Decentralized Identity

Many critics of Web3 claim that there are few, if any, use cases of Web3 that surpass the benefits of a comparable Web2 company. It’s not the fault of critics - few have come close to demonstrating a vision of what the future of networks will look like. Just as it was impossible to see the impact of the Internet in the early 2000s, the same can be said for the impact of blockchain today. The technology is too early. Yet, those who dismiss it publicly (i.e., Steve Ballmer)  have continued to see their remarks as exemplary in what not to do: bet against the future.

As I came to reflect on where Web3 could step in to provide bona fide improvement over the current state of the Internet, I, too, was hard-pressed to come up with an example. For most, the onboarding onto Web3 is too tricky, the communities are gate-kept, and the technology is slow. Why would anyone leverage this technology over a reasonable Web2 counterpart?

I explored a set of pressing technological problems to find an answer. Starting with a problem-solution-based decision tree, I sought to answer the following: What is an issue we are dealing with today, and can we back-solve to a scenario where a blockchain-enabled solution is the most optimal path?

Enter: Decentralized Identity.

Problem Statement

Before we can jump into decentralized identity, we need to discuss why it is a topic worth discussing.

When trying to determine a valid use-case for Web3, solving the concerns around identity was one of the few ideas that could stand on its own legs. In this lens, the benefits of Web3 become more tangible without the gate-keeping and strenuous onboarding effort.

One area that the Internet failed to optimize for was digital identity. As I previously discussed, Web3 is remarkable in providing a native settlement layer for the Internet, removing the need for any middlemen.

For network actors on the Internet to interact with each other, digital identification needed to be solved. This was a natural place for service providers to play a role. Let’s take early eBay as an example. Before eBay’s integration and eventual purchase and spinoff of PayPal, the buying and selling experience was fraught with trust concerns. A buyer would purchase an item, send a check through the mail, and hope that the seller’s reputation would provide enough incentive for them to ship the item as promised. Businesses like eBay, and later, Stripe, PayPal, Affirm, etc., created information hubs to verify identity across Internet actors so that goods could be exchanged over the Internet. They helped to answer pressing questions:

1. [Buyers] Can I trust the service provider to deliver my order?
2. [Sellers] What is the likelihood I will be paid?

A native identity layer did not exist for the Web 1.0 Internet and was not solved during the Web 2.0 iteration, either. The solution is a bit of a hack: the problem supported a hub-and-spoke model, by which traffic and identity are facilitated through a trusted third party whose application layer lives atop the Internet. As such, these facilitators of commerce would take a fee for creating a standard of trust for unknown network actors.

We can summarize Web2 as middleman oriented. As the Internet Protocol has no built-in mechanism for managing identities, centralized intermediaries stepped in to provide identity management, capturing, tracking, and managing identities on privately-managed servers. Each centralized intermediary manages a proprietary identity management database, whether a social media platform, email provider, or online bank.

All these disparate service providers hold a piece of our identity on their servers. Each retains its individual security, format, and storage conditions, making it almost impossible to create interoperability outside single-sign-on providers like Google, Meta, or Apple.

Problems, Examined

There are a set of issues that I find the most pressing when addressing identity management through a centralized lens.

One such concern is a lack of control and sovereignty of our data. We become subject to the ethics and policies of centralized institutions that possess our information. If a company fails to live up to the terms of services for which any of us have agreed, there typically is limited to no recourse.

There are also concerns about fraud. Credentialing matters for just about every online merchant. There is a latency issue between when a purchase is made and when merchants learn that a customer’s private information has been comprised or stolen credit information was used to make a purchase. These were the same issues I dealt with when I ran an online store - the worst part were the chargebacks. Even if I refunded the order, I was still hit with a $35 processing charge for every fraudulent charge made on my site, even though I was just a vendor. The impact of this is enormous, to the tune of $36 billion a year, according to Fiserv.

The hub-and-spoke model even impacts the way we manage our passwords and accounts. The number of usernames and passwords we’ve created over the last decade is enormous - so much so that standalone businesses are made just to manage this digital footprint and credentialing problem. Fortunately, with the help of Google and Apple, the headache of managing, recalling, and inputting many of the passwords is an almost non-existent burden. Yet, this opens a vulnerability for us users. At any point in time, Google and Apple retain both the right and ability to revoke access to any of our accounts. This only compounds the issues of password management and reflects the fragility of our digital identity.

As an extension to the previous point, the companies that manage our username and passwords and those who possess any portion of our private, personal information (PPI) have put themselves at technological and reputational risk. As a honeypot of PPI, they indirectly invite hackers and other nefarious actors to focus on these bigger fish, as a single exploited vulnerability yields outside returns in terms of PPI.

While less of a technological and more of a philosophical concern, today's current identity management system only serves to centralize the Internet further. Referencing famed Internet analyst Ben Thompson, the powers accumulate to the aggregators. The hold that these aggregators possess, as in the case of Amazon or Walmart, only purports their network effects. Their robust data analytics and harvesting mechanics only better service us with finely tuned advertisements and profiling to generate more spending. The ability of smaller merchants to compete against such an engine is almost nonexistent, hurting competition and market entry for challengers in the space. After all, how can a start-up e-commerce site compete with Amazon knowing all your wants and needs from its enormous pile of user data?

Defining Identity

Before we can understand Decentralized Identity and define a solution to the problem set, we must define identity. Identity represents an individual’s/institution’s/objects sense of “self” characterized by a unique set of characteristics. These characteristics are often referred to as Identifiers. Some examples include one’s name, social security number, address, passport, date of birth, or phone number.

Though one’s identity can be intangible, it does not preclude it from being “managed.” Identity management covers the process by which “identifiers” or distinctive characteristics can be identified, authenticated, and certified.

Separately, identity management covers the secure holding of one’s social security card or driver’s license and extends to its footprint on the Internet. Referencing our first principle’s approach to Web3, the Internet was not created to be a native settlement layer. It was merely a network by which information could be created and shared broadly. As such, economic activity cannot be conducted without some form of our identity blueprint “shared” on the Internet.

The following list demonstrates the extent that we take identity management as given:

·Government-issued (birth certificates, passports, social security)

·Education-issued (diploma credentialing)

·Healthcare-issued (health care records, insurance information)

·Banking-issued (bank account data, banking records, KYC/AML data, credit card numbers, etc.)

Identity Types

There are a few monomers worth defining for our discussion of decentralized identity. The main components are identifiers, authentication, and credentials/claims.

Identifiers are the characteristics associated with a person, institution, or object. Some conditions of an identifier within this context are unique and persistent (unchanged) over time. A residential address (or Snapchat username) wouldn’t meet these qualifications, whereas a social security number (in most cases), a passport number, or a driver’s license number tends to work well.

Authentication (often through attestations) references the mechanisms required to prove identity. This could relate to ownership of the identification (e.g., social security number), secret knowledge (e.g., a pin), or personal characteristics (e.g., biometrics or physical signature). An extension of authentication is a username/password combination.

Lastly, we will assess identity through the lens of credentials and claims. These components are claims made by one entity about another. These attestations contain identifiers that reference a particular identity, allowing an owner to make claims about an attribute related to their identity. This could be a claim that you are over a certain age, legally allowed to drive, or conferred a four-year university degree.

An important note is that without unique identifiers linked to a person, institution, or object, then identity would be useless. An identity must be able to provide distinction.

Web3 Decentralized Identity

As we’ve discussed, the Web 2.0 Internet did not include a native identity layer, as it was optimized for the flow of information between computers, as opposed to people.

Given the problems highlighted by Web2 identity management, there is a clear use case for decentralized identity. Such a process would improve identity management standards and greater personal data control. Individuals would be able to make decisions about what type of information is shared with third parties and how. In short, a decentralized identity would allow any individual to *own* an identity (Web3: Read. Write. Own).

Three parties are required to implement a robust, Decentralized Identity System that puts a user at its center.

1. Identity Issuers
2. Identity Owners/Holders
3. Identity Verifiers

An identity issuer is any entity that provides some identifier to a particular identity owner/holder. An identity issuer (e.g., a trusted institution) would provide a claim or credential to an identity owner. The issuer then signs (writes) their attestation (authentication mechanism) to a distributed blockchain or data registry. Separately, an identity verifier could request proof that a credential presented by the identity holder is valid. The process would be to check (read) the attestation from the identity issuer to determine if the public-key signature matches the entry on the distributed ledger. The verifier would not need to see the claim/credential but merely trust that the signature on the ledger matched that which the issuer of the credential provides.

Recall that in most Web3 settlement layers such as Bitcoin and Ethereum, users must create a wallet from which they are given a public/private key signature pair. The public key acts as a username, and the private key acts as a password. The primary distinction is that only the owner knows the correct private key (assuming no theft) and can generate messages, or in this case, attestations, which are “signed” by the issuing party. There is no way to create a message signed from a different private key, making authentication of signatures a source of truth.

There is a lot to unpack here. A decentralized identity stem allows anyone to verify if an issued credential/claim is valid by checking the validity of a trusted issuer’s attestation. This all happens without having the identity holder reveal details of the claim or credential, preserving their PPI.

Let us use an example with an off-chain attestation. Say a recently graduated student from Stanford University needs to have his diploma verified by a potential employer. In this case, Stanford (the issuer) would generate an attestation (digital academic transcript), sign its attestation with its public-key pair to a distributed ledger, and issue the credential to the student (the identity owner). The student can then prove his academic qualifications to the evaluating employer by merely sharing the attestation from Stanford in his Web3 wallet. The potential employer (the verifier) could confirm the presented credential's validity by checking the attestation's signature and referencing it to the public-key pair from Stanford University. In this case, the academic transcript was never revealed, per se, but was verified as authentic and genuine through this mechanism.

While this sounds like an email attachment with extra steps, it is, in fact, an “elegant” solution to the problems we laid out at the beginning of this article: preservation of one’s digital footprint. Because the employer couldn’t download and retain the private and sensitive information directly, the prospective employee can feel better knowing that his personal information does not now sit on a siloed, centralized server owned by the company, which at any point, can release the data to outside, unprivileged parties either by choice or by accident.

There is a requirement for three parties in such a system. To move away from the centralized hub and spoke model of Web2 identity, more players are required to divide the responsibility of identity management. From verifying to updating data, the more parties involved, the more built-in decentralization, and therefore security, exists in the system.

Beyond parties are the tools: the Web3 wallet. In this application, a Web3 wallet is more than a pointer to data on the blockchain: it can replace a physical wallet. While a physical wallet can hold an array of state-issued licenses, loyalty cards, and membership cards, among money and other records, so can a Web3 wallet with a higher level of security. Someone may be able to steal your physical wallet and your social security card, but a Web3 wallet adds layers of protection that require a password and wallet signature to verify any transaction. Not only can we preserve our information, but we also have added data portability, security, and ownership of these credentials. As adoption increases for this type of system and Web3 wallet, so will the amount and type of credentials that the digital wallet can represent.

Concluding Remarks

The Web 2.0 Internet is optimized for communication between computers across networks, as opposed to people across networks. When the need for identity management entered the fray, the system was a hack - no native identity layer meant limited protection for users and their data.

As the Internet’s evolution matures, the emergence of ownership within digital networks will be paramount. Distributed ledgers and public-key cryptography are the only building blocks for this next epoch. As we converge toward adhered-to standards and specifications, decentralized identity can offer a critical missing piece to the future of the internet.

References:

Decentralized Identifiers (DIDs) v1.0. https://www.w3.org/TR/did-core/. Accessed 16 Aug. 2022.

“Decentralized Identity.” Ethereum.Org, https://ethereum.org. Accessed 16 Aug. 2022.

Voshmgir, Shermin. Token Economy: How Blockchains and Smart Contracts Revolutionize the Economy. 1st edition, 2nd amended printing, BlockchainHub, 2019.

“What Is Decentralized Identity And Why Should You Care?” Hashnode Web3, https://web3.hashnode.com/what-is-decentralized-identity. Accessed 16 Aug. 2022.