WEB3 and data decentralization - Part 2

(leggilo in italiano)

In the previous article we saw that an SSI verifiable credential carries not only the desired information, but also the identities of the emissary and the owner through their digital identities. In this article we will see a simple, classic example of how to take a service that uses username and password for system access, to one that using SSI completely removes passwords, which then become redundant.

Before we look at how SSI works and how passwords are removed from systems that use it, let us look at the reasons and history that led to the current systems.

Accessing a service with only one's username, in the early days of WEB2, did not give much assurance of security as one could easily guess it, especially when most usernames became one's email. To restore certainty to identity, passwords were added. The password is something that only the user in question knows (at least one hopes...), so it ensures a unique identification and thus identity.

Unfortunately for us users, over time, as the Internet got bigger and more and more services sprang up, our passwords also grew by the day, so much so that almost all of us often use the same password for different services, which is not exactly the best choice. The problem was also exacerbated by the fact that today's centralized systems make our data available to hackers all at once, in a single database, making it easier to spread our passwords when they are then shared or sometimes sold on the net.

When we realized that username and password were no longer enough to identify ourselves, then given the common use of mobile phones we also added a two-factor system. That is, not only does a user have to enter username and password during login, but also a code that will arrive on the registered device. There have been a variety of creative solutions to the two-factor system, including timed hardware devices, magic links, and even one with a voice call from a quasi-robot to give you the code! The user experience then, given the complexity of these systems, has worsened, and centralized systems are continuing to show symptoms of failing to keep up with the growth of the multiple services offered via the Internet.

Removing passwords from our systems, and thus simplifying service infrastructures and giving us back a better user experience, is possible right away with decentralized systems and especially using SSI as a standard protocol.

A verifiable credential created with SSI, simplified in the image below, consists of three basic parts. The first part contains the information to be transmitted and the digital identity of the owner. The second part contains the digital signature of the emissary that seals the credential, and the third is the digital signature of the owner that confirms the veracity of the ownership of the credential. In SSI systems a digital identity is called a DID (Decentralized IDentifier) or Decentralized Identifier. This DID is linked to our digital wallet and allows us to sign credentials when we want to pass them on to requesters.

Back to our service that wants to remove passwords for its users. First, users need to equip themselves with a digital wallet. The service could promote its own SSI mobile application to its customers, or decide to direct them to use an existing SSI application already on the market. In fact, since SSI is a well-defined standard, it does not matter what application a user uses, the important thing is that it is compatible with SSI standards. There are also digital wallets as browser extensions, should someone not have or want to download an app on their phone. We will discuss this pro-con in another article.

To give its customers an optimal user experience, the service decides to allow everyone to switch from username/password to the decentralized passwordless system through a QR Code that appears in the customer's dashboard after login, and thus give everyone time to be able to arrange in the most appropriate way and timing for the migration. In fact, the two systems, centralized and decentralized, can coexist together seamlessly to facilitate a migration over time.

By scanning the QR Code with their SSI application, each user receives a credential signed by the DID of the service, which is saved in their digital wallet. To login later, simply scan another QR Code that appears on the login page with their SSI application, and select the saved credential to share on the device. The system then checking the information contained in the credential, the signatures, and the various DIDs included in the data packet that arrives, can actually give access to the user who has proven to have the valid credential signed by the system itself.

The user experience improves dramatically because we no longer have to remember passwords, (which no longer exist at last ! ) or wait to receive an SMS or email link, in order to log in. Scanning a QR code to log in is definitely very easy.

It is noteworthy how now the service can remove from its database all passwords, which are no longer needed, and also remove all the infrastructure related to the attached services such as password change, forgotten password, etc. Etc.

Although there are many solutions to remedy the discontent of using passwords, they are all palliative because the password still remains the means of authentication. Instead, the SSI solution completely removes passwords, which have made their history and can certainly be a thing of the past.

As mentioned in the introduction notwithstanding removing passwords from login systems is definitely something I highly recommend all companies to do immediately for a better experience for all of us and infrastructure savings for them, SSI is not only limited to this, but with the same technology many other cases can be solved that with centralized systems are not possible, either physically or legally. In fact, in the next article we will discuss an SSI system of data transfer to and from different governmental jurisdictions where laws prohibit the sharing of personal data.