-
The centralized digital identity model is obsolete -
Towards a decentralized digital identity -
How does it work? -
Global and open-source standards
The question of identity, identification, and authentication varies significantly across the globe, depending on one's personal and geographical circumstances. While approximately 1 billion individuals lack the ability to prove their identity due to institutional failures, the remainder of humanity appears unable to safeguard their own identities for commercial and financial reasons (surveillance capitalism), or for political and security reasons (Anti-Money Laundering and Combating the Financing of Terrorism - AML/CFT).
The term "digital identity" typically refers to "the ability to securely use one's identity attributes to access a set of resources." However, it is clear that security is severely lacking in the digital identity systems in question, and that a single vulnerability, sometimes human, can jeopardize the data of millions or even billions of people. Since 2013, more than 13 billion email accounts have been compromised, and in January 2024, 12 terabytes of information, comprising a compilation of 26 billion personal data points distributed across 3,800 folders – each corresponding to a specific data breach – were freely accessible online.
When an individual interacts with a digital service, such as social media, health insurance, banking, music or video streaming, e-commerce, gaming, file storage, or food delivery, they create an identifier, provide an email address, sometimes a phone number, and enter their name and a password for authentication. Depending on the type of service, the user may be required to provide additional information, such as a postal address, date and place of birth, social security number, a copy of a passport or ID card, a tax return, or an insurance certificate.
Each interaction with a new online service is an opportunity to disseminate more personal information.
According to a 2020 study by NordPass, cited by CNN, an individual at that time had around a hundred online accounts. However, just two years later, a global study by Dashlane estimates that a person now uses 240 online accounts. It turns out that this method of identification and authentication online is flawed by design, as the public hypertext system invented by Tim Berners-Lee and Robert Cailliau in the 1990s was never intended for this purpose.
The centralized digital identity model is obsolete.
The principle of online identification currently relies on the fact that online services collect the personal data of their customers, patients, constituents, graduates, citizens, etc. This is known as a "centralized" digital identity model, in which a person's identity attributes are managed in a single location by an entity that is responsible for their collection, security, and authentication – and for which this is often not their primary business. In addition to avoiding the use of the same password for dozens or hundreds of different services, each individual must also trust this entity to protect their personal information and ensure that their identity is used appropriately.
However, this model suffers from a lack of transparency, a lack of user control, the potential for mass surveillance, and, above all, the risks to privacy and data protection due to its high vulnerability, with each online service constituting a point of failure. The current model has therefore become obsolete. Data theft, identity theft, undue surveillance, and the costs incurred by such systems have long been of interest to engineers and cryptographers.
Towards a decentralized digital identity
In contrast, decentralized digital identity is a system that allows anyone to personally store and manage the attributes of their identity, issued by third parties (issuers), and to share them autonomously, selectively, and sometimes anonymously with other third parties (verifiers) in order to use their services, thereby regaining a form of individual sovereignty that has tended to disappear with the digitization of society.
A decentralized digital identity system, sometimes called "self-sovereign identity," proposes to reverse the current model based on authentication and access control managed by a single organization, towards a tripartite model based on a collection of verifiable attestations that constitute a person's digital identity.
This concept is based on the idea that each individual should have exclusive control of their digital identity, without depending on a central authority or a trusted third party to identify or authenticate themselves.
Decentralized digital identity is centered on the individual and is based on the principles of sovereignty, portability, and security. The decentralized identity model requires that a person personally holds a software program called an "identity wallet." This is a digital service, an application that allows the user to hold and manage one or more "decentralized identifiers" (DIDs) and to receive "verifiable credentials" (VCs) associated with these identifiers.
These verifiable credentials are the digital equivalent of printed documents, such as a driver's license, which attests to our ability to drive a vehicle, or a university degree, which attests to a level of education. A credential described as "verifiable" provides an online, privacy-respecting mechanism for cryptographically representing these documents so that they are extremely difficult to forge and can be easily verified using a computer program.
The decentralized identity model involves the interaction of three entities:
-
The holder is an entity, such as a student, a person, an employee, who acquires and maintains one or more decentralized identifiers (DIDs) according to their needs and the services they wish to access.
-
The issuer is an entity, such as a company, an NGO, a government, a university, a club, that certifies certain fields of this identity by electronically signing the verifiable credentials (VCs): name, age, country of birth, bank accounts, membership, etc. These fields are not necessarily all present in a single DID, and a person will have many different DIDs. For example, a civic DID can encode a person's civil status, while a bank DID can encode information related to an account number. Based on a DID, its holder can generate a verifiable credential, which is a statement of fact about one or more fields of the DID, which remain secret. For example, based on a civic DID, a person can provide proof of age without revealing their exact age. Based on a bank DID, a person can prove their solvency without revealing their name or the amount in their bank account.
-
The verifier is an entity, such as an employer, the police, or a service, that receives a verifiable credential and checks it using the "zero-knowledge proof proof verification technique" (ZKP). This cryptographic technique allows one party (the holder) to prove to another party (the verifier) that they have certain characteristics or that they have performed certain actions, without revealing any other information than the strict minimum. Instead of presenting an ID card with their name, first name, date and place of birth, height, place of issue, etc., a person generates and presents a verifiable credential about their age, which they present to a third party who, when verifying it, will have access to no other information than a "yes" or "no" answer to know if this person is over 18 or 21 years old.
The generic term "decentralized identity" encompasses all identity systems whose control does not depend on a single entity. Among them, one variant emphasizes autonomy and user control: self-sovereign identity (SSI). Born in the 1990s, this concept is rooted in the cypherpunk community, a term coined from cipher, encryption, and cyberpunk, a genre of science fiction focused on information technology and its impact on society. Cypherpunks advocate strong cryptography and the use of decentralized technologies to protect fundamental freedoms such as the right to privacy and the right to anonymity, particularly in the face of intrusion and surveillance of private communications by governments and businesses.
Among the great figures of this community are Timothy C. May, author of the "Crypto Anarchist Manifesto" in 1988, Eric Hughes, author of the "Cypherpunk's Manifesto" in 1993, Phil Zimmermann, American cryptographer, creator of the Pretty Good Privacy (PGP) encryption software in 1991, Julian Assange, co-founder of WikiLeaks in 2006, or Hal Finney, American software engineer and cryptographer, one of the first developers of the Bitcoin protocol. Their movement works on the security of electronic communications, the invention of anonymous communication systems, the implementation of digital signatures, and the development of encryption software.
In the 2010s, self-sovereign identity gained popularity with the emergence of distributed ledger technologies such as blockchain, which provided the infrastructure for its implementation. On May 21 and 22, 2015, at the IEEE Symposium on Security and Privacy Workshops (SPW), an important event organized each year by the Institute of Electrical and Electronics Engineers (IEEE), Guy Zyskind, Oz Nathan, and Alex "Sandy" Pentland presented a method inspired by Bitcoin and blockchains in a proposal entitled "Decentralizing Privacy: Using Blockchain to Protect Personal Data" and according to which "personal data, and sensitive data in general, should not be entrusted to third parties, as they are likely to be attacked and misused. On the contrary, users should own and control their data without compromising security or limiting the ability of businesses and authorities to provide personalized services."
Global and open-source standards
The idea of implementing a protocol that transforms a blockchain into an automated, trustless access manager, while ensuring that users possess, control, and manage their data, gradually gained global momentum. This movement brought together developers, researchers, designers, activists, artists, and informed citizens, with the aim of rethinking the way trust is established and verified on the internet. The Decentralized Identity Foundation (DIF), a non-profit organization founded in 2016, was one of the main drivers of this movement, along with events and workshops called "Rebooting the Web of Trust" initiated in 2017, and the Trust over IP Foundation (ToIP), a non-profit organization created in 2019.
On April 29, 2016, renowned cryptographer and cypherpunk Christopher Allen published an article entitled "The Path to Self-Sovereign Identity," in which he detailed the ten fundamental principles of decentralized identity. These principles would have a profound influence on the development of projects and initiatives in this area. "Users must have an (1) independent existence that is not controlled by a single entity. Users must have (2) control over their own identity and personal data. Users must have (3) access to their own identity and personal data. Identity systems must be (4) transparent and understandable to users. Identities must be (5) persistent and durable over time. Users must be able to (6) take their identity and personal data with them when they change service providers. Identity systems must be (7) interoperable and work together seamlessly. Users must give their (8) informed consent before their personal data is shared or used. Identity systems must (9) minimize the collection and storage of personal data. Identity systems must (10) protect users' personal data against data breaches and abuses."
In June 2019, the W3C, a non-profit standardization organization responsible for ensuring the compatibility of World Wide Web technologies, published the "Decentralized Identifiers (DIDs) v1.0" specification as a recommendation, which was updated on July 19, 2022. This specification defines a data model and syntax for decentralized identifiers, which are unique and persistent identifiers for entities (people, organizations, objects, etc.) that do not depend on a central authority.
Anyone who has entered a website's address into a web browser will recognize the principle of "http," which stands for HyperText Transfer Protocol. "http" is the URI (Uniform Resource Identifier) scheme, the standard identifier format for all resources accessible on the World Wide Web, including URLs (Uniform Resource Locators), which indicate the location of a resource on the web. "DID" for Decentralized IDentifiers is, in a similar way, the scheme of a standard identifier format for "decentralized identifiers" that can designate people, things, objects, or any other entity.
Concretely, it is a string of text and numbers composed of three parts: the identifier of the DID URL scheme, the identifier of the DID method, and finally, the decentralized identifier itself. These decentralized identifiers are a new type of identifier that enables the implementation of a verifiable and decentralized digital identity.
A decentralized identifier (DID) can be seen as a link that points to a complete document containing the cryptographically protected fields of the DID. This document is stored in a verifiable data registry (VDR), which can be centralized, distributed, or decentralized in nature.
In the future, we will likely have hundreds or even thousands of DIDs, each of which will provide a private, encrypted channel with another person, organization, or object. There will be no central registration authority, as each DID will be registered directly by a person, ideally on a public blockchain, to make the VDR as uncorruptible as possible.
Using their DIDs, stored in an identity wallet, a person can prove, through the use of verifiable credentials (VCs) that they select, what they know (e.g., a diploma, a professional license), what they have (e.g., a bank account, citizenship), what they own (e.g., land, a vehicle), who they are (e.g., height, weight, age), and what they do (e.g., current or past employment). However, they no longer need to send copies of personal documents, such as diplomas, passports, or income statements, which can be disseminated in a haphazard manner. Instead, they have all of their DIDs in their identity wallet, which they can use to generate, on a selective and temporary basis, VCs to present to identified actors who can cryptographically verify their authenticity.
The concept of identity refers to a dual recognition, both of oneself and by others. Being in the world and being part of society do not necessarily overlap, as evidenced by the "invisible" people referred to by the United Nations, and the fact that, according to a 2023 UNICEF report, "one in four children under the age of five does not officially exist." The ability to prove one's identity is essential to "the ability to enter into relationships."
Decentralized identity systems are extremely immature and have not been deployed on a large scale anywhere. Although there are common standards, the diversity of methods currently prevents their interoperability, which is slowing down their adoption. To be effective, their adoption should be massive and simultaneous by individuals, businesses, and governments. However, this is not the case. The sustainability of the underlying infrastructure, such as distributed ledgers, is also essential to ensure the availability and reliability of decentralized identity models. There are countless questions, most of which remain unanswered.
However, these systems are infinitely less expensive to deploy and are much more secure than traditional centralized identity systems. They are also the only ones that offer a return to individual digital sovereignty. Everyone and the world as a whole would benefit from it, except for those whose business model is based on the trade of personal data without the knowledge of the individuals involved.
Cover Image credit.