A Simple Introduction to Digital Identities
credit https://www.blackillustrations.com

A digital identity operates more or less like a real-life ID does; it provides proof that people are who they say they are. It includes information such as usernames and passwords, buying history, search history and other forms of data that are unique to each person. For the modern individual, having a digital identity is crucial to gaining access to both government and private services.

When we think about the most valuable asset of the digital age, data is not the first thing that comes to mind. And yet increasingly, organizations are collecting more and more user data and using it to tailor ads and online experiences that improve their bottom line. It’s not a stretch to imagine that one might feel coerced or managed when going about their activities online.

Now more than ever, data security and privacy are vital to the digital user experience. People want to know that their data is safe and that it is not used to compromise them. However, this is difficult to enforce since that data belongs to the organization, which can use it as it wishes. This is the system under which many organizations operate: a centralized identity system.

Centralized IDs

A centralized ID is the most common and familiar one. It allows users to access services issued by a specific provider such as email accounts or subscription-based websites such as Netflix. This means that the ID belongs to the provider.

Centralized IDs also require users to have different usernames and passwords for every service they wish to access online.

In this system, organizations can do what they want with user data, leaving users at their mercy. They can restrict access to their services or terminate your account at will. Some, like mobile carriers, can even re-issue your ID to someone else without requiring any input from you. However, governments have been taking measures to protect users’ data by passing laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).




Fig. 1.1. Identities are approved, stored and owned by the institution in a centralized system.

Federated IDs

In this system, user data is still owned by the ID provider; however, the user is able to access third-party applications using a single login. For example, users are able to access services such as Twitter using their Apple credentials.

Facebook login credentials are another good example of a federated ID because users can use them to access numerous services such as Amazon, Instagram etc.

User access is easier in this system because there’s no need to remember multiple login credentials. While federated IDs are an improvement on identity management systems, they’re still considered centralized IDs.


Fig. 1.2. The user can access services using credentials belonging to different organizations.

Decentralized IDs

This is the future of digital identity. In this system, users have autonomy over their data. They have authority over what they share and with whom. User identity and credentials are stored in a digital wallet that only they have access to. They don’t have to remember login credentials for every single service they access because the ‘keys’ are in their wallets and they can manage them as they see fit.

Users can also store key documents such as school or government credentials (degrees, transcripts, passport etc.) that enable them to apply for jobs and access services in a timely manner. Usually, it takes organizations a lot of time to verify credentials in a centralized ID system. Certain governments, e.g. the EU and Ontario, are already laying the foundation for implementing this.

A good real-world use case of a decentralized ID system is Bitcoin. No single entity can claim to own the Bitcoin network. Instead, it relies on all the nodes (computers) in the system talking to each other in order to maintain the integrity of the system.



Fig. 1.3. The user receives credentials from multiple issuers (governments, schools etc.) proving their identity and then provides that data to entities that request it (verifiers such as employers).

Self-Sovereign IDs

Self-sovereign IDs are the next natural step for decentralized IDs. They are the true culmination of owning your data. In this model, all user data would be stored on the user’s device and they would own it permanently. Therefore, when an entity needs to verify user credentials, it’s up to the user to provide that verified data because there isn’t a central database.

As it is now, the term self-sovereign identity (SSI) can be used interchangeably with decentralized identity because the idea of decentralization is still in its infancy. The main difference, however, is that an SSI requires the user to verify their credentials upon request while for a Decentralized Identity (DID), the entity requesting verification doesn’t get a ‘thumbs-up’ that the data is valid.

So why decentralized IDs?

1. Data ownership

The main advantage decentralized IDs have over centralized IDs is data ownership. DIDs give back control of identity to the user and allow them to collect verified data about themselves from certified issuers independently. For instance, a user can store government-related documents such as their birth certificate in their digital wallet (the government being the certified issuer in this case) so they would be able to prove they’re above 18 when signing up for a new online service without necessarily having to share their date of birth.

On the other hand, data in a centralized ID system can be collected, stored and shared with third parties without the user’s knowledge thereby putting the user at risk of exposure.
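The age check described above can be sketched as follows. This is an added example, not code from the article or from any wallet product: the issuer signs salted hashes of each claim with an Ed25519 key, the wallet reveals only `over_18`, and the verifier checks the signature and the revealed claim. The function names, claim names and sample values are constructed for illustration, and the scheme is a simplified salted-hash disclosure, not a complete credential format.

```javascript
// Added example: issuer -> wallet -> verifier with selective disclosure.
const nodeCrypto = require('crypto');

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');

// Issuer: commit to every claim with a salted hash, then sign the digest list.
// The salt stops a verifier from guessing hidden values by hashing candidates.
function issueCredential(issuerPrivateKey, claims) {
  const disclosures = Object.entries(claims).map(([name, value]) =>
    JSON.stringify([nodeCrypto.randomBytes(16).toString('hex'), name, value]));
  const payload = JSON.stringify({ digests: disclosures.map(sha256).sort() });
  const signature = nodeCrypto
    .sign(null, Buffer.from(payload), issuerPrivateKey).toString('base64');
  return { payload, signature, disclosures }; // stored in the user's wallet
}

// Holder (wallet): pass on the signed payload but only the chosen disclosures.
function present(credential, reveal) {
  const disclosures = credential.disclosures
    .filter((d) => reveal.includes(JSON.parse(d)[1]));
  return { payload: credential.payload, signature: credential.signature, disclosures };
}

// Verifier: check the issuer's signature first, then that every revealed
// claim hashes to a digest the issuer signed. Returns the claims or null.
function verifyPresentation(issuerPublicKey, presentation) {
  const signatureOk = nodeCrypto.verify(null, Buffer.from(presentation.payload),
    issuerPublicKey, Buffer.from(presentation.signature, 'base64'));
  if (!signatureOk) return null;
  const signedDigests = new Set(JSON.parse(presentation.payload).digests);
  const claims = {};
  for (const d of presentation.disclosures) {
    if (!signedDigests.has(sha256(d))) return null; // claim not issued
    const [, name, value] = JSON.parse(d);
    claims[name] = value;
  }
  return claims;
}

// Constructed sample data: a government issuer and one user's claims.
const issuer = nodeCrypto.generateKeyPairSync('ed25519');
const walletCredential = issueCredential(issuer.privateKey,
  { name: 'Jane Doe', date_of_birth: '1990-04-12', over_18: true });
const shown = present(walletCredential, ['over_18']);
const accepted = verifyPresentation(issuer.publicKey, shown);
const forged = { ...shown, disclosures: [JSON.stringify(['00', 'over_18', true])] };
const rejected = verifyPresentation(issuer.publicKey, forged);
```

The sketch leaves out binding the presentation to the holder's own key and to a verifier-supplied nonce, so a real deployment would need both to stop a captured presentation from being replayed by someone else.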

2. Data security

There’s a lot of private user information stored online such as ID numbers, bank accounts, similar passwords for different services etc. that could leave users seriously exposed if accessed by unauthorized parties. Centralized systems are especially vulnerable to threats such as cyber-attacks and privacy breaches because so much sensitive information is stored in the same place.

DIDs typically have decentralized storage which protects organizations from large scale data breaches because data is stored in each individual user’s wallet. They also enable users to protect themselves from data tracking and targeted content online.

While no system is truly immune from hacking attempts, DIDs are generally more secure compared to centralized IDs.

3. Access to a Wide Array of Services

The driving technology behind DIDs is blockchain, which has proven to have the ability to provide unified secure access across different platforms. In theory, the same would apply for a DID whereby a user would have one identifier across all business and government domains thereby giving easy access to varied resources without the hassle of having many different logins.

Conclusion

DIDs represent democracy in the digital age in that users own the most precious commodity to digital companies and governments, data. It’s a step in the right direction for data security that people take charge of their experiences online by managing their own data.

However, their eventual deployment may face some challenges, such as pushback from governments and organizations that are opposed to change, as well as from those for whom user data is a key component of their bottom line.

Users also face the risk of vulnerability if their DID gets into the wrong hands because their entire digital history will be exposed.

However, the benefits far outweigh the risks because the likelihood that a single individual will be targeted by hackers versus an organization with a centralized database is low. Additionally, DIDs will force people to be more conscious of the data they provide to service providers because they will have to approve each request.

DIDs will also help make the online experience more authentic for users by preventing data collection and tracking.

It may require a bit of a learning curve, but evolution is necessary for survival.

Daniel Kioria

Digital Marketing Automation Expert

1 year ago

Interesting piece. Decentralized identities as currently solved are based on collegial attestation. While collegial attestation works great for collegial communities it falls short when it comes to real-world digital identity. In the real world money gets involved. It only takes an amount of money sufficient to justify the effort to corrupt collegial attestation. https://dankioria.com/decentralized-identitys-big-vulnerability/


Brilliant

Emman Atwa

Lead M-PESA Product Manager at Safaricom PLC

2 years ago

Such an insightful article here Kiptoo Towett, especially for all in digital products management on authentication of services

Esther Ngige

Student at Jomo Kenyatta University of Agriculture and Technology

2 years ago

Great piece! I love

Sharon Rotich

Geo-Spatial Engineer | Spatial Data Analytics | GIScience Enthusiasts | Woman in GIS | Data management | Remote Sensing | GEE | MIT

2 years ago

This is a lovely article Kiptoo!
