Decentralized identity is an approach to identity management that uses blockchain technology to allow individuals to control their digital identity. This approach to identity is intended to allow individuals to maintain control of their digital identity and keep their personally identifiable information (PII) in the individual's hands. This reduces the risks associated with centralized identity and reduces the risk organizations take, making audits easier and allowing organizations to check an individual's credentials through a click. A decentralized identity approach allows people, organizations, and things to interact securely and transparently without sharing sensitive information and gives people control over their identity and credentials.
Especially in digital spaces, where more of people's private and work lives have moved, decentralized identity allows an individual to keep control over that digital identity. This means an individual could use a connected identity wallet for signing in to various websites, rather than having several profiles and passwords to remember. The identity wallet would offer these websites the necessary cryptographic credentials to prove the identity without sharing or requiring the websites to store PII. In the case of payments, a decentralized identity wallet can handle payments without sharing sensitive payment information.
Understanding decentralized identity is perhaps best done in contrast to traditional or centralized identity systems. In a centralized identity system, the individual has no control over who has access to their PII, which is required to use online services, open a bank account, vote in elections, buy property, and secure employment. Each of those requires the individual to prove their identity, and these systems store the identity and the PII, meaning the individual has to be concerned about the protection these services and companies take to ensure that PII is not accessed by unauthorized users. Centralized systems, in a traditional identity system, are also responsible for the issuance and control of an individual's identity.
In a decentralized identity system, the reliance on centralized third parties is removed, and an individual holds and controls their own identifiers and attestations. The individual is then able to manage all of their identity-related information, create identifiers, and hold attestations without relying on central authorities like service providers or governments. The individual is then given the option to provide consent to share their identity with third parties, such as presenting proof of their identity without revealing particulars or proving the individual is above eighteen without offering their actual date of birth. Further, in digital spaces, users are able to collect the data and marketing information about themselves in their decentralized identity, including their browsing or purchasing history, and only share that information when they choose to. In this case, decentralized identity could lead individuals to monetize their own data.
It is perhaps important to identify what an identity is. Identity seems obvious, as we deal with it in some ways almost every day. It signifies an individual's sense of self as defined by characteristics, or identity refers to being an individual, although identity can also refer to some non-human entities.
An identity, however, has to be established for third parties through identifiers. Identifiers are any piece of information that can act as an attestation of a particular identity. Common identifiers include an individual's name, social security or tax ID number, mobile number, date and place of birth, and digital identification credentials. Traditional examples of identifiers are issued, held, and controlled by central entities; those central entities, such as a government, have to give the individual permission to change the information about their identity, such as changing an individual's name or changing an individual's handle on a social media platform.
Part of this requires attestations, which are claims made by one entity about another. For example, many countries issue a driver's license, which attests the individual is legally allowed to drive a car. An attestation is different from an identifier, as an attestation works to reference a particular entity and make a claim about an attribute related to the identity; in this case, the driver's license has identifiers, but it is also the attestation about a legal right to drive, and in this way also works to prove the individual's identity.
An identity, regardless of centralization or decentralization, works the same. But in a decentralized identity system, the identifiers are also decentralized. These decentralized identifiers (DIDs) are different than the centrally issued identifiers because they are not issued, managed, or controlled by a central entity. Decentralized identifiers, instead, are issued, held, and controlled by individuals. These DIDs are stored on distributed ledgers (blockchains) or peer-to-peer networks, which makes them unique and resolvable with high availability and cryptographically verifiable. The key enabling technologies for DIDs are public-key infrastructure and decentralized datastores.
Public-key infrastructure (PKI) is an information security measure that generates a public key and a private key for an entity. Public-key cryptography is already in use in blockchain networks to authenticate user identities and ownership of digital assets. The public key identifies the account's controller, while private keys can sign and decrypt messages for an account, and PKI's can provide necessary proofs for entity authentication and prevent impersonation of fake identities, using cryptographic signatures to verify claims.
A blockchain can serve as a verifiable data registry as an open, trustless, and decentralized repository of information. The existence of the public blockchain essentially works to eliminate the need to store identifiers in centralized registers, as anyone who needs to confirm the validity of a decentralized identifier can look up the associated public key on the blockchain rather than traditional third parties for the authentication of identifiers.
There are various approaches to developing decentralized attestations, which are similar to the attestations used in a traditional identity management system, with various approaches to issues, storing, and verifying attestations in decentralized identity systems. These include the following:
One concern with storing attestations on-chain is these attestations may include private or identifiable information, including information an individual may otherwise wish to keep private. The public nature of blockchains makes it unattractive to store such attestations. Often, the solution includes issuing attestations held by users off-chain in digital wallets but are signed with the issuer's DID stored on-chain. These attestations can be encoded as JSON Web Tokens with the issuer's digital signatures to allow for easy verification of off-chain claims.
This arrangement transforms attestations into JSON files that are stored off-chain, with most ideal scenarios including decentralized cloud storage platforms, but with a hash of the JSON file stored on-chain and linked to a DID through an on-chain registry. The associated DID could be that of the issuer of the attestation or the recipient. Either way, this approach enables attestations to gain persistence through the blockchain while keeping claims information encrypted and verifiable, also allowing for selective disclosure.
As their name implies, on-chain attestations are held in smart contracts on the blockchain. The smart contract maps the attestation to its corresponding on-chain decentralized identifier, or public key. This allows verifications, or background checks, to occur faster than they currently do. In some cases, they can be used to screen individuals based on whether they are permitted to engage in an activity.
Soulbound tokens, or non-transferable NFTs, can also be used to collect information unique to a wallet and create a unique on-chain identity bound to the particular wallet address. This could include tokens representing activity, achievements, or community participation and can be used as attestations for an individual's identity.
Behind decentralized identity is the idea that identity-related information should be self-controlled, private, and portable. This is built on decentralized identifiers and attestations, which offer tamper-proof, cryptographically verifiable claims made by the issuer, and every attestation or verifiable credential issued can then be associated with the DID. Since DIDs are stored on the blockchain, anyone can verify the validity of an attestation, allowing the blockchain to act like a global directory to enable the verification of DIDs of a given entity. Decentralized identifiers are self-controlled and verifiable, and even in the case in which an issuer does not exist, the holder still has proof of the attestation's provenance and validity. Decentralized identifiers are also crucial to protecting the privacy of personal information, as the verifying party need not view a proof of an attestation, but only the cryptographic guarantees of the attestation's authenticity and the identity of the issuing organization to determine the proof's validity.
Self-sovereign identity is another important concept in decentralized identity. The notion of self-sovereign identity (SSI) refers to the use of distributed databases to manage personally identifiable information (PII). Instead of having a set of identities across multiple platforms or a single identity managed by a third party, SSI users have a digital wallet in which credentials are stored and accessed through reliable applications.
Experts distinguish between components known as the three pillars of SSI: blockchain, verifiable credentials, and decentralized identifiers. Blockchain offers a decentralized database, which makes it difficult or impossible to change, hack, or cheat. The verifiable credentials are built to be tamper-proof and cryptographically-secured and implement SSI and protect users' data. These are capable of representing information found in paper or traditional credentials, such as passports or licenses, and are able to represent digital credentials without physical equivalents. And decentralized identifiers enable users to have a cryptographically verifiable and decentralized digital identity. These are created by the owner and owned by the user and are independent of any organization. SSI creates part of the identity architecture that developed decentralized identities.
Decentralized identity is based on the use of decentralized, encrypted, blockchain-based wallets. These decentralized identity wallets allow users to create their decentralized identifiers, store PII, and manage verifiable credentials instead of keeping identity information on numerous websites through intermediaries. Each identity wallet is encrypted, replacing passwords with non-phishable cryptographic keys that do not represent a single weakness in the case of a breach. The decentralized wallet generates a pair of cryptographic keys, public and private. The public key distinguishes a wallet, while the private one, stored in the wallet, is used during the authentication process.
These wallets, which can be used to transparently authenticate an individual, also work to protect users' communications and data. These wallets allow users to give or revoke access to identity information in order to establish trust, prove eligibility, or otherwise complete a transaction. And as the wallet presents a single source, it makes revoking or giving access faster and easier. Any information in the wallet tends to be, as noted above, verified or signed by multiple trusted parties to prove its accuracy.
Decentralized identity use cases
Sybil attacks refer to individuals tricking a system into thinking they are multiple people, often used to increase an individual's influence. Grant-giving applications that use quadratic voting are vulnerable to Sybil attacks because the value of the grant can be increased when more individuals vote for it. Decentralized identities help prevent this by raising the burden on each participant to prove they are human without requiring them to reveal specific information.
As more companies profit from individuals' data and people examine who owns and should profit from user-generated data, decentralized identity offers a solution, as it offers users a chance to control their data and monetize that data. Data on its own has value, and the insights derived from personally identifiable data substantially increase the value of the data, with the data already considered incredibly valuable and only getting more valuable as more individuals are digitized. Decentralized identity allows users to attribute their online data to themselves and then either personalize their data, for example, by renting it to AI training algorithms or selling it to advertisers. Or else users could keep their data hidden and protected from corporations or governments.
Part of the new data regulations, such as the EU GDPR, grants users right to data portability, which pertains to the data subjects rights to have their personal data transmitted from one controller to another when feasible. With decentralized identity, it is possible to migrate identities when anchored on one target system to another, and data portability reduces the friction for the user while simplifying related processes, such as sign-up processes, further increasing user adoption. This data portability also offers users the chance to meet other requirements, reduce onboarding time, avoid drop-out rates, and cut costs across sectors by skipping identity verification processes.
Increased economic contribution
Decentralized identity is expected to contribute to economic growth worldwide, as it could allow currently unbanked individuals to participate in the economy. This is as many unbanked individuals around the world already own a mobile phone, which could be used to develop a decentralized identity and give those individuals a chance to participate more fully in the online and global economy, let alone local economies.
Using online services often requires individuals to provide attestations and credentials. This can be problematic, as private user information can be compromised and service providers cannot verify the authenticity of the attestation. Decentralized identity allows a company to skip conventional Know-Your-Customer (KYC) processes and authenticate user identities through verifiable credentials, further reducing the cost of identification management and preventing the use of fake documentation.
There are various pros or benefits of decentralized identity. It can be trustworthy because it uses a consensus approach to prove data authenticity, and each block contains the changes in the case someone attempts to or successfully tampers the data. In this way, it provides data integrity as the blockchain data storage mechanism is built to be immutable and permanent and therefore not capable of being modified or deleted. A DID offers security, as the blockchain features data in a highly encrypted fashion, capable of catering to digital signatures, consensus algorithms, and cryptographic functions to protect those identities from breaches and thefts. A DID system offers privacy as each identifier is pseudo-anonymous, which can increase privacy. And it is simple, with individuals or identity owners able to store and manage their identities in an identity wallet, and verifiers are able to efficiently onboard users and conduct the information verification process.
As for DID drawbacks, one of the most common (and to some, the only) drawback to this type of identity verification is adoption. As governments and organizations attempt to figure out how to deploy decentralized identity at scale—if they even want to, as many governments and organizations prefer to control the issuance of identification and identity data—many individuals also have not heard of, let alone understand, the difference between decentralized identity and centralized identity. Overcoming legacy systems, legacy interests, and regulations while creating interoperable global standards and governance remain important concerns. Especially as one country that uses and accepts DIDs may find these types of identities not accepted in other countries. Another issue is data fragility, as identity data can be duplicated, confused, and inaccurate regardless of the identity management system, and centralizing or decentralizing the identity management system does not necessarily solve those issues.
Blockchain for Digital Identity | Real World Blockchain Use Cases | ConsenSys
Centralized and Decentralized Identity Management
Decentralized identity | ethereum.org
Decentralized identity using blockchain
March 5, 2022
The Beginner's Guide To Decentralized Identity