Authors: Andy Chen, Hitesh Joshi
Edited by: Kishore Bhatia, Jacob Ko, Jad Chahine
Many thanks to industry contributors: Junius Ho (Affinidi), Stepan Gershuni (cyber•Fund, prev. Affinidi), Angelo Alessio (build_cities), Billy Luedtke (Intuition), LJ Huang (EthSign), David Phelps (JokeRace).
Don’t have time to go through this entire report? Here’s a TL;DR:
Human identity initially began in a physical format, evolving from reputation (word-of-mouth) to paper credentials (citizenship, passports, birth certificates).
With the rise of the internet, identity moved to the digital world. New systems like username / password, federated identity, and SSO were developed to authenticate, represent individuals, and enable users to transact with one another online.
While these systems enabled users to interact with the web, they also brought a new set of concerns surrounding data centralization, data honeypots, security risks, and proof-of-personhood challenges. It’s clear that the identity solutions that exist today have room for improvement - so what’s the next evolution of identity?
Up-and-coming self-sovereign identity (SSI) systems provide an internet-native approach to identity that emphasizes ownership, privacy, persistence, and portability across the web. Companies like Intuition, W3C, and Dock.io have implemented novel approaches to SSIs.
While there are many approaches to architecting SSIs, we believe the inherent features of blockchain (decentralization, openness, and ownership) make it the perfect foundation to build SSI systems & solutions.
Stay tuned for Part II in the future, where we will go through the state of the identity landscape in Web3 today.
In this first part of our series on identity in Web3 we will take you through a brief history of human identity and its evolution from physical to its most current digital form. We then cover the challenges with the current state of digital identity and finish up by describing what the next evolution of identity requires - something fit for purpose with the digital age, an internet-native identity… a self-sovereign identity.
Human identity is a multifaceted and complex concept that encompasses an individual's unique characteristics, attributes, and experiences. It provides individuals with a sense of belonging, a framework for understanding how to interact with society, and a basis for forming relationships.
Historically, identity was often linked to reputation within smaller, more intimate communities, such as family, clan, tribe, religion, or region - hence the phrase, “your reputation precedes you.” As societies grew in complexity and size, the concept of identity expanded, incorporating factors like nationality, ethnicity, and eventually more nuanced individual traits. This evolution has been shaped by societal structures, cultural shifts, and most recently by technological advancements, particularly in the realm of digital identity in the internet age.
Today, identity changes with context, adapting to the social, financial, medical, workplace, and regulatory contexts that individuals navigate:
Socially, it underpins group cohesion and dynamics
In Medical and Financial realms, it ensures accurate record keeping, authentication, authorized access, trustworthy transactions, and privacy given information sensitivity
Professionally, it establishes credibility, accountability, determines roles and responsibilities, and enables the creation of professional social graphs
In Governmental and Regulatory contexts, identity is formally established and verified through official documents such as birth certificates, passports, driver's licenses, voter IDs, and professional licenses. Though most of these documents are paper-based, software systems backed by connected databases are slowly transforming identity systems through digitization across the globe. Examples of heavily digitized governmental systems are Singapore’s NRIC/Singpass, India’s Aadhaar, Belgium’s EU and EU+ Card and Itsme®, and The Netherlands’ DigiD.
This shift has streamlined administrative processes, improved user experience, and facilitated user engagement with public and private services online.
One of the largest shifts in the concept of human identity came with the advent of the internet. Suddenly we were able to access information, interact with others, and transact from the comfort of our homes – these experiences are all tied together by our Digital Identity.
Digital Identity involves the representation of an individual's attributes, credentials, affiliations, and information that uniquely identifies them in electronic form.
The prevalence of digital identities can be traced back to the original architecture of the internet, which was initially created as a medium to exchange information through a series of static web pages, dubbed the “read-only web” by Tim Berners-Lee. Digital identities during this time were mostly about authorized access: allowing website owners to create & update content, or allowing users to read that information.
To enable internet users to transact with privacy, companies created centralized databases to track usernames, email addresses, etc. in order to authenticate who was writing to their respective web platform. This evolution is what we commonly refer to as ‘Web2’ today – a user-generated internet. This transformation was necessary for online social interaction, e-commerce, and various digital services. To function, there needed to be ways to uniquely anchor contributing individuals to digital identifiers and their credentials.
To solve this problem and track individuals across the internet, companies set up databases that provide users with a unique identifier and attribute any relevant credentials to that identifier. There are two main components to digital identities:
Identifier: a unique set of characters in a database that identifies a user (e.g. email address, username, account number, SSN, etc.).
Credentials: provide authentication that a user “owns” the identifier (e.g. passwords, security questions, 2FA, etc.) and the data that provides context around their identity (e.g. financial history, credit score, posts, likes, comments, browsing history, etc.).
The model of identifiers and credentials works very well; however, its implementation in existing identity systems leaves a lot to be desired. The main problem is that these identity databases are often siloed and managed by one entity – the platform operator is the ultimate arbiter of identifiers, credentials, and interactions within its platform.
Recognizing the UX problem of siloed logins, Web2 companies like Google, Facebook, and hundreds of others started employing federated identity systems and frameworks like OAuth 2.0 and OpenID Connect. Federated identity systems allow users to access multiple services with a single set of credentials, thereby simplifying the user login experience and enhancing security by reducing the proliferation of login credentials. For example, OAuth, a cornerstone of the Web2 identity management landscape, enables single sign-on capabilities by allowing users to grant third-party applications limited access to their identity-related resources without exposing their login credentials. Furthermore, systems like Apple ID have even implemented single sign-on in a privacy-preserving manner.
However, even with the help of federated identity systems, digital identities remain platform-specific, with the platform staying sovereign over them. Federated identities only help prove that you own an account, making account creation and login easier. Any relevant additional credentials that provide context about an individual (profile picture, credit score, SSN, passport number, etc.) must be manually input each time an individual creates an account on a platform.
Although federated identity management reduces the risk of password-related security breaches and improves UX, we believe this doesn’t solve the fundamental problems of identity on the internet.
While it may seem like we’ve come a long way over the last 30 years, today’s identity solutions still face a myriad of problems driven by the fact that they were bolt-ons created to address limitations with Web1 (read-only). The main challenges:
Data centralization: Some of the largest software companies today (Google, Facebook, X, TikTok) hold a significant amount of user information and control over an individual’s digital identity on the platform. They wield undue power and can monetize user data for their own benefit, raising issues related to data privacy, data monetization, and deplatforming. Data centralization leads to several key problems plaguing identity on the internet today:
Entity-Centric
Third-party ownership
Terminable
Censorable
Permissioned
Siloed
Not truly private
Non-interoperable
Data honeypots and security risk: While companies strive to ensure the security of their identity management systems, these systems are data honeypots and a target for sophisticated hacking attempts. Instances of data breaches have raised questions about the vulnerability of user information even within well-established and widely used platforms. One notable breach at 23andMe left millions of users’ ancestry and DNA data compromised. The security of your private information is only as good as the platform protecting it, and with each company managing its own database of user information under different security practices, hackers have a plethora of options for reaching similar sets of data.
Proof-of-Personhood: Most websites are stuck between a rock and a hard place. They need some way to prove that there’s a unique human behind the account, but they cannot ask for privacy-invasive information (SSN, driver’s license, passport, etc.) to prove that. Can you imagine if Twitter required you to share your driver’s license or social security number to create an account?! Without proof-of-personhood layers, platforms are susceptible to malicious actors that can take advantage through Sybil attacks, vote manipulation, spam, bots, and other attack vectors – which will only become more prevalent in the age of AI. This becomes even more critical when it involves government, financial, and other important societal functions. It’s clear we need a way to enable users to prove they’re a unique human in a private and seamless manner without disclosing intimate information!
Existing digital identity systems utilized by most applications today are not fit for purpose. They are stop-gap measures put in place to handle more features and experiences being built out. Thirty years after the internet’s emergence, it’s clear that we need an identity system for the internet-native age.
Self-sovereign identity (SSI) proposes an internet-native approach to digital identity. It utilizes properties of decentralization to provide users sole control over their digital identity without dependencies on any third-party entities. Examples of SSI solutions include Affinidi, Dock, and Intuition.
This new system, comprising issuers, holders, and verifiers anchored to a public ledger, enables a platform-neutral, interoperable identity.
Additionally, the structure of identifiers and credentials has evolved under SSIs:
Decentralized Identifier (Holder): A unique identifier representing the individual behind the digital identity. Its key properties are that it is registered to a decentralized database instead of a centralized one, carries perpetual proof of ownership, and can hold credentials instead of being tied to them. For example, a wallet address on Ethereum is a decentralized identifier because it is a unique 0x address registered to a decentralized database (Ethereum) and can receive and hold verifiable credentials.
Verifiable Credentials: a digital certificate (NFTs, SBTs, tokens, etc.) representing statements about a user that provide context to their digital identity and can be verified independently of the issuer. These statements can range from university diplomas, passports, and financial history to things like being a fan of an artist! While there are many approaches (EthSign, Polygon ID, KILT Protocol), VCs typically involve three parties:
Issuer: entity that issues the credential alongside a cryptographic proof of the issuer (e.g. government, businesses, and educational institutions).
Verifier: actors that produce proof that the credential is accurate and/or check that the cryptographic hash of the credential corresponds to the correct issuer. In an ideal SSI system, any party would be able to verify a credential – this could be a government institution, employer, application, etc.
Holder: the digital representation of an individual or entity that receives and holds verifiable credentials. On blockchains, holders take the form of a wallet.
Now that we understand how SSIs work, what infrastructure should this system be built on? A big clue in the diagram above was the foundational ‘public ledger’ layer. While there are ways to architect SSIs without a blockchain (e.g. KERI), it’s our belief that blockchain infrastructure, and Web3 in general, is the perfect foundational layer for SSI solutions to be built on.
Earlier we discussed the internet’s evolution from “read-only” to “read-write” and the associated development in digital identity due to that leap. We believe the next step in the internet will be “read-write-own” powered by blockchain technology. Blockchains are inherently ownership-centric, making it easy to build an identity system that is also default owned by the user.
The value of self-sovereign identity ultimately comes down to shifting existing identity platforms from entity-centric to user-centric.
Let’s go over a few of the key features of SSIs and why blockchains are the perfect foundation for an internet-native identity layer:
Ownership: users should have full control over their personal data, allowing them to freely monetize their data, selectively share information, and more. Blockchain wallets allow users to hold and own credentials in the form of NFTs, SBTs, tokens, etc.
Persistence: similar to our IRL identity, a true digital identity needs to exist in perpetuity. A self-sovereign identity system needs to be built upon a long-lasting foundation where holders can trust that their digital identity won’t suddenly disappear one day – we believe blockchain is the solution to persistence. By utilizing incentives, cryptography, and consensus mechanisms, blockchains are designed to function as immutable databases that exist as long as nodes are running.
Censorship-Resistance: strong resistance against a third-party taking away your freedom to interact with the internet. Since the majority of accounts and identities are registered to centralized databases, users have no control over what happens with their identity and their access to platforms. Blockchains operate as a decentralized database and computing network; thus, enabling the creation of censorship-resistant identities, apps, and protocols.
Permissionless: creation and use of a digital identity should be available to everyone. The open nature of blockchains allows anyone with internet access to create a wallet and begin interacting with dApps and other users.
Portability: The current internet landscape consists of a series of siloed logins – leading to individuals having to track logins for each application they use. From first principles, logins are simply a method for applications to authenticate users. Web3 and SSIs flip this multi-login paradigm on its head by providing a perpetual method of authentication through wallets. Instead of users logging in to applications, applications log in to users by requesting that users sign a transaction proving who they are before interacting with the app - granting users one identity to rule them all, with no need to create separate accounts for each application. Anchoring an identity to a blockchain provides a canonical database of information, allowing users to seamlessly port their identity across different applications through their wallet.
Privacy-aware: Many transactions and identifiers we have today are private by default (i.e. healthcare documents, financial transactions, etc.); however, information is public by default on many blockchains. It will be paramount to incorporate features that give users full control over their level of privacy, letting them decide what to disclose to others, share with apps, or keep fully offchain. For example, when you show your driver’s license to purchase alcohol in America, you also reveal your birthdate, primary address, state of residency, etc., but the only information that needs to be conveyed is that you’re over the age of 21. Privacy layers utilizing ZK technology, FHE, and encryption, and balancing onchain vs offchain data, will allow users to selectively disclose verified information.
Interoperability: An identity system should be open with the ability to seamlessly integrate and communicate with different systems and platforms without users losing control. By building identity systems on blockchain, developers are forced to build on an established standard and public ledger, allowing other apps and services to easily integrate identity systems into their tech stack.
Blockchains enable us to assign ownership rights to users' information while onchain activity provides context-rich indicators of who we are through our VCs, transactions, social graphs, and wallet interactions. For individuals, this means a provable internet-native identity system that provides them full control over their representation online. For enterprises and institutions, this means verification of humanity while preserving privacy to prevent bots, minimize spam, interact with stakeholders at a deeper level, and more. Ultimately, identity solutions built with blockchain tech will give users greater control over their data, drive product innovation, and create better user experiences.
We’re not the only ones that recognize the synergies between blockchain and SSI systems. Many governments have begun trialing SSI systems across the globe:
The EU has been working on establishing an SSI framework called eIDAS, built on the EU's EBSI blockchain. eIDAS 1.0 launched as a digital identity but ultimately fell short because of criticisms around the ability of governments to deactivate IDs, and because its strong focus on government use-cases led to high barriers to entry for private-business use. eIDAS 2.0 will utilize blockchain to address these concerns by architecting the structure as an SSI system, with the goal of establishing a ubiquitous and flexible identity layer across public and private services.
In California, SpruceID partnered with the Department of Motor Vehicles (DMV) to pilot a program that digitizes driver licenses and grants individuals access via the DMV’s mobile app.
In Singapore, EthSign has integrated Singpass (Singapore’s official digital identity system) to enable users to seamlessly sign and execute legal documents with even the highest KYC requirements over the internet.
Beyond government use-cases, we’re excited about SSIs as the foundation for new and better markets and coordination. Here are some of the things we think SSIs could unlock that haven’t been fully built out yet:
Data marketplaces to allow users to directly monetize their data by selling it to AI companies, marketing agencies, research institutions, and more – instead of centralized companies capturing that value through their platforms. Some early efforts include Data DAOs on Filecoin and Ocean Protocol.
Decentralized advertisement enabling companies to create new GTM strategies centered around incentivizing high-quality users through airdrops, engagement campaigns, etc based on their credentials.
Social network: utilizing credentials to minimize bots, find community/groups of people that share your interests, and better recommendation algorithms to display content that’s the most relevant to you.
Combat fake news and misinformation by enabling credentials behind every piece of media. For example, a platform that allows consumers to easily see that a post on Twitter about COVID was created by an individual that has verifiable credentials of a Virology PhD from Harvard, numerous peer-reviewed research publications, and a lifetime of professional experience.
Brands understanding (high-context signals of onchain actions, NFTs/Tokens held in wallet, etc.) and interacting with customers at a deeper level (creating better content, better recommendation algorithms, loyalty programs, etc). Companies tackling this problem include JokeRace, IYK, and Bello.
One ultimate identity that provides a seamless login and registration on the internet
Trust layer in professional settings: proof behind freelancers’ claims, better hiring practices, education & cv credentials backed by their respective institutions.
P2P marketplaces with better buyer/seller reputation backed by trusted & provable credentials, proof of business, trusted reviews, etc.
Financial transactions: enable more regulated transactions to occur onchain like trading securities and other Real World Assets, business transactions, banking, payments and micropayments, etc.
Preventing Sybil and other malicious attacks over the internet in the AI age through identity layers ranging from onchain achievements to social profiles/interactions to biometric systems like Worldcoin.
DAOs: governance and voting mechanisms based on varying depths of identity and/or value provided to the respective DAO.
Health and medical records: enabling users to carry and seamlessly port their important medical data (allergies, vaccines, history) to any relevant parties. Users should also be able to opt-in to sharing data with insurance providers for better rates.
As you can see, there have been early signals of traction, but we’re far from inevitability. We’re confident that SSIs will usher forth a better internet, but upending existing digital identity systems won’t be easy.
The paradigm shift from Digital Identities to Self-Sovereign Identities will be a monumental change. At the very minimum, it necessitates the gargantuan task of migrating society and the internet to a new foundational model.
On the builder-side, we’ve seen tons of teams working on this for many years that have had to overcome issues of standards hell; nascent, unstable, and unscalable tech; privacy & security; regulatory risks and hurdles; lack of education & awareness; etc.
On the user-side, one of the primary challenges is how SSIs shift more responsibilities over to the user in order to enable independence of their digital identity from any institution, platform, etc. YOU own your onchain identity now and you’re responsible for operational security, especially with regards to key management.
Of course, for mass adoption of SSI to occur we can’t expect users to manage all their keys themselves, so solutions need to be built out to make this seamless. Where are we today in addressing these challenges?
On the security-side, innovations in MPC, account abstraction, ERC-6551, app-specific wallet infrastructure, and more will be necessary to gain global adoption. Products like Affinidi Vault allow users to store and share personal information on their own edge devices, bringing security and control to the hardware-level.
On the UI/UX-side, we’re optimistic about the acceleration of application-level interfaces abstracting away the complexities of using and directly interacting with identity protocols.
Additionally, we’re likely going to see resistance from incumbents that have built their business models upon gathering user information (Google, Meta, etc). But as more users, governments, and companies build on blockchain, there will be an inflection point that will push SSIs to the forefront.
We believe blockchain technology will serve as the foundation for the next evolution of digital identity – self-sovereign identity. The current systems of digital identity produce serious concerns on both the user-side (data centralization and security risks) and enterprise-side (proof-of-personhood) of the internet. Blockchain-based SSI systems help solve these problems by implementing a user-centric approach through ownership, privacy, persistence, and portability. They enable individuals to perpetually prove their identity (via wallet) and dynamically provide context around who they are (credentials, onchain activity, and attestations). This will unlock new economic activities in the digital world – empowering people to create value online through many means, including financial, social, policy, education, and more.
For the internet to realize its full potential of enabling individuals and entities to seamlessly interact and exchange value between one another, especially within financial contexts, a robust identity layer needs to be established.
Stay tuned for Part II where we examine the landscape of identity solutions being built in the Web3 space – they aren’t all as straightforward or simple as Verifiable Credential issuers.