of the data, Web 3.0 technically protects users’ privacy better.”
When it comes to Web3, we cannot turn our back on the emerging need to govern our data and privacy more deliberately. This leads to the question, “How can we regain our identities?”
Five years ago, Christopher Allen published “The Path to Self-Sovereign Identity”, the most comprehensive introduction to how identity administration should be rethought within the scope of Web-of-Trust.
Based on my research, here are a few critical takeaways for Self-Sovereign Identity and why we need a better understanding of Web-of-Trust:
- Access & Control: Authority rests with the end user, who has direct control over their personal identification data and over how anonymous that data is.
- Transparency & Interoperability: User credentials should be long-lived and maintainable, and by choice permanent, or at least as long as the user wishes. Therefore, the algorithms that oversee user identity should be open-source and independent of any particular infrastructure.
- Portability: User Credentials must work in a cross-platform setup; otherwise, they are subject to censorship or control. These portable identities should enable users to maintain control of their identities regardless of the services the users utilize.
- Consent & Minimization: Third-party access to personal data should always depend on the user’s consent. When personal data is disclosed, it should only reveal the minimum amount of data required (e.g., a zk proof).
Overview
User-centric identity solutions based on blockchain and DIDs can eliminate the centralized identity industry and alleviate the messy boilerplate solutions it brings. But this will take years. There are several reasons backing this claim:
1) User-centric identity solutions can increase operational efficiency and reduce costs with instant control and real-time data access. Done right, they can provide more data security and protection against phishing and more efficient regulatory compliance while giving data owners more control.
2) User-centric identity solutions can provide data portability where individuals and organizations can easily reuse credentials to re-authenticate themselves for new services.
3) Although user credentials can easily be stored on personal devices, storage options for user-centric identity solutions can also be personal data stores or distributed file storage networks (e.g., IPFS).
References
The Path To Self Sovereign Identity — Christopher Allen
Token Economy — Shermin Voshmgir