Proving it’s really you in the 21st Century – Cointelegraph Magazine
One-quarter of the global populace is going to be spending at least an hour a day in the metaverse by 2026, according to tech consulting firm Gartner, for shopping, gaming, education and more. But at some point, people are going to have to demonstrate that it’s really them behind the avatar.
That’s just one reason many believe that decentralized identity (DI) is likely to play an increasingly important role in Web3’s evolution. And even if DI has been generally overlooked by mainstream media, recent events suggest that is about to change.
Consider that in July, the World Wide Web Consortium (W3C) announced a new standard for decentralized identifiers, culminating years of mostly quiet work and deliberations in this area. In August, Gartner proclaimed DI a “must-know” emerging technology, where people can “control their own digital identity by leveraging technologies such as blockchain […] along with digital wallets.” Earlier this year, Ethereum co-founder Vitalik Buterin proposed Soulbound Tokens (SBTs), which would include many DI elements in a non-transferable NFT format.
Sometimes called self-sovereign identity (SSI), decentralized identity can play a key role in mitigating fraud, data breaches, social engineering and theft in the expanding metaverse, say technologists, but perhaps more importantly, it may impact broad and diverse sectors of human endeavor, including education, healthcare, law, travel and employment.
“I believe that SSI will be revolutionizing how we perceive identity management in the upcoming years,” Adam Gągol, co-founder of Aleph Zero, tells Magazine, while others suggest it is on course to disrupt traditional identity management.
“I’m not sure I would say ‘disrupt’ as much as ‘catalyze,’” Scott Kominers, an associate professor at Harvard Business School who has written about DI, tells Magazine. “My hope is that decentralized identity solutions will make existing sources of information on individuals’ background, activity history and interests more powerful and useful than before.”
“An NFT of a diploma in your crypto wallet, for instance, would turn into a permanent academic certification,” Kominers and Jad Esber wrote recently in a Future article.
Decentralized identity won’t necessarily exclude a bit of fun along the way, either. “With public histories, it would be possible to prove that you were early to a trend or active in a project before it took off — like, say, being into Taylor Swift before she was popular,” Kominers and Esber noted.
Recent events, like the collapse of the FTX crypto exchange, suggest other possible uses for DI/SSI, which can be applied to organizations as well as people. Fraser Edwards, CEO and co-founder at Cheqd, envisions “audit opinions issued as VCs [verifiable credentials], where the focus is less on sovereignty and identity but more on trusted data and reputation — i.e., ‘Do I operate in good faith?’ Or simply, ‘Am I trustworthy?’” he tells Magazine.
Decentralized identifiers and verifiable credentials
DI has two main components: decentralized identifiers (DIDs), which are like traditional identifiers — a legal name, an email address, a social security number, etc. — with the key difference that DIDs are controlled and sometimes even issued by individuals. An example would be an Ethereum account. You can create as many Ethereum accounts as you like and share them with whomever you like. There is no central repository. They reside on an encrypted decentralized digital ledger — i.e., a blockchain.
The second component is verifiable credentials (VCs). These can be derived from familiar credentials such as diplomas, library cards and passports, but again, they are not held on a centralized repository with a single point of control or failure, but on a blockchain where they can be read by machines. They offer familiar benefits like persistence and accessibility, but also more technical ones like cryptographic verifiability (your identity is more secure because it is encrypted) and resolvability — i.e., it’s possible to discover metadata about a user from that person’s DID.
Kim Hamilton Duffy, director of identity and standards at Centre Consortium, offers this example of how decentralized identifiers and credentials might work in an education and employment context:
A fictional “Sally” earns a master’s degree from the University of Oxford for which she receives a “digital diploma that contains a decentralized identifier she provided. This digital diploma is signed using a decentralized identifier which has been published and verified by the University of Oxford.”
Over time, Sally updates the cryptographic material associated with her DID, adding biometric protections and also a quantum-resistant algorithm. “A decade after graduation, she applies for a job in Japan, for which she provides her digital diploma by uploading it to the prospective employee’s website.” A decentralized identifier authenticates that she is the actual recipient of the degree. Moreover:
“Cryptographic authentication provides a robust verification of her claim, allowing the employer to rely on Sally’s assertion that she earned a master’s degree from the stated university without having to contact the university directly.”
Generally speaking, DI has grown with the expansion of blockchain technology, and almost all DI use cases involve a cryptographically secure blockchain at some point. DI is also developing along with zero knowledge technologies that, for example, “enable individuals to prove they own or have done something without revealing what that thing is.” A person applying for a mortgage, for example, would be able to prove that their income falls within a certain approved band without revealing to the bank their actual salary.
An important milestone?
The DI movement has arguably been flying under the radar, but the recent agreement on DI standards makes for faster progress. “The announcement of DID Core as a W3C recommendation is a very important milestone, something that many DI and SSI projects have been waiting for,” Markus Sabadello, CEO at Danube Tech, tells Magazine. It’s a signal to the whole ecosystem that the technology is ready, “not just for experimentation and proofs of concept but for serious solutions to real-life projects.”
“The W3C DID standard’s importance is on par with phone numbers or email address standards’ vitality,” Rouven Heck, decentralized identity lead at ConsenSys Mesh and executive director at the Decentralized Identity Foundation, tells Magazine. “A high level of interoperability becomes possible once every provider uses the same specification.”
Today, Big Tech players like Microsoft are conducting pilots, and even some governments, including the United States, Canada the European Union, Germany and Finland, have been looking at DI “as a tool to improve state-backed identity solutions,” notes Heck.
Are You Independent Yet? Financial Self-Sovereignty and the Decentralized Exchange
Building blocks: Gen Y can use tokens to get on the property ladder
Still, the movement is arguably waiting for its first big use case. Pilots are happening at the fringes and are often modest in scope.
Germany, for instance, recently launched a private/public DI pilot for the travel and hospitality sector. Data from government ID cards and employee certificates were extracted and merged to create a single verifiable credential so that when a company employee checked into one of the 120 German hotels participating in the project, the front desk operator learned immediately from a swipe of the QR code on the guest’s mobile device that “this is really a traveler from that corporation and is allowed to use whatever services we have in in the contract,” reports Florian Daniel, chief information officer of Deutsche Hospitality, who added that the trial will soon be expanded beyond Germany’s borders.
It may seem surprising that pilots like these are happening in areas like travel rather than in healthcare or education or other places where the need for DI/SSI solutions seems more urgent. But cases like the travel example “are more straightforward to pilot, as less sensitive data is involved,” Heck tells Magazine.
Distributed identity’s impact in healthcare
Healthcare is one sector where DI could really change things. It sometimes defies common sense that a person’s health records are stored for years within a single hospital. At a minimum, decentralized identifiers would make it easier for individuals to change health service providers and platforms, but challenges remain.
“For clinicians, DIDs are much more of a sure thing because they enable better reputation registries and reduce the dependence on hospitals and other institutions as keepers of a clinician’s reputation,” Adrian Gropper, a medical doctor and chief technology officer of Patient Privacy Rights — a national organization representing 10.3 million patients — tells Magazine.
How close is DI to mainstream adoption in the healthcare sector? “It will take many years,” says Gropper, explaining:
“The single biggest obstacle is that clinicians have allowed hospitals to control their access to patient records, and hospitals have little incentive to break their control… and risk disintermediation from the clinician-patient relationship.”
DI solutions may be closer to fruition in areas like retail business. The convenience store sector has developed a DI solution called TruAge that’s aimed at curtailing underage purchases of products like alcohol and also restricting the amount of certain other products that can be purchased, Peter Steele, vice president of research at The Pinnacle Corporation, tells Magazine.
The system allows consumers to carry digital proof of their age on their mobile phones, “which can be scanned at a POS [point of sale] to approve age-restricted purchases,” says Steele, adding:
“It might be possible for an ‘adult’ to purchase a large number of vape products and then give them to kids. But with TruAge, they will be restricted from purchasing a large quantity — and that restriction is across all stores, not just one type of store, or a single store.”
TruAge is now being implemented by POS suppliers, adds Steele, but “it will take a few years before it becomes ubiquitous.”
Government’s role in decentralized identity
Many governments are also following DI progress. State agencies are likely to remain the primary issuers of many identifiers like driver’s licenses, birth certificates and social security numbers, even though DIDs and related technologies will eventually give governments less control over them, says Sabadello.
“I think it will take a few more years, but there are already several governments investing into DID technology,” he says. “The EU Commission has been promoting the EBSI/ESSIF infrastructure — which is based on DIDs — as a key building block of a European digital identity framework.”
The U.S. government is also looking into DI solutions. As reported, the U.S. Department of Homeland Security contracted with Danube Tech several years back to develop blockchain security solutions for digital documents like passports and green cards. Eventually, military commanders could send orders to troops in the field across decentralized digital networks, Sabadello tells Cointelegraph, and the soldiers could verify the order using DI solutions.
“In many EU countries, we already see the exploding popularity of gov-tech solutions allowing users to identify themselves using a smartphone app,” says Gągol. One-time Know Your Customer protocols replacing repeated uploads of passports, drivers licenses, health certificates, etc. should prove popular, though this will require “much more privacy-aware solutions, as typically a lot of sensitive data is passed around in the KYC process,” Gągol adds.
Questions about SBTs
Buterin created something of a stir in SSI quarters with his May paper on non-transferable “soulbound” tokens. Does the future belong to privately controlled digital wallets that contain one’s education and employment credentials, but also some social identifiers like “fanships” and recent travel destinations?
“With NFT-based DI/SSI — or soulbound tokens — users can choose to supply or omit as much identifying information as they like,” Amit Chaudhary, head of DeFi research at Polygon, tells Magazine. “The end-user is in control of their information and decides how much they want to interact with or be targeted by businesses and marketers — if at all.”
Others aren’t so keen on SBTs, however. “I do not like the concept of incentivizing users to have a single wallet,” Gągol tells Magazine. Nor does he think that the vast majority of identity-related features like employment credentials, fan club memberships, etc. “should be private by default and revealed only at the request of the user.”
Some types of identity information, including academic credentials like diplomas, “should be ‘soulbound’ in the sense that the information is tied to the individual rather than being tradable,” says Kominers. But others say using NFT tokens like SBTs to represent specific identifiers may not be appropriate, “as this leads to a correlation of an individual’s activities and, therefore, their identity,” Alastair Johnson, founder and CEO of Nuggets, tells Magazine.
Can Crypto be Sweden’s Savior?
Crypto, Meet Fiat. You Two Should Get A Coffee Sometime
A boon for the developing world?
Identity-related problems, including certification fraud, loom especially large in the developing world. According to the World Bank, some 1 billion people on the planet have no way of verifying their identity, which vastly limits their access to digital services.
“These problems are very large, yes,” says Snorre Lothar von Gohren Edwin, co-founder and chief technology officer of Diwala. The problems that existed with regard to identity in the U.S. and Europe 15 years ago are now bubbling up in Africa, he tells Magazine.
Diwala, which claims to be the first company to develop blockchain-enabled digital credentials on the African continent, has built a platform in Uganda that allows “skill providers” to issue digital certificates to trainees, recruiters or employers that can be easily verified online. The company claims to have issued over 10,000 credentials to people and businesses across East and West Africa, with 67% customer growth in 2022.
Scalability and usability questions
Obstacles remain before DI becomes commonplace, however. Can the technology be scaled up? Will DI as currently constituted be usable not just by businesses but by private individuals?
On the first question: DI proponents are often insistent that private information in the future be shared on a need-to-know basis. Optimally, says Gągol:
“Users should have an option of performing a very exhaustive KYC for the purpose of uploading the data to the ID system, but then they should only selectively disclose the information that is absolutely necessary for a given platform.”
Only binary information should be required. For example, is the buyer old enough to purchase alcohol in an online shop: Yes or no? Still, the technology to do this may not be up to speed at present, Gągol tells Magazine. “Such selective reveals are certainly possible with zk-SNARK technology, but we are yet to see a large-scale deployment of such solutions.”
Usability must get better before DI goes mainstream, too. “We need user-friendly digital wallet solutions that can make building one’s decentralized identity intuitive and accessible to the broader population,” Kominers says.
DI’s components — DiDs, VCs and personal datastore protocols — are each “incredibly powerful” on their own, Daniel Buchner, head of decentralized identity at Block, tells Magazine. But so far they have been mostly deployed for relatively narrow use cases, usually in the business world.
Solutions do not offer “sufficient utility or new experiences to consumers that are toothbrush-frequent in use,” Buchner says.
The most engaging reads in blockchain. Delivered once a
Edgar Whitley, associate professor of information systems at the London School of Economics, expressed “concerns about account recovery,” especially if credentials are only held in a personal device, as well as challenges with regard to inclusion and exclusion.
One also can’t assume that all employers will embrace DI soon, either. In the United Kingdom, where employers are required to conduct “right-to-work” checks on employees, for instance, many companies still favor face-to-face checks and “have no obvious plans for making the transition to the new approach,” Whitley tells Magazine.
“Recognition by regulatory bodies is probably one of the biggest obstacles that needs attention,” adds Chaudhary. Once regulation is in place, “companies will be receptive to decentralized identity as part of their daily operations, and the rollout can begin in earnest.”
The future of decentralized identity
If SSI/DI ever do become commonplace, they could spur some interesting spinoffs. Asked recently about the future prospects of blockchain-enabled public elections, Marta Piekarska-Geater, senior DAO strategist at ConsenSys, answered:
“The first question that I would ask is: Where are we with self-sovereign identity? Because right now, when it comes to any usage of public services or engaging with governments, you need to verify yourself.”
Decentralized identity should give people the ability to “leverage their information frictionlessly across a wide array of platforms — and that, in turn, creates new use cases and sources of value for the underlying information itself,” Kominers tells Magazine.
Chaudhary foresees “decentralized credit scores for financial primitives and social payments in DeFi” becoming common. Other possible innovation areas are player reputation profiles for Web3 games, delegated voting, decentralized Sybil scores, and “domain-expertise reputation for DAOs to enable new decision-making and governance models,” he says.
Some believe that decentralized identity solutions are long overdue. Piekarska-Geater, based in the U.K., was born in Poland and still travels with a Polish passport. “I was in situations where I couldn’t leave a country because my passport wasn’t accepted at the border,” she tells Magazine. In one instance, she was held up because her passport’s biometric page had a slight tear. “We are in the 21st century, and that is still happening on a regular basis.”
Chaudhary offered some consolation:
“Once the DI infrastructure is in place, carrying physical IDs will become obsolete.”
Powers On… Top 5 crypto legal and regulatory developments of 2021
The trouble with automated market makers