Decentralized Identity – Secure Digital Identity Management?
Everyone is familiar with the following situation from everyday life: financial service providers or service providers (e.g., mobile network operators) offer services only for registered and verified users. The consequence: In order to be able to prove one’s own identity online, a new account must first be created using an e-mail address and a selected password. This principle leads to several problems: First, many users use the same password with different service providers; second, passwords are often insufficiently secure. For example, “123456”, “passwort” or “qwertz” are among the most popular passwords used by Germans. This represents a major security gap [1, 2]. In order to link the account created with one’s own identity, the next step is to verify the user account with the help of an identity provider, e.g., a bank. [3]. This involves going through a KYC process (“Know-Your-Customer”). In a KYC process, the identity provider checks the identity documents (ID, passport) of the person to be verified for correctness on the basis of specific features (ID number, security imprints). The verification takes place in (online) presence, a facial verification is performed [4]. After successful verification, the identity provider confirms the identity and stores it.
The process of creating and verifying different accounts results in a single user having many online identities and involves almost as many identity providers (see Figure 1), who are then in possession of the user data. This creates two problems: first, users have difficulty maintaining control over their own data and must cope with a multitude of accounts and identities [5]. Above all, the protection of one’s own data falls by the wayside in many cases due to a lack of password security. This makes user identities an easy target for hackers. On the other hand, identity providers store user identities in central databases; if these are hacked, the hackers can obtain the identities of thousands of users in one fell swoop, depending on the provider. Accordingly, such central user databases represent a major risk [6]. Moreover, it is very inefficient and unnecessarily inconvenient for the customer if every merchant has to verify the identity of a customer anew, even though this process has already been carried out countless times.
The advancement of blockchain/distributed ledger technology in recent years has given rise to a new approach to online identity processing and verification, Decentralized Identity. This post explores the concept as well as the underlying technology and highlights advantages over the traditional use of identity providers and user accounts.
Basics – Decentralized Identity
The concept of decentralized identity is based on blockchain/distributed ledger technology, which is used to check and store information relating to digital identity. Evidence (ID card, driver’s license, certificates) is stored locally by the user (e.g., on a smartphone) and then checked for validity using blockchain technology. In this context, “decentralized identifiers” (DIDs) and DID documents are used, which are stored on the blockchain. With the help of DIDs, individuals and organizations can be uniquely identified across different blockchain networks.
A DID consists of 3 parts, these are separated by “:”:
- Definition: the document is a DID (“did”).
- The DID is located on the blockchain network “Evan.”
- ID “0xb9c5714089478a327f09197987f16f9e5d936e8a” uniquely represents a person’s digital identity.
The following example (as well as Figure 3) shows the use of a DID in practice and explains its relevance for digital identity verification:
A university (DID subject) holds different properties and is described by different attributes (location, name). The challenge is to uniquely describe the university so that all participants in the blockchain network can identify it. This is important so that only the university can validate and verify credentials of former students. This is where the DID comes into play. Similar to a database, the DID allows the unique identification of the subject in the network by assigning a unique identification number. Attributes such as location and name of the university are summarized in an external DID document and can be retrieved through the DID (see Figure 3). Other participants in the blockchain network can subsequently use the unique DID to find the university and the DID document in the network [8, 9].
In addition to additional information about the DID subject, the DID document uses cryptographic blockchain encryption for the release and verification of identity documents (example: has the certificate really been issued by the university?). Public and private keys are used for this purpose [10]. In the university example, for each verified certificate, a public key is generated in the university’s DID document and stored on the blockchain, proving the validity of the document. Students receive the counterpart, the associated private key, and can thus share the transaction/authenticity of their credential on the blockchain with third parties. But more on that later. Classic login methods (email addresses and passwords) will become obsolete through the use of a decentralized identity, and verification of credentials for logins or user verification will be done using the DID [11].
Different initiatives already exist for the standardization of DIDs (Decentralized Identity Foundation [12], W3C standards [8]). Also, large companies such as Microsoft [13] and IBM [11] already offer their own decentralized identity solutions based on DIDs.
If technical terms around blockchain technology such as cryptographic encryption are unknown at this point, we recommend the blog post “The Technical Side of the Blockchain Map” as well as the associated artifact, the BlockWiki. In this, technical basics and contexts of blockchain technology are explained.
The following is a brief introduction to the reference process (Figure 4) for decentralized identity issuance and verification.
Reference Process – Decentralized Identity
Step 1: Create Wallet
The user creates a wallet (e.g.: using a mobile application on their own cell phone). This allows the storage and management (sharing/restriction) of the digital identity (example: certificate). The wallet is secured using a password or the user’s biometrics. [14].
Step 2: Issue of the identity certificate
The user then contacts an official issuer, such as the university described in the example above. This verifies the validity of the certificate once [6]. The issuer assumes the role of identity provider at this moment. The validity of the certificate is now documented on the blockchain using the university DID and in the associated DID document.
Step 3: Obtaining the identity certificate
The user now receives the certificate and cryptographic keys and can store them in their wallet. The wallet is connected to the blockchain, a DID uniquely identifies the user there [14].
Step 4: Verification of the digital identity
The user can now use their wallet to check and verify the credential. The verifier (example: employer) accesses the blockchain and finds the DIDs of the user and the university [3, 15, 16]. By matching the cryptographic keys, the credential is deemed valid. The blockchain/DLT is considered a single source of truth throughout the process and makes a central intermediary obsolete. In this process, certificates and documents are always stored only in the user’s wallet; the blockchain/DLT is used only to store validity information [3].
Advantages over Central Solutions
The use of a decentralized identity creates different advantages compared to traditional identification using passwords and email addresses. Blockchain technology provides trust and security between the involved parties through immutable transactions. DIDs uniquely identify participants in the network and provide transparency. User information enjoys the highest integrity and cannot be modified by any external party (cryptographic encryption). This enhances the overall security of the identification process and makes it difficult for hackers to access user data and digital identities. User privacy is paramount throughout the process, with the wallet providing the central location for approving and restricting access to one’s online identity. Creating digital identities can be done easily and quickly using standardized processes [5]. Identity verification is also improved through the use of decentralized identity. Falsified documents are a thing of the past and can be disproved at any time based on the blockchain.
Conclusion
Thanks to the further development of modern technologies such as blockchain, decentralized identity offers different possibilities for dealing with human (digital) identity. This concept focuses on the users as well as their personal rights; data silos and centralized concepts are a thing of the past. The concept is nevertheless dependent on a critical user mass as well as the underlying infrastructure. Technical implementations of DIDs must function smoothly and be compatible across multiple blockchains. We will continue to watch the developments around the topic of digital identity with excitement and will report on future developments.
Sources
[1] “Was ist Passwortwiederverwendung und wie Sie Ihr Konto schützen”, 2022. https://www.keepsolid.com/passwarden/de/help/manuals/how-to-protect-from-password-reuse
[2] Hasso Plattner Institut, “Die beliebtesten deutschen Passwörter 2021”, 2021. https://hpi.de/pressemitteilungen/2021/die-beliebtesten-deutschen-passwoerter-2021.html
[3] GSMA, “Decentralised Identity”, Identity, 2022. https://www.gsma.com/identity/decentralised-identity
[4] IDnow., “Was ist KYC? Prozess & Ablauf im Überblick – IDnow”, 2022. https://www.idnow.io/de/regulatorik/was-ist-kyc/
[5] Gupta, D., “Decentralized identity using blockchain”, VentureBeat, 2022. https://venturebeat.com/2022/03/05/decentralized-identity-using-blockchain/
[6] Dock, “Blockchain for Decentralized Identity”, Dock Blog, 2022. https://blog.dock.io/blockchain-for-decentralized-identity/
[7] Dechant, S., “Was sind DIDs und wofür werden sie verwendet?”, evan.network, 2019. https://medium.com/evan-network/was-sind-dids-und-wof%C3%BCr-werden-sie-verwendet-348aaa4e2e93
[8] W3C, “Decentralized Identifiers (DIDs) v1.0”, 2022. https://www.w3.org/TR/did-core/
[9] Tykn, “Decentralized Identifiers (DIDs): A Beginners Guide!”, Tykn, 2022. https://tykn.tech/decentralized-identifiers-dids/
[10] Ltd, A.P., “Demystifying Decentralized Identifiers (DIDs)”, Medium, 2021. https://academy.affinidi.com/demystifying-decentralized-identifiers-dids-2dc6fc3148fd
[11] IBM, “Blockchain für digitale Identität und Berechtigungsnachweise | IBM”, 2022. https://www.ibm.com/de-de/blockchain/identity
[12] DIF, “DIF – Decentralized Identity Foundation”, 2022. https://identity.foundation/
[13] Microsoft, “Lösung für dezentralisierte Identitäten | Microsoft Security”, 2022. https://www.microsoft.com/de-de/security/business/solutions/decentralized-identity
[14] Microsoft Security, Decentralized identity explained, 2020.
[15] Microsoft, “Einführung in Nachweise für Azure Active Directory (Vorschauphase) – Microsoft Entra”, 2022. https://docs.microsoft.com/de-de/azure/active-directory/verifiable-credentials/decentralized-identifier-overview
[16] Gisolfi, D., “Decentralized Identity: An alternative to password-based authentication IBM Supply Chain and Blockchain Blog”, IBM Supply Chain and Blockchain Blog, 2018. https://www.ibm.com/blogs/blockchain/2018/10/decentralized-identity-an-alternative-to-password-based-authentication/
- Data strategy in connected business models - 03.06.2024
- Are our jobs at risk? - 23.01.2024
- Are Our Jobs at Risk? - 10.01.2024