Self-sovereign identities are the future of digital identities. Putting the control back into the hands of the users allows for greater security everywhere.
What is self-sovereign identity? Self-sovereign identity (SSI) is a framework for digital identities that gives the power back to the individual to control and gatekeep access to their digital identity and the information contained within their ID.
What Is Digital Identity and What Challenges Does It Face?
Digital identification is a somewhat controversial topic. As modern society turns more and more to digital records and authentication, it seems only logical that primary identification documents, and inevitably private identification information, become the backbone of national identity systems.
Utilizing digital identities on a broader scale, including civic and government identification adoption, could have a significant economic impact. According to McKinsey, moving to more comprehensive digital identities schemas could provide several benefits:
Lowering Barriers to Participation: Currently, many individuals do not have ID documentation, which severely limits their ability to participate in society. Voting, driving, working, and even commerce can become more difficult without an ID. With a digital system, it would be that much easier to coordinate the release of credentials without relying on analog systems like physical offices and paper documents.
Reducing Fraud: Digital IDs can be cryptographically protected and locked with specific authentication methods like multi-factor authentication, meaning that organizations can use these IDs to make identity theft much harder.
Growth and Scalability: A digital ID system linked to computers and mobile devices can significantly cut costs related to document issuance and system upgrades. Additionally, this growth will apply to all potential areas of impact—that is, official digital IDs would support authentication and identification in physical and digital contexts.
However, the challenges for digital ID are also myriad and relatively novel, meaning that developers are still working out how to properly roll out digital ID. Some of the challenges include the following:
Theft and Fraud: While digital IDs can resist some types of fraud, they can also suffer from other forms of theft. Phishing attacks, database hacks, and other malicious events could make it much harder to replace existing ID information already embedded in multiple official systems.
Monetization: Streamlining digital information can make it much easier for businesses to gather that information through malicious means or legitimate relationships with government agencies. It’s only a matter of time before these organizations sell or monetize this important private information.
Abuse of Power: Digital ID must be appropriately designed to protect individuals; if it isn’t, then those in power could abuse the system to fuel oppressive governments or violent state actions. Furthermore, failures of the system due to security issues could completely cripple the ability of IDs to function.
Ownership: One of the major debates in digital information is who owns personal data. Regulations like the General Data Protection Regulation place ownership in the hands of individuals, but in most other jurisdictions, private companies and governments mediate access to private information with little direct regulation.
The last point is critically important when discussing the expansion of digital identity into civil life. Previous models of digital identity didn’t account for basic identity ownership.
Below are two examples of digital ID models:
Under a siloed model, individual organizations manage databases of credentials for users. During authentication, users provide credentials and are granted access to a system’s resources based on that identity.
The challenge of this model is that individual identities are only applied to specific systems and users must juggle several different identities across platforms. This not only placed ownership of identity information into a loose collection of businesses, it also made security much more difficult because users would use simple and identical passwords across multiple platforms so they wouldn’t forget them.
To address the problem of siloed identity, major platforms began connecting authentication systems through federated identity management. In this model, the credentials from one platform can authenticate a user on another platform. For example, when users log in to a platform and are given the option to use their Facebook or Google ID, consumers are interacting with federated identity..
The organizations managing federated identity do so because they are popular and still control those identities. They essentially use personal identity to mediate how people interact with the rest of the web. While this might work for general-purpose computing, it’s unacceptable for enterprise use or anyone concerned with identity and sovereignty.
How Does Self-Sovereign Identity Work?
Self-sovereign identity is a model where individual users and organizations hold ownership over their identity. It is not mediated or provided through third-party organizations, and it is not traded, sold, or modified without a user knowing.
Consider a driver’s license. This documentation is created, logged, and issued by the government, but the actual document is yours. Other organizations don’t have access to it. You hold the actual document itself and can provide it if and when you see fit.
Self-sovereign identity is much the same. The concept is that digital identity shouldn’t fall under the assumption that personal information is a commodity for businesses but an object of critical importance that people and organizations should have control over.
Under previous Digital ID models, conceiving a self-sovereign identity was difficult. However, new models and technologies make the possibility more real:
The blockchain is a decentralized and immutable ledger that monitors digital transactions on a given network. The entire idea behind a blockchain is that individuals on that network own information (or whatever is exchanged).
More popular implementations of blockchains are associated with coins or tokens, but properly managed private blockchain ledgers can be used to provide immutable ID credentials to individual users. Under this model, those credentials belong to whoever has them, not the network as a whole, promoting a form of self-sovereignty.
Conceived and developed by the World Wide Web Consortium (W3C), decentralized identifiers are an attempt to create a global technical standard around cryptographically secured identifiers—in many ways a secure, universal, and sovereign form of digital ID. This technology uses peer-to-peer technology to remove the need for intermediaries to own and authenticate ID information.
DIDs are becoming more and more popular as an open and flexible standard. The European Union (where GDPR is the law) developed a schema for decentralized identifiers as the base of the European Self-Sovereign Identity Framework.
Support Self-Sovereign Identity in Your Organization with 1Kosmos
We talk a lot about the security and usability challenges of enterprise authentication. Complex systems without liveness and identity proofing are a recipe for a security disaster for most businesses.
However, we also take very seriously the idea that employers and employees value the notion of private, ownable identity markers both inside and outside their organization. Placing ownership in the hands of the enterprise and the user provides an additional level of security. They also allow these individuals to better interact with associated managed services, partner businesses, and the greater society.
BlockID from 1Kosmos provides secure authentication and promotes identity ownership through a few critical features:
- Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification. Our ledger is immutable, secure, and private, so there are no databases to breach or honeypots for hackers to target.
- Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
- Streamlined User Experience: The distributed ledger makes it easier for users to onboard digital IDs. It’s as simple as installing the app, providing biometric information and any required identity proofing documents, and entering any information required under ID creation. The blockchain allows these users more control over their digital identity while making authentication much easier.
- Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
- Interoperability: BlockID and its distributed ledger readily integrate with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
- Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
To discover self-sovereign identity and BlockID, read more about 1Kosmos as a Distributed Digital Identity Solution. Also, make sure to sign up for the 1Kosmos newsletter to receive updates on 1Kosmos products and services.