Blockchain technology allows users to create and manage digital identities through the combination of three components: decentralised identifiers, identity management and embedded encryption.
A digital identity arises organically from the use of personal information on the web and from the shadow data created by an individual’s actions online. It may be a pseudonymous profile linked to a device’s IP address, for example a randomly generated unique ID. Data points that can help form a digital identity include usernames and passwords, driver’s licence number, online purchasing history, date of birth, online search activity and medical history. Biometric data (behavioural and biographic) also forms part of a person’s identity.
How is digital identity created?
In one example, users sign up to a self-sovereign identity and data platform to create and register a DID. During this process, the user generates a pair of private and public keys. The public keys associated with a DID can be stored on-chain so that a compromised key can be replaced, or keys rotated for security reasons, without losing the link to the DID. Additional data associated with a DID, such as attestations, can be anchored on-chain, but the full data itself should not be stored on-chain, both for scalability and for compliance with privacy regulations.
What is a decentralised identifier?
A decentralised identifier (DID) is a pseudonymous identifier for a person, company, object, etc. Each DID is secured by a private key. Only the private key’s owner can prove that they own or control that identity. One person can have many DIDs, which limits the extent to which they can be tracked across the multiple activities in their life. For example, a person could have one DID associated with a gaming platform and another, entirely separate DID associated with their credit-reporting platform.
Each DID is often associated with a series of attestations (verifiable credentials) issued by other DIDs that attest to specific characteristics of that DID (for example location, age, diplomas, payslips). These credentials are cryptographically signed by their issuers, which allows DID owners to store these credentials themselves instead of relying on a single profile provider (such as Google and Facebook). In addition, non-attested data such as browsing histories or social media posts can also be associated with DIDs by the owner or controllers of that data, depending on context and intended use.
How are decentralised identities secured?
A key element of securing decentralised identities is public-key cryptography. The private key is known only to its owner, while the public key is disseminated widely. This pairing serves two functions. The first is authentication: a signature that verifies under the public key proves that the message was sent by a holder of the paired private key. The second is encryption: only the holder of the paired private key can decrypt a message encrypted with the public key.
How are decentralised identities used?
Once paired with a decentralised identity, users can present the verified identifier, for example in the form of a QR code, to prove their identity and access certain services. The service provider verifies the identity by checking the proof of control or ownership of the presented attestation: the attestation was issued to a DID, and the user signs the presentation with the private key belonging to that DID. If the signature verifies against that DID’s public key, access is granted.
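The issue, present and verify steps described above (issuer-signed credential, holder-signed presentation, verifier checking both against the DID public keys), as an added example that is not from the article or from Consensys. It uses Ed25519 from the Go standard library; an in-memory map stands in for the on-chain DID public-key record, and the DID strings, claims and nonce are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Registry stands in for the on-chain record of DID public keys (a real system would read a DID document).
type Registry map[string]ed25519.PublicKey

// NewDID creates a key pair and anchors only the public key; the private key stays on the owner's device.
func NewDID(reg Registry, did string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg[did] = pub
	return priv
}
// Credential is a minimal attestation: issuer DID, subject DID, claims and the issuer's signature.
type Credential struct {
	Issuer, Subject string
	Claims          map[string]string
	Sig             []byte `json:",omitempty"`
}
// canonical serialises a value for signing; encoding/json sorts map keys, so the bytes are deterministic.
func canonical(v any) []byte { b, _ := json.Marshal(v); return b }
// Issue signs the credential with the issuer's private key while the Sig field is still empty.
func Issue(issuer string, priv ed25519.PrivateKey, subject string, claims map[string]string) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claims: claims}
	c.Sig = ed25519.Sign(priv, canonical(c))
	return c
}
// Present proves control of the subject DID: the holder signs the credential bytes plus the verifier's nonce,
// so a captured presentation cannot be replayed to a verifier that issued a different nonce.
func Present(c Credential, nonce string, holderPriv ed25519.PrivateKey) []byte {
	return ed25519.Sign(holderPriv, append(canonical(c), nonce...))
}
// Verify checks the issuer's signature on the credential, then the holder's nonce-bound signature,
// each against the anchored public key of the respective DID.
func Verify(reg Registry, c Credential, nonce string, holderSig []byte) error {
	uc := c
	uc.Sig = nil // the issuer signed the credential before Sig was filled in
	if pub, ok := reg[c.Issuer]; !ok || !ed25519.Verify(pub, canonical(uc), c.Sig) {
		return errors.New("issuer DID not anchored or credential signature invalid")
	}
	if pub, ok := reg[c.Subject]; !ok || !ed25519.Verify(pub, append(canonical(c), nonce...), holderSig) {
		return errors.New("presenter does not control the subject DID")
	}
	return nil
}
```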
What are the use cases of blockchain in identity management?
Decentralised and digital identification can be used in many ways. Some of the top use cases that ConsenSys has identified are self-sovereign identity, data monetisation and data portability.
What is self-sovereign identity?
Self-sovereign identity (SSI) is the concept that people and businesses can store their own identity data on their own devices, choosing which pieces of information to share with validators without relying on a central repository of identity data. These identities could be created independent of nation-states, corporations, or global organisations.
What is data monetisation?
As the world begins to examine who owns and should profit from user-generated data, blockchain-based self-sovereign identities and decentralised models give users control and carve a path to data monetisation.
Data monetisation refers to using personal data for quantifiable economic benefit. Data on its own has value, but insights derived from personally identifiable data substantially increase the value of the underlying data. Quintillions of bytes of data are created each day by 4.39 billion Internet users. Currently, the online data that we generate is intangible, invisible and complex. Attribution is critical to ownership, and SSI makes it possible to attribute your online data to your DID. From there, individuals could monetise their personal data, for example by renting it to AI training algorithms or choosing to sell it to advertisers. Users would also have the option to keep their data hidden and protected from corporations or governments.
What is data portability?
Article 20 of the European Union General Data Protection Regulation (EU GDPR) grants users the right to data portability, which pertains to the data subject’s right to have their personal data transmitted directly from one controller to another, where technically feasible. This right has the potential to enhance user experience by cutting down on the need to re-verify identity across various services and platforms. With DIDs and verifiable credentials, it is possible to migrate identities anchored on one target system to another with ease. Data portability reduces friction for the user while simplifying the sign-up process, which increases user adoption. DID data portability also allows for reusable credentials, where users can quickly re-verify themselves while meeting regulatory know your customer (KYC) requirements. This is especially useful for reducing customer onboarding time. It reduces drop-out rates and cuts costs in the financial sector by skipping the cumbersome identity verification process, in which a lot of documents usually need to be provided and checked.
How does blockchain enable increased economic contribution?
Digital ID is expected to contribute greatly to economic growth worldwide over the next 10 years, and it is considered inclusive since it benefits individuals largely while stimulating economic activity for the global market. For example, a McKinsey study reveals that reaching the unbanked population in ASEAN could increase the economic contribution of the region from $17 billion to $52 billion by 2030.
What are the benefits of decentralised identity?
Blockchain technology offers the following benefits:
- Decentralised public key infrastructure (DPKI)
- Decentralised storage, and
- Manageability and control
Decentralised public key infrastructure (DPKI)
DPKI is the core of decentralised identity. Blockchain enables DPKI by providing a tamper-proof and trusted medium for distributing the asymmetric verification and encryption keys of identity holders: anyone can create or anchor cryptographic keys on the blockchain in a tamper-proof and chronologically ordered way. Others use these keys to verify digital signatures, or to encrypt data to the respective identity holder. Before DPKI, everyone had to buy or obtain digital certificates from traditional certificate authorities (CAs). With blockchain technology there is no longer a need for a centralised CA. In turn, DPKI is an enabler for many use cases, notably verifiable credentials (VCs), the term many people today use for digital credentials that come with such cryptographic proofs.
Decentralised storage
Identities anchored on blockchains are inherently safer than identities stored on centralised servers. By using the cryptographically secure Ethereum blockchain, in combination with distributed data storage systems like InterPlanetary FileSystem (IPFS) or OrbitDB, it’s possible to disintermediate existing centralised data storage systems while still maintaining trust and data integrity. Decentralised storage solutions, which are tamper-proof by design, reduce an entity’s ability to gain unauthorised data access in order to exploit or monetise an individual’s confidential information.
Decentralised storage is one of the core components of secure identity data management. In a decentralised framework, credentials are usually stored directly on the user’s device (such as smartphones or laptops) or securely held by private identity stores.
When solely under the control of the user, identities are considered self-sovereign. This means the user can fully control access to the data without having to worry about that access being revoked by a third party. Data under the user’s control is also more interoperable: the user can employ it on multiple platforms and for different purposes, and is protected from being locked into one platform.
Manageability and control
In centralised identity systems, the entity providing the identity is generally responsible for the security of the identity data. In a decentralised identity framework, security becomes the responsibility of the user, who may decide to implement his or her own security measures or outsource the task to some service like a digital bank vault or a password-manager-like app. Additionally, blockchain-powered decentralised identity solutions force hackers to attack individual data stores, which is costly and generally unprofitable.
There are many projects around the world addressing this huge challenge and game-changing opportunity. Decentralised identity will be a key component of Web 3.0.
In South Africa, Bankserv, in consultation with many stakeholders, has a long-term strategy to address this innovation, which is so needed to create fertile ground for businesses to future-proof themselves.
Author
Monica Singer CA (SA) South African Lead and Senior Strategy for Consensys Software