Decentralized Identity: The Future of Digital Identification

This article provides a deep dive into the concept of decentralization and how decentralized identity will become the future of authentication.

Batoi Research Group, Oct 1, 2022

Introduction

Today, the technologies and apps we use are primarily centralized - that is, they are managed from one central location. Take the example of the Facebook app, which everyone uses for online social activities. The organization behind it controls the app, user data, digital identities, and other personal details. All these credentials reside on the company's servers or in its cloud storage. Isn't this a worrying factor? Anyone within the organization can misuse such credentials or sell the data to a third party for undisclosed interests. If you agree with me on this, let's dig into the concept of decentralization and how decentralized identity will become the future of authentication.

Before turning to decentralization, let us look at what centralization is and where it falls short.

What is a Centralized System of Storage and Management?

In a centralized system, all data, authentication applications, digital identities, and other processes reside in one place. One central authority manages, controls, and stores all resources. This is advantageous because it provides visibility into processes and resources, but it raises issues around identity and credentials.

Drawbacks of a Centralized System of Identity and Personal Data Storage

  • Data Breach: A centralized store keeps credentials and digital identities on one central server. Therefore, if cyber criminals compromise the system or use a zero-day attack to penetrate it, they can easily steal those credentials, misuse them, or change them to arbitrary values. Recovering stolen digital identities and other personal assets costs the business a lot. The most recent (2021) IBM Cost of a Data Breach Study found the average data breach cost to be 3.92 million USD, with 36 percent (1.42 million USD) being direct business loss.

  • Privacy Concern: Data privacy is another fast-growing concern. Individuals have become wary of sharing their private details and credentials with organizations that store data centrally. An insider threat can pose a severe issue: anyone within the organization can leak or steal the data and share it on the dark web. That is why, nowadays, companies should also follow privacy compliance requirements and industry-standard policies to secure user data. Even so, centrally stored digital identities, private data, and login credentials remain a concern.

  • Credential Stuffing through Automation: Anyone who has stolen centrally stored login credentials and digital identities can use automated tools and APIs to perform credential stuffing, trying the compromised emails and passwords against other accounts.

Any breach of digital identities and login credentials is attributed directly to the company, which is the central point of failure. For this reason, companies should protect those digital identities and credentials with additional security mechanisms such as hashing, encryption, and continuous monitoring, which is an additional cost.

What is a Decentralized System?

No single person or authority group handles or deals with the data in a decentralized system. Such a system allows users to store their data without depending on any centralized data center or cloud storage. Some decentralized systems use blockchain technology, which makes them more secure. Any unnecessary update or change creates a new block, and all other members/users associated with the system can see the change.

What is Decentralized Identity (DID)?

Decentralized identity (DID), also known as self-sovereign identity, distributed identity, or personal identity, is a technique that allows users to manage their Personally Identifiable Information (PII) themselves rather than handing it over to a centralized system. The primary purpose of decentralized identity is to create standard ways for internet users to control and manage which app or service can access particular user details and digital identity.

The entire concept rests on a trust framework for managing identity. In other words, this framework gives identity control back to the consumer through an identity wallet. The digital wallet enables users to grant and revoke third-party access to their identities. As per Forrester's report, "Decentralized Digital Identity (DID) is merely a technology buzzword: It promises a comprehensive restructuring of the currently centralized + physical ecosystem of storing and managing digital identity into a decentralized & democratized architecture."

In a decentralized identity mechanism, identifiers such as usernames, Personal Identifiable Numbers (PINs), & phone numbers get replaced with self-owned IDs. These IDs will allow users to exchange data or authenticate themselves without compromising their security & privacy. Let us further explore the different terminologies and concepts associated with decentralized identity.

Terminologies Associated with Decentralized Identity

  • Decentralized Identifiers: Usernames, phone numbers, unique driving license numbers, bank account numbers, and other Personal Identifiable Numbers (PINs) get replaced by a verified self-owned ID called a pseudo-anonymous identifier. These identifiers stand in for your original credentials without disclosing user information. They allow users to verify and exchange data without compromising their data security and privacy.

  • Identity Wallet: It is simply an application (installed on a mobile or computer) that allows users to create a decentralized identity and manage (grant and revoke) access of those identifiers to other companies or service providers.

  • Identity Owner: Identity owners are the users who create their decentralized identity by sharing their various identifiers with the identity wallet, where they are verified by the issuer or identity verifier associated with the app. They are mainly responsible for managing and granting access to their personal information through that wallet.

  • Identity Issuer: These are organizations or authorized persons responsible for verifying the identity and issuing a tag stating that the owner's identity is fit for decentralized identification purposes. They use their private key to sign the transaction and verify the identity owner. Examples include employers, private firms, government organizations, and universities. These trusted authorities verify the accuracy of all user details and whether these details are shareable with other individuals or businesses.

  • Distributed Ledger Technology (DLT): It is a technology architecture, together with some protocols, that enables the system to simultaneously access, validate, and update records in an immutable form over a network that is not centrally located or owned by any one specific organization or individual. The most popular DLTs are Blockchain and Ethereum.

How Do Decentralized Identity and the App Work?

In a decentralized form of identity, an app or identity wallet operates and handles all the users' credentials & personal details in a repository known as the wallet. The steps are:

  1. These wallets function on behalf of their owner to verify the identifiers in a decentralized identity ecosystem.

  2. The wallet uses cryptographic keys (private and public keys) to authenticate users to businesses/login firms while not disclosing any of the user's personal information and preserving privacy.

  3. The private key becomes the user's universal login credential that acts as a uniquely identifiable PIN across all platforms and devices.

  4. The app is assigned a DID on first use; afterwards, the DID is fetched (for checking) from the distributed ledger, which remains decentralized. That is how the entire verification takes place.

  5. The wallet holds verified identity details like the holder's name, age, address, education, employment details, phone number, financial details, etc.

  6. All such already approved/issued information (endorsed by the issuer or trusted authority) helps establish trust, making the user eligible to perform authentication on other sites/apps.

  7. When users go to any app, e-commerce site, social media app, etc., and register, they only provide the DID that gets authenticated uniquely.
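
The login flow in steps 2 to 7, as an added example that is not code from the article or from any DID project: the site sends a one-time challenge, the wallet signs it with the private key, and the site checks the signature against the public key it resolves from the ledger. The in-memory Map standing in for the distributed ledger, the did:example: prefix, and all function names are assumptions made for illustration.

```javascript
// Added example: DID login as a signed challenge-response.
// Assumptions: a Map stands in for the distributed ledger; names are illustrative.
const crypto = require('crypto');

const ledger = new Map(); // DID -> public key (PEM); no personal data is stored

// Wallet: create a key pair and publish only the public key under a new DID.
function createWallet() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const id = crypto.createHash('sha256').update(pem).digest('hex').slice(0, 32);
  const did = 'did:example:' + id;
  ledger.set(did, pem);
  return { did, privateKey }; // the private key never leaves the wallet
}

// Wallet: prove control of the DID by signing the site's challenge.
function signChallenge(wallet, challenge) {
  return crypto.sign(null, Buffer.from(challenge), wallet.privateKey);
}

// Site: challenges are random, single-use, and bound to the site's own name.
const pending = new Set();
function issueChallenge(audience) {
  const challenge = audience + ':' + crypto.randomBytes(16).toString('hex');
  pending.add(challenge);
  return challenge;
}

// Site: accept the login only for a fresh challenge signed by the DID's key.
function verifyLogin(did, challenge, signature) {
  if (!pending.delete(challenge)) return false; // unknown or replayed challenge
  const pem = ledger.get(did);                  // resolve the DID on the ledger
  if (!pem) return false;                       // DID was never registered
  const key = crypto.createPublicKey(pem);
  return crypto.verify(null, Buffer.from(challenge), key, signature);
}
```

The site stores nothing but the DID, and a captured signature cannot be reused because each challenge is consumed on first verification.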

How Blockchain Becomes Advantageous in this System?

Blockchain, one of the most widely used DLTs, can help in various ways to provide security and bring robustness to future digital identity management systems. Here is a list of five ways decentralized identity systems can leverage blockchain.

  1. The Integrity of Data: As we all know, data residing in the blockchain are immutable & permanent; it becomes hard for anyone to modify the blocks or delete any data from the decentralized ledger. Decentralized identity can use blockchain technology to assure that all the authentication and authorization information remains intact and that no one can tamper with the data. Also, the logs remain unaltered, making the entire identity process safe.

  2. Privacy of Data: Since all user/identity owners' sensitive data gets converted into a pseudo-anonymous identifier, also known as a decentralized identifier, it becomes easy to store those decentralized data in the blockchain. With the advent of blockchain in the decentralized system, data will remain encrypted, & no one (since it is not residing centrally) can misuse the user's identity or Personal Identifiable Information. That helps eliminate the issue of privacy among different identity owners.

  3. Blockchain Makes the Entire Ecosystem Trustworthy: Blocks in a blockchain system are immutable. It uses a consensus technique that enables trustworthy transactions in a trustless environment. It uses various nodes in the blockchain and acts as a trusted source for verifying the user. Along with such transactional data, each block within the blockchain comes with a hash. These blocks are a highly-encrypted list of transactions or entries shared across all the nodes distributed throughout the network. The hash value changes when someone tampers with the data.

  4. Robust Security: Decentralized identity systems leverage blockchain to provide high-end user data security. Blockchain uses strong encryption algorithms together with consensus algorithms, digital signatures, and cryptographic hash modules that work closely to defend user identities from identity theft and leakage. Because of blockchain, decentralized identity apps and their systems do not have to implement additional security measures.

  5. Simplify Issuing, Issuers, and Verifying DID: Blockchain absorbs all the complexity and makes the entire decentralized identity mechanism simple. Identity issuers can issue digital identities through blockchain. Identity verifiers can onboard new identity owners and verify their information. Users do not find it risky to store and manage their identities within the identity wallet.
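
The tamper evidence described in points 1 and 3, as an added example that is not code from the article or from any blockchain project: each block stores its predecessor's hash, so an edit is caught either at the edited block or at the next link. The record strings and function names are constructed for illustration.

```javascript
// Added example: hash-linked records with tamper detection.
// Record contents are constructed sample data, not a real ledger format.
const crypto = require('crypto');
const GENESIS = '0'.repeat(64);

// The hash covers the block's position, its predecessor's hash, and its data.
function blockHash(index, prevHash, data) {
  return crypto.createHash('sha256')
    .update(JSON.stringify([index, prevHash, data])).digest('hex');
}

function appendBlock(chain, data) {
  const index = chain.length;
  const prevHash = index ? chain[index - 1].hash : GENESIS;
  chain.push({ index, prevHash, data, hash: blockHash(index, prevHash, data) });
  return chain;
}

// Index of the first block that fails verification, or -1 if the chain is intact.
function firstInvalidBlock(chain) {
  let prev = GENESIS;
  for (const b of chain) {
    if (b.prevHash !== prev) return b.index; // link to predecessor is broken
    if (b.hash !== blockHash(b.index, b.prevHash, b.data)) return b.index; // edited
    prev = b.hash;
  }
  return -1;
}

// A copy re-hashed from the edit onward is internally consistent, so a node
// also compares its head hash with the copies held by its peers.
function agreesWith(chain, peerChain) {
  return chain.length > 0 && chain.length === peerChain.length &&
    chain[chain.length - 1].hash === peerChain[peerChain.length - 1].hash;
}

// Constructed sample: three DID registrations (identifier and key label).
function sampleChain() {
  return ['did:example:a1 key=K1', 'did:example:b2 key=K2', 'did:example:c3 key=K3']
    .reduce((chain, record) => appendBlock(chain, record), []);
}
```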

Real-life Use Case of Decentralized Identity

Let us consider a scenario of online Kindle book shopping. Suppose a girl, Suzane, wants to buy some Kindle books from the Amazon bookstore online. She wants to use her decentralized identity wallet for the complete process. The wallet already contains her verifiable identities like phone number, email address, bank account details, credit card number, etc. She shares her initial identity, like an email address or phone number, through the pseudo-anonymous identifier that helps her log in to the Amazon.com website.

Now Suzane adds all the books to the cart. As she goes to checkout, the website fetches her bank details from her identity wallet app. Once Suzane uses her biometrics to allow the payment, she receives a notification that she successfully bought her Kindle e-book. Here Suzane does not have to share all her bank details and email address with Amazon.com. So, no data is centrally stored on Amazon.com's server/cloud.

Conclusion

The above details conclude that decentralized identity through any blockchain technology (Ethereum, Sovrin, etc.) will be the future of identity security and privacy protection. If enterprises can properly implement decentralized identity, they can change the digital identity landscape with more robust security. IAM providers and developers can leverage decentralized identity for more secure identity management and stay aligned with compliance policies.
