Self Sovereign Identity - Internet’s Missing Identity Layer
When the Internet was built, it was done so in a way that you would not know who you were connecting to. To get rid of this loophole, the TCP/IP protocol was introduced, which gives us the address of the computer we are connecting to, but nothing about the person, organisation or thing we are communicating with! We can see how that can be dangerous for any online user, making your devices highly susceptible not only to hacking but also to identity theft.
If we let the situation be as is, then things could soon get out of hand and could potentially become an uncontrolled online epidemic of distrust.
How difficult is it to build this simple identity layer, you’d ask.
A simple answer would be: very, very difficult.
What is the exact problem and how can we solve it?
In our previous blog, we told you why the entire idea of the password-based system is flawed, with issues ranging from remembering tons and tons of passwords to phishing attacks to cases of identity theft.
All these are trickle-down effects of the current lack of a strong and foolproof identity layer.
How can we solve this, you may ask?
This is where the concepts of decentralisation and blockchain enter the game. Before we go ahead with the complex components of these famous buzzwords, let us first understand the three existing models of digital identity.
Centralised identity model
This is the model used in current password login systems, passports and other identification systems, where a central government or service provider issues your credentials. One establishes their identity in this system by registering an account, earning it the name account-based identity.
In this system, you are permitted to plug into a service or website through the credentials that the organisation has given you, placing the entire power of control with the organisation and very little with you. What if I just delete my account after I have used the service, you may ask? This only cuts off your access to the account; all the data remains with the organisation.
Does this remind you of the terms of agreement you signed up to while downloading that new trending app?
The biggest threat in this system is the central database full of user data, which makes it a honeypot for cyber-crime.
Federated identity model
A model in which a ‘middle man’, the identity provider (IDP), verifies the user’s identity for the organisation of interest, the relying party. Examples of such authentication methods are OAuth, Security Assertion Markup Language (SAML) and OpenID Connect (e.g. Google, Instagram and Facebook sign-in). These methods have enjoyed great popularity, but they have also failed us in multiple ways:
- There isn’t a single IDP that works with all sites, so a user needs to be associated with more than one IDP to gain access to services, bringing the issue of remembering a plethora of credentials back into the picture.
- Security and privacy policies take a beating in these IDPs, since they need to be universally acceptable.
- Not everyone (firms and users included) is comfortable with the meddlesome middleman, who has the ability to monitor user choices and actions.
- Such large IDPs again become hotspots for crime, given the large amount of data stored in them.
- If you decide to leave an IDP, all the connected accounts are lost.
- Privacy concerns restrict us from storing sensitive data like passports and other details in these IDPs.
Decentralized identity model
In 2013, a new model inspired by blockchain technology, called Fast IDentity Online (FIDO), surfaced. It uses a hybrid approach in which connections are peer to peer, but key management is performed centrally by FIDO rather than on a blockchain. Adoption accelerated rapidly, as the model no longer relied on either of the previous two models, making it fundamentally decentralised. It spawned new decentralised identity standards, such as verifiable credentials and decentralised identifiers.
The difference is that identification is no longer account-based; instead, it works like identity in the real world, where we share relationships as peers.
Neither of you has an account; rather, you share a connection. It is like a string held by both of you: if either one drops it, the connection is lost.
But how does this help provide an identity layer, you may ask? That’s where public-key cryptography comes into play. Instead of using the blockchain for cryptocurrency, we use it here for a Decentralised Public Key Infrastructure (DPKI):
- Exchanging public keys establishes a connection between two peers.
- Storing some of these public keys on public blockchains lets anyone verify the signatures on digital identity credentials, which peers can exchange to prove their real-world identity.
This method is simply a digitisation of the real-world verification system, using digital wallets, connections and credentials.
Self Sovereign Identity - The Whats and Whys
So what is Self Sovereign Identity?
A standard definition of sovereignty would be:
The quality or state of being sovereign, or of having supreme power or authority; the status, dominion, power, or authority of a sovereign; royal rank or position; royalty.
Attaching the word self to it gives us:
A person’s identity that is neither dependent on nor subjected to any other power or state.
Why is it so essential?
SSI represents a shift in control from the service providers to the user themselves, giving them the power to interact with everyone else solely as a peer.
The market and SSI
Consumers equipped with SSI digital wallets can
- Enjoy passwordless registration and login
- Receive warnings when connecting to untrustworthy services
- Make payments hassle-free through digital wallets
- Have receipts logged automatically
Banking and Finance
In the current day and age, most millennials prefer online or mobile banking, and with rising interest in the stock market and cryptocurrency, a secure identity layer becomes all the more essential. Hence, having an SSI wallet can
- Let one work with any financial institution that supports SSI
- Ensure KYC and AML (anti-money laundering) checks are passed before any data is divulged
- Allow mortgage and loan papers from the relevant issuers to be submitted in seconds, speeding up the process
- Enable single- and multi-party signature-based authorisation for large transactions with the utmost security
With SSI wallets one can
- Obtain instant copies of medical records for any medical procedure
- Provide secure, legally valid, auditable consent for medical procedures
- Share medical details with the concerned authorities
- Provide instant proof
- Disclose only the information that is required; this is done using cryptographic proofs
- Keep all travel documents in a single location
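As an added example that is not code from the original post, the two DPKI steps above (peers exchange keys; issuer keys sit on a public ledger so anyone can verify credential signatures) and the "disclose only what is required" point, in Go: an issuer signs a credential built from salted claim digests, an in-memory map stands in for the public ledger of issuer keys, and the verifier resolves the issuer's key from it, checks the signature, and accepts only the claims the holder chose to reveal. The DID strings, the digest format and the map-as-ledger are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// Credential: the issuer signs the sorted, salted claim digests, never the raw claims.
type Credential struct{ Issuer string; Digests []string; Sig []byte }
// Disclosure is what the holder reveals for one claim: its name, value and salt.
type Disclosure struct{ Name, Value, Salt string }
func digest(d Disclosure) string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}
// Issue salts every claim, signs the canonical digest list and hands the holder both.
func Issue(issuer string, priv ed25519.PrivateKey, claims map[string]string) (Credential, []Disclosure) {
	discs, digests := []Disclosure{}, []string{}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // fresh salt per claim, so undisclosed values cannot be guessed from digests
		d := Disclosure{name, value, hex.EncodeToString(salt)}
		discs, digests = append(discs, d), append(digests, digest(d))
	}
	sort.Strings(digests) // map order is random; the signature must cover a canonical order
	msg := []byte(issuer + "\n" + strings.Join(digests, "\n"))
	return Credential{issuer, digests, ed25519.Sign(priv, msg)}, discs
}

// Verify resolves the issuer key from the registry (assumed stand-in for the public ledger), checks the signature, then accepts only disclosed claims whose digest was signed.
func Verify(registry map[string]ed25519.PublicKey, c Credential, shown []Disclosure) (map[string]string, bool) {
	pub, ok := registry[c.Issuer]
	msg := []byte(c.Issuer + "\n" + strings.Join(c.Digests, "\n"))
	if !ok || !ed25519.Verify(pub, msg, c.Sig) {
		return nil, false
	}
	out := map[string]string{}
	for _, d := range shown {
		i := sort.SearchStrings(c.Digests, digest(d)) // Digests are sorted
		if i == len(c.Digests) || c.Digests[i] != digest(d) {
			return nil, false // tampered value, or a claim not in this credential
		}
		out[d.Name] = d.Value
	}
	return out, true
}
```

A holder who presents only the `over18` disclosure proves that claim was signed by the issuer without revealing the name or date of birth the same credential carries.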
Major challenges that SSI faces in execution
Since we have established that SSI is probably the best way to work our way through life, let’s look at some problems that it has yet to solve.
- Building out a new SSI ecosystem
Companies, people and governments will have to work together to understand the full impact of SSI as a whole.
- Decentralised key management
Loss of an individual’s private key results in loss of all the data that the person has stored in the wallet. This is one of the greatest pain points in the field of SSI wallets.
- Offline Access
Without internet connectivity, one cannot access any of their documents, making the exercise futile.
Hopefully, one day we will have remedial measures for these problems, making the SSI system all but unbreakable and mankind’s best invention after fire and the internet!