Certifiers Platform, the 3rd major party in the SelfKey identity ecosystem, is now live on the SelfKey Desktop Wallet. The Certifiers Platform was a long-awaited feature, and is a defining milestone for the SelfKey project.
Why Decentralized Identifiers Are Changing The Future of the Internet, Identity and Finance
Data is a new asset class in the digital world – and identity is the new money. The most important piece of data is certainly personal data.
Data is a new asset class in the digital world – and identity is the new money. The most important piece of data is certainly personal data. With access to vast amounts of increasingly detailed personal data, companies and organizations (such as credit bureaus, Facebook and others) are able to profit from the use of your data to the tune of billions.
At the same time, we have less and less privacy. Our data is mined, bought and sold to advertisers on platforms such as Facebook on a daily basis. But just as technology has turned our data into a commodity – a new, privacy centric model is emerging.
Decentralized Identifiers (DIDs) represent an exciting new breakthrough in the field of identity management. They can be thought of as a vital component in a new layer of decentralized identity, which employs cryptography and public key infrastructure to provide a much better way of using the internet.
DIDs are exciting because they represent a tool that can provide us with the power to control our digital identity without the need for a central authority.
To clearly understand this point, let’s take a quick look at how identity management works today and the ways in which the current system is broken. After developing a base understanding of the core concepts surrounding DIDs, we can discuss in more detail exactly how DIDs can be used to solve many of the most pertinent issues surrounding identity management today.
The SelfKey Identity Wallet is a free identity solution for Windows, Linux and Mac. Get yours today!
What is Identity Management?
Identity management is rarely taught in a formal setting. Instead, we develop an identity over the course of our lives and begin managing that identity through formal documentation. Life experience teaches us when to carry our passport for example, and we quickly learn about the hassle of replacing lost or stolen identification documents.
As a result, we store our physical IDs in a safe place and make sure to renew them on time – while of course paying the required fees to the centralized issuing authorities. Up until about 25 years ago, this approach to identity management was completely sufficient. Business transactions were primarily done in person, so it was just a matter of passing your documents over the counter in most cases. Now in 2019, that simply isn’t the reality anymore and the old system is no longer fit for the purpose.
With the advent of the Internet, we’ve had to start thinking about how we manage our digital identity. This concept encompasses every piece of personal data about us available online. The internet has become such an integral part of our lives that the large majority of us now has a rich and detailed online profile.
This has been caused by increasing international regulation which forces companies of all sizes to identify their customers – often requiring copies of IDs or Passports – before doing business.
But there’s a problem: these documents are physical and not designed to be shared electronically – and the attributed and identity claims of the documents cannot be shared individually (in order to prove your nationality, you must send a passport scan (with details such as date of birth and passport number) instead of *just* proof of your nationality.
This is kryptonite for thoughtful and secure identity management.
Let’s look at the failure of current identity management in more detail.
How is modern identity management failing?
1. Businesses lack the resources to safeguard our information
In the fight against money laundering and terrorist financing, regulators force businesses to store highly personal user information. Naturally, most businesses do not have the resources to adequately safeguard our information.
Furthermore, this imposes huge costs on businesses and enormous pain on consumers, but the bad guys end up winning!
For hackers, the prospect of vast amounts of personal data stored in a centralized infrastructure is an attractive proposition. Centralized databases are the default architecture for web platforms – but when breached, represent an enormous prize.
After a breach, the data is then sold off to the highest bidder. In January 2019, renowned security expert Troy Hunt revealed that a “record-breaking collection” comprising 773 million personal records was being sold off on a popular hacker forum.
This example helps to illustrate that – in the internet age – our identity can be stolen without the need for malicious actors to enter our homes or steal the physical copies of our documents. Instead, we risk identity theft whenever we open a new online account.
Here are the ten biggest data breaches of 2018, which help to illustrate the danger:
- Aadhar – 1.1 billion
- Marriott Starwood Hotels – 500 million
- Exactis – 340 million
- MyFitnessPal – 150 million
- Quora – 100 million
- MyHeritage – 92 million
- Cambridge Analytica – 87 million
- Google+ – 52.5 million
- Chegg – 40 million
- Facebook – 29 million
According to Experian, 31% of all data breach victims later experience identity theft. That’s a staggering amount and it testifies to the fact that modern identity management is indeed broken. If the system worked, we could expect to never suffer identity theft. Instead, 60 million Americans have suffered identity theft as of 2018.
2. Current implementations of Identity Management systems rely on a centralized infrastructure
Depending on where you live and where you want to travel, even your infant may need to possess a valid passport. As we grow older, we typically receive a driver’s license, social security number, and insurance cards as well. When we apply to rent our first flat or open our first bank account, we begin to realise that these identification documents play a vital role in our adult lives.
Indeed, they represent an intrinsic part of our personal identity, a concept treated as a basic human right in international law. Therefore, to participate in a functioning society we are required to apply, pay for, receive, maintain and carry with us, centrally issued documents verifying our personal information. Many countries have even introduced laws that require citizens to identify themselves on demand, de facto requiring the possession of identification documents at all times.
Worryingly, this gives governments a huge amount of power over us as individuals. If your government rescinds your passport or is too inefficient to supply a new one, you are excluded from many vital services. Despite this obvious shortcoming, we’ve had to accept this as a necessary evil.
Until 2008, there simply wasn’t a good way of achieving consensus and recording an accurate history in an immutable way without relying on a central authority. However, with the introduction of blockchain technology that premise can be dismissed.
Blockchain is already causing a paradigm shift and many platforms – like SelfKey – are using its power to fundamentally change the way we manage our identity.
3. It requires the oversharing of personal information
Have you ever noticed how identity verification always requires you to share more data than is necessary? In its simplest form, you can imagine buying alcohol and being asked to show your ID.
In this case the relevant information is:
- Photo – to verify that the document correlates with the person making the purchase
- Date of birth – to verify that the customer is of legal drinking age
These two data points should be completely sufficient in order to purchase alcohol. The reality, however, is that we need to hand over our ID, Passport or Driver’s License, which contains much more information than that.
Below, you can see a typical US Driver’s License which details:
- The full legal name
- Date of birth
- Current residence
- Eye color
- Hair color
- Document number
Now you might be thinking: “What are the chances that the person selling alcohol over the counter is recording all this information?”
In an online environment the likelihood is 100%. Businesses are required to record the information you provide during the identification procedure for KYC and AML purposes.
This is where the big problem arises.
When a hacker breaches a centralized database then he often gains access to all the customer data – including your personal data. Given the extensive information available on your driver’s license, it now becomes much easier to steal your identity. This is one of the reasons why identity theft is one of the fastest growing crimes in the world.
In order to counter this, we need an overhaul of modern identity management systems.
What are Decentralized Identifiers?
At a high level, DIDs utilize the innovations of blockchain technology and allow you to create and manage a resolvable identifier. That identifier can then help prove your identity online.
Additionally, you can think of a DID as always having these four characteristics. It is:
- Globally resolvable
- Cryptographically verifiable
Importantly, you create your DID and retain full ownership and control of it. This means that nobody can access it without your permission, and it cannot be rescinded by a central authority. This is just one important aspect, but many more exist. DIDs also aim to provide:
- Decentralization – DIDs should eliminate the need for centralized authorities or single points of failure in identity management. Instead, the individual should have full control over his identifier which can be powered by an open and decentralized network of nodes.
- Self-Sovereignty – DIDs should give individuals and organizations the power to own and control their digital identifiers. The reliance on central authorities should be broken.
- Privacy & Security – DIDs should improve the level of privacy and security that users enjoy online. They should assist with the ability to selectively disclose data that is associated with your DID and help users manage private keys as well as authentication mechanisms.
- Interoperability – DIDs should work across blockchains, software libraries and mainstream protocols.
- Simplicity – DIDs can assist in providing a user friendly experience by managing authentication mechanisms including key verification that can eliminate the need for a password.
With these goals in mind, let’s take a closer look at how DIDs work.
How does a DID work?
From a technical perspective, a DID is a string which contains several attributes that can uniquely define a person, organization or object. As you would expect, it uses cryptography and key pairs to secure information and handle permissions.
From a user perspective, the use of a DID to access service providers would involve three parties:
- An Identity Owner – the individual aiming to prove his or her identity
- A Claims Issuer – a third party authorized to verify credentials (like a notary or justice of the peace)
- The Relying Party – the service provider accepting the issued claim
The identification process might look like this:
- User creates DID
- A claim issuer (could be a Certifier) issues a claim to that DID
- A claim object is created and shared privately to the Identity Owner
- A Hash of the claim object is stored on-chain
- The identity owner shares the DID with the Relying Party
- The relying party resolves the DID and retrieves the necessary claims
- This could require a request of the explicit claim object, or a check against the on-chain hash might suffice, depending on the case.
- The user is accepted and can access the service provided by the relying party
As you can see the flow of this identity transaction broadly follows that of existing identity systems.
The key difference is that DIDs are not issued and controlled by centralized authorities but instead remain under the control of the individual.
What does a DID look like?
In the wild, a DID looks like this:
Let’s break it into three important parts:
- Scheme – The scheme specifies how the DID is constructed. The “grammar” that corresponds to a DID according to some specific method (different DID platforms might define different methods with their own scheme and specs). Importantly, a DID is a form of URI or Universal Resource Identifier (a URL is another type of URI, for example). So, the scheme is part of the method specs and defines how a DID looks. In our case, we append our method name (“key”), followed by a colon and a 32 byte hexadecimal value.So, for example, a SelfKey DID looks like this:
- Method – A DID method refers to the particular platform that provides the DID functionality. Our method, besides specifying the particular scheme in the previous example, also defines the basic operations for DIDs (creation, removal, update and deletion). All of these among other details are defined in a Method specs document. All DID methods should follow the generic DID specs as defined by the W3C Credentials Community Group.
- DID Method Specification – is a document, encompassing all the aspects of a DID method (including its scheme).
Why should you care about Decentralized Identifiers?
DIDs introduce a number of important innovations to modern identity management. But why should you care?
1. DIDs allow you to own and control your digital identity
In the 15th century, King Henry V issued the first official passport. In the 600 years that followed, governments around the world took control over large parts of our personal identity. We take it for granted that bureaucrats issue, renew and revoke vital identification documents, without which we cannot participate in modern society.
In the digital sphere our identity is managed by the plethora of platforms which house our online accounts. Whenever you sign up for a new service, that company now de facto owns a significant part of your digital identity. This is amplified when you use Facebook or Gmail to access online services. In these cases you have no control or insight into how much data is shared and what is done with it. In order to participate online, you have to give up control over your personal data.
Decentralized Identifiers have the power to change that. For the first time, we can manage our own credentials and create a permanent cryptographically verifiable record of our own identity.
Within the framework of identity management this concept is called self-sovereign identity (SSID). In SSID systems, you control your digital identity, composed of DID’s and verified credentials. This allows you to create, update, or destroy the DID at any point!
There is no need to stand in line in some government building. You do not need to pay a fee to have it renewed. It cannot be taken away from you. It’s fully under your control, at all times.
You truly own your identity. You control your destiny, and as you’ll see in the next point – you are much safer as a result.
2. DIDs enable decentralized identity management
DIDs utilize blockchain technology to provide a decentralized identity management layer. The Ethereum blockchain for example, is a global and immutable database on which anyone can store information. Importantly Ethereum allows for turing complete smart contracts that (specific to identity) enable you to create, update, or destroy your identity, as well as manage keys.
Decentralized identity systems harness these capabilities and leverage them to secure and decentralize our digital identity. As a result, we remove the power of centralized authorities and corporations to manage our identity. Instead, we regain control over our data and are in full control over who has our data, when and from where they access it, and for what purpose. A far cry from the ID management of the past.
3. DIDs enable lightning fast registration
Even if you’re not concerned with privacy and security, DIDs pose an exciting development, because they enable lightning fast registrations.
The average adult has over 90 online accounts so we all know the pain of registering for a service. Tedious identification procedures, customer support tickets and forgotten passwords are just a few of the hallmarks of our current ID systems.
When signing up for a financial service it’s now common to complete a rigorous identification procedure. Depending on where you are located this may include your:
- Email address
- Personal details
- Passport/ID scan
- Proof of address (Utility bills for example)
- Live video identification
- Sanctions screening
Not only is this invasive of our privacy but it’s also time-intensive. In a world where we can communicate with people all over the world in seconds, why does it take so long do register for an online service?
DIDs offer a solution for this. More specifically, your Decentralized Identifier can contain the information service providers need in order to accept you on to their platform. So instead of a lengthy registration period, you could access service providers with the click of a button.
4. DIDs open the door for Verifiable Claims
Verifiable Claims are another fascinating breakthrough in the world of identity management. In the example provided above, we discussed how invasive a regular identification is – for a purchase as mundane as alcohol.
It should be possible to prove certain aspects about ourselves without having to share precise information. The significant oversharing of data is something that Verifiable Claims – with the help of DIDs – allow us to eradicate.
In order for this to work we need three parties:
- The identity owner – the person buying the alcohol (you)
- The claims issuer – a third party authorized to verify credentials (like a notary or justice of the peace)
- The relying party – the liquor store (the service provider accepting the issued claim)
Together these parties have the power to make informed decisions while respecting the privacy of the individual. As an example, you could imagine a notarized document that contains a picture of the individual and verifies a relevant claim: “FULL NAME is above the age of 21”.
If the liquor store accepts the legitimacy of the claims issuer, then it now has all the required information to sell alcohol to the individual. In a nutshell, that’s how Verified Claims work.
Decentralized Identifiers allow us to easily store, manage and submit verified claims. Even more impressively, the interoperability of DIDs would allow individuals and organizations to prove their identity across (almost) all blockchains, software providers and web apps.
Conclusion – What does the future hold?
Decentralized Identifiers clearly have a huge amount of potential and are already changing the way we think about our digital identity.
At SelfKey we are leveraging new breakthroughs to improve the privacy and security of our community. The SelfKey Wallet takes a first important step towards self-sovereign identity, allowing you to manage your identity documents securely on your local device.
With the launch of the Incorporations category of the SelfKey Marketplace, we’ve taken another significant step by developing a platform that provides easy access to an array of service providers and a vastly improved onboarding experience by using your SelfKey ID to directly submit data and documents without requiring a 3rd party platform.
The SelfKey Foundation has always been open source and we carry that philosophy with us. As a result, we will be publishing our own public DID method and specifications and will continue to contribute to the many positive developments in the digital identity ecosystem.