Spherity’s Identity Tech Predictions for the decade of the 2020’s — Part 1

A high-level overview of where disruptive new technologies will drive identity and cloud-edge computing in the decade to come, with links galore!


In recent years, people have spoken a lot about revolutionary or disruptive technologies, mixing the terminologies of Thomas Kuhn and Marc Andreessen. Social, Mobile, Analytics and Cloud (“SMAC”) have been the most disruptive technologies of the last decade, but all four transformations are largely complete and foundational today. We have organized our predictions for the next decade according to an acronym for four technologies shifting the ground rules of business today, the so-called “DARQ” [:dɑːk:] transformations:

  • [D]istributed Ledgers like blockchains, permissioned DLTs, DAGs, and peer-to-peer protocols with loads of modern cryptography such as zk Proofs and Multi-Party Computation (MPC) are indisputably one such technology that will change everything, even if a little more incrementally than many predicted a year or two ago.
  • [A]rtificial intelligence, and its offshoots of Machine Learning, Federated Learning, Business Intelligence, and Intelligent Agents will also bring major upheavals in the business world in the decade to come.
  • Converged [R]eality refers to the approximation of the “Internet of Things” and Virtual/Augmented Reality systems as well as the convergence of IoT, edge & cloud with living species. In Industry 4.0 research, much of this convergence is called “cyberphysical systems”, bringing more natural, constant, and realtime interactions between data and the physical world.
  • [Q]uantum Computing refers to a coming architecture of supercomputer that will be able to do mammoth amounts of computation in seconds, if and when it is stabilized enough to be operational. Much of today’s cybersecurity assumes that such massive firepower could never be deployed for “brute force” attacks, which means not just methods and algorithms but entire architectures may need to be upgraded in this decade to be “quantum-resistant”.

We do not want to answer the more narrow question of “what comes after blockchain” (how 2018!), or which projects are hot or worthy of buzz. Instead, we will overview some of the topics that we find promising in our research, and the direction we see our clients and their business models moving. We present these thoughts in the form of short hot-takes, using the [D/A/R/Q] key to allow selective reading and providing links to sources and other writers’ analyses wherever possible.

Identity (and Identity/Access Management) in the 2020’s

[D] Not only do we agree with Vinay Gupta and with the CEO of PayPal that identity will be “blockchain’s first revolutionary product,” we would go further and say that this revolutionary product, self-sovereign identity, will in turn be the silver bullet for cryptocurrency adoption. An idea that has grown more and more common among crypto thought leaders in 2019 is that adoption of cryptocurrency is held back by three main problems:

  1. volatility,
  2. integration into the legacy systems of both private and public banks,
  3. and user experience.

While identity systems may not seem directly relevant to the design of viable stablecoins, Ethereum’s richness of identity systems, mechanism design, and governance experimentation may have contributed significantly to its central role in the development of stablecoins and other decentralized finance (DeFi) building blocks. Similarly, regulation and liability have been the main roadblocks to interoperability with banking and credit infrastructure, and the integration of digital identity into government infrastructure (detailed below) could make great progress on that front. Lastly, the user experience problems of cryptocurrency (uniformity of wallet designs, wallets’ place in the app-centric model of software markets, and key recovery systems) are all problems shared with decentralized identity, such that whatever advances one will likely advance the other.

[D, R] Passwords will go out of fashion this year, and be largely gone by decade’s end; they’ll be replaced by more intuitive, contextual, and often invisible authentications. Gartner estimated in March that 60% of large and global enterprises, as well as 90% of midsize organizations, will leverage passwordless methods in over 50% of use cases by 2022; 9 months later, that prediction is still looking reasonable to us. The FIDO alliance, Ubisecure, yes.org, and other such federated solutions are rapidly pushing the passwordless envelope for traditional (centralized) account systems. Meanwhile, our colleagues in the DIF, Aries, and W3C communities, as well as others in the broader blockchain space, are working on advanced key management solutions, custodial and/or cloud wallets, and even binding both centralized and decentralized identities to biometrics or to physically uncloneable features (“PUFs”). These object or machine identity “fingerprints” are derived from unique, microscopic imperfections that are a side-effect of electronics manufacturing or from “taggants” intentionally applied during the manufacturing process; these will undoubtedly transform the object and machine identity space in the coming decade.

[D, A] While the lion’s share of attention in decentralized identity goes to privacy, data rights, and provenance/tracking, a quieter and equally important technical conversation is happening in parallel about where that data gets processed, and predictably the answer is decentralized in complex ways. For years, “edge computing” has seemed an imminent enabler of a shift from centralized clouds to fiduciary agents working autonomously and confidentially on behalf of identities. We think this decade will see an explosion of edge computing that processes edge data, particularly sensitive and self-sovereign data that never needs to be stored on a server’s hard disk or in its log files. We foresee that by 2025, machine-learning-powered, edge-computed virtual personal assistants will make their debut, and we expect that the first ones to market will be self-sovereign and privacy-preserving, rather than centralized and surveillance-furthering. More on this below, in the “cloudy” predictions.

[D, Q] It no longer sounds far-fetched to imagine that in the 2020’s, governments will invest heavily in infrastructure enabling them to supplant the entrenched identity monopolies (Big Data, banks, and credit cards). The “honeymoon” of largely underregulated cryptocurrencies and the spectre of a Facebook monetary disruption drove home the point that without identity, DARQ and cryptocurrencies are and will remain dangerously difficult to regulate, tax, or even govern. For all these reasons, major governments will focus their investments and designs on policing tax evasion and other digital crimes, safeguarding privacy and other citizens’ rights, and providing a digital “root of trust” appropriate to their role in the physical world. Unlike existing ledger systems, they will probably demand higher thresholds of secure post-quantum cryptography and other cybersecurity future-proofing than private sector builders have to date. America, China, and Europe won’t be the only governments to build infrastructure for government services, identity, and currency, but they will be the first and most closely watched in the 2020’s.

[D] We expect that Multi-Party Computation (MPC) for secure key management & transfers, Layer-2, and off-chain implementations will make the privacy conversation more complex and multidimensional, escalating the cat-and-mouse game between transaction ledgers and financial regulators. Blockchain players such as Tron are also dipping their toes into the water with implementations of MPC for shielded transactions. Shielded transactions and AML will become a major regulatory issue in 2020/2021. Enterprises will start to significantly adopt MPC for identity, privacy and data sharing along their value chains from 2022.

[D, A] Reputation and Scoring is a deeply thorny, slow-moving problem. After all, it is one of the core problems in identity system design generally (see, for instance, #12 in Vitalik Buterin’s review of Crypto’s Hard Problems between 2015 and 2020). While currency itself has been the domain of government for centuries, the related tools of reputation (and credit scoring) are things that many people do not want administered by even the most tech-savvy and benevolent of governments. Until an interoperable metaplatform for decentralized identity is widely adopted, it is hard to imagine an ethical and democratic reputation system because it requires a social graph that no one authority (private or public) can own, censor, or control. We are optimistic that this decade will see self-sovereign social graphs and reputation systems developed in earnest, offering a powerful alternative to the centralized systems. In the shorter term, we expect that enterprises will start using decentralized identity and verifiable credentials for Third-Party Risk Management and responsible sourcing to assess the credibility and compliance of their business partners in 2020, with broader adoption across industries in 2021/2022. Currently, pharmaceutical, automotive and mining companies are working on this use case simultaneously.

Cloud Computing in the 2020’s

[A, Q] Just as modular “serverless” computing (an “event-driven” model of cloud computing execution) is pushing the cloud-native envelope to edge devices and will come to maturity and general practice in the coming years, so too will the “trustless” model of cybersecurity take over in cybersecurity thinking and cyber-physical systems design. In trustless cybersecurity, core information and identity assets (rather than security perimeters) are prioritized for maximal security, extending minimal trust to all other interlocutors, even authenticated or internal ones. It might seem extreme to ask other processes and parties, even on-premise ones, to “show their papers” each time they access crucial systems, but as definitive perimeters and siloed data become rarer in tomorrow’s more interdependent, containerized, and interoperable environments, finite perimeters become effectively impossible to secure adequately. Professionalized hackers periodically prove this rare but significant background risk, with hacks of the most trusted clouds, development infrastructure, and container systems. Trusting any user or agent who can “get in” with valid credentials is already reckless today, even before ML-powered (or worse, quantum-powered) impersonation and identity/credential theft comes into the picture. Instead, prioritized security thinking will have to write off a certain degree of risk in low-value operations and instead keep a shorter list of assets secured to a much higher level of assurance. We also believe that, using cost-effective serverless infrastructures and mass-produced taggants, costs for secure decentralized identity of serialized FMCG products will go much below 0.05 ¢/unit by 2022. This opens up entirely new use cases for digital twinning in FMCG ranging from anti-counterfeiting, to back-to-birth traceability, to object marketing and the circular economy. We expect that decentralized identity will be adopted on a broader scale for the circular economy in 2025.

[D, A] One way to achieve a higher level of security in a limited scope is to isolate important processes, not just as microservices or as virtual machines (within virtual machines), but even in hardware terms, running important microservices on lightweight custom kernels that live in dedicated processors. This growing trend of building tiny hardware islands and moats within servers has grown a broad field called Trusted Execution Environments, which after years of debate and experimentation is starting to mature into standards, best practices, and even deep-pocketed international consortia. Not only does this offer higher levels of security and stability for cloud operations, it also greatly advances privacy-by-design, allowing sensitive information (encrypted by SSI, for example) to be processed or anonymized for transit and aggregation in high-security isolation on the edges of the cloud. It allows sensitive data to be analyzed more privately on the edge by “federated learning” processes rather than being dumped into a data lake for centralized machine learning. It might also offer an energy-efficient and more securable alternative to “confidential” transactions and calculations that might otherwise take place in smart contracts on a public blockchain. For low-cost enterprise applications in which anchoring of identifiers or data on an immutable ledger is required, we expect that the adoption of cloud-native and then cross-cloud immutable journals such as AWS Quantum Ledger DB will gain significant traction after 2022.

[D, A] While the high-level architects of today’s biggest projects (Ethereum and Hyperledger, to name just two) often talk about “sidechains” and their coordination as one way of increasing scale, others are advancing the navigation of DAG (Directed Acyclic Graph) structures to move away from the limitations of linear ledgers. One tendency shared by all of these approaches is that they discreetly and confidentially spread the “compute” (low-level computation) across smart contracts and validators on multiple chains and sidechains, bringing them closer to their inputs and outputs to lower risk, latency, and privacy concerns. In many ways, this could be seen as the distributed ledger analogy to what Gartner calls the “empowered edge”. Holochain, an experimental “post-blockchain” project with a very open-ended and self-sovereign conception of smart contracts, has been finding the process of creating a new license with the Open Source Initiative quite difficult exactly because it is trying to do both, moving both data and compute contractually within the control of self-sovereign individuals. While this thought experiment might seem an academic or cypherpunk extreme of the drive out to the edge, we believe the “edge” envelope will continue to be pushed in new and exciting ways, growing more important to enterprise business processes in the coming decade.


In summary, we could say that identity and cloud infrastructure are increasingly moving in the direction of decentralization and spontaneity. This is largely driven by a global move to rethink and invigorate the regulation and governance of globalized information technology, incentivizing modern information technology systems to be resilient, capable of spinning up new value chains or finding new ways to secure, channel, or safeguard existing ones at the drop of a hat. Many seemingly unrelated tendencies stem from this feedback loop:

  1. higher security in limited radiuses to allow more connections and interactions with unknown parties;
  2. new meta-platforms for reputation, to strengthen and counterbalance generalized AI;
  3. a shift towards cross-company / -entity attribute-based access control (ABAC) and a revival of interest in object-oriented programming as a way of delegating control as well as information and access;
  4. a deep suspicion of correlation and tracking throughout the stack.

In our immediate domain of expertise, this entails a rethinking of event-driven cyberphysical systems not only to operate outside of silos, but to be future-proof and unsiloable in the structure of their identity and their data.


In the second section of our predictions, we’ll chase the consequences and ramifications of this epochal shift deeper into the rabbit hole of “deep tech”, looking at some of our more specific pet topics: MPC, deepfakes and content provenance, ultra-scalable identity, industrial IoT and its unique identity & security challenges, alternative bases for blockchain participation, and quantum-proofing technologies.
